Website Security Test
Security Report: https://tinder.com/
Scan Date: Feb. 8, 2026, 8:01 p.m. | Duration: 33.53 seconds
Risk Rating
Overall Risk Rating
A (80/100)
Risk Distribution Chart
CVE Based Risk Distribution
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
CWE Based Risk Distribution
| Critical | 0 |
| High | 2 |
| Medium | 0 |
| Low | 0 |
Scan Summary
| 1 | Input Hostname | tinder.com |
| 2 | Target URL | https://tinder.com/ |
| 3 | Scan Start Time | Feb. 8, 2026, 8:01 p.m. |
| 4 | Scan Duration | 33.53 seconds |
| 5 | Total Test Cases | 42 |
| 6 | Passed Cases | 23 |
| 7 | Failed Cases | 15 |
Target Information
| 1 | Target URL | https://tinder.com/ |
| 2 | IP Address | 52.84.150.54 |
| 3 | Hosting Provider | Amazon Web Services (AWS) |
| 4 | Registrar | Not Available |
| 5 | Programming Language | Express (a Node.js web framework, taken from the X-Powered-By header; the language itself is JavaScript) |
| 6 | Web Server | nginx |
| 7 | CMS | Not Detected |
| 8 | Operating System | Linux/Unix |
| 9 | HTTPS Enabled | Enabled |
| 10 | WAF Detected | AWS WAF |
Original Header Response
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sun, 08 Feb 2026 14:31:04 GMT
Content-Encoding: gzip
Set-Cookie: AWSALB=f+Xxzra8EMFuyoPWVANffizqmJVfkYMIM0OKARY5TizVs2MWLsYSHZFW7PclZPAV8NYxeYkHjCFL4LQfd8GBU2raGXW38wkJGtAYexHuzx/j8zFqILsnJTZ5I2X1; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/, AWSALBCORS=f+Xxzra8EMFuyoPWVANffizqmJVfkYMIM0OKARY5TizVs2MWLsYSHZFW7PclZPAV8NYxeYkHjCFL4LQfd8GBU2raGXW38wkJGtAYexHuzx/j8zFqILsnJTZ5I2X1; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/; SameSite=None; Secure
Server: nginx
X-Powered-By: Express
X-DNS-Prefetch-Control: on
Referrer-Policy: origin-when-cross-origin
Content-Security-Policy: default-src 'self';base-uri 'self';connect-src 'self' data: https: wss://keepalive.gotinder.com;script-src 'nonce-zA3rMci20CcRRPVQTLYsKw==' 'strict-dynamic' 'unsafe-hashes' 'unsafe-eval' 'wasm-unsafe-eval' 'sha256-PLCxbpHSwAa8+W198R1KQQ9UDCexTvYy4z4YmCg21NM=' 'unsafe-inline';style-src 'self' 'unsafe-inline' blob: https://*.googleapis.com https://accounts.google.com;frame-src 'self' https://tinder-api.arkoselabs.com https://*.paypal.com https://accounts.google.com https://*.doubleclick.net https://*.adyen.com;frame-ancestors 'self';form-action 'self' https://*.tinder.com https://tinder.com https://*.adyen.com;object-src 'none';img-src 'self' data: blob: https:;media-src 'self' data: https:;report-to tinderweb-csp-reports;font-src 'self' data: https:;manifest-src 'self' https:
Report-To: {"group":"tinderweb-csp-reports","max_age":604800,"endpoints":[{"url":"/csp-reports"}]}
Document-Policy: js-profiling
X-Render-Method: ssr
Cache-Control: must-revalidate, public, max-age=3024000000
Cross-Origin-Opener-Policy: same-origin-allow-popups
ETag: W/"7bca7-NDu03t4oQelPD1U0QyqeVjzfy0A"
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 53dc07582ee18c39c3a772fe98297936.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BOM78-P2
X-Amz-Cf-Id: B_eAaQyHSHgxpMfSFg1am8r2u4ZrFfncVQP60aScsEQp0qqcamEceQ==
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
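The header dump above is the most useful part of the report, and three of its values deserve a closer reading than the scanner gives them. The CSP carries both a nonce plus 'strict-dynamic' and the legacy 'unsafe-inline' and 'unsafe-eval' keywords: under CSP3 precedence the nonce makes 'unsafe-inline' ignored (it is a fallback for old browsers), but 'unsafe-eval' stays in force. The HSTS policy has a one-year max-age but neither includeSubDomains nor preload. X-XSS-Protection: 1; mode=block enables a filter that Chromium has removed; OWASP now recommends the value 0. The following audit, an added example that is not the scanner's code or the scanned site's, applies those rules to the captured values (the CSP is trimmed to the directives it checks; the finding texts are this example's own):

```python
"""Audit of the security headers captured above.

Added example, not the scanner's code or the scanned site's. The header values
are copied from the report (the CSP is trimmed to the directives audited); the
rules applied are this example's own reading of the CSP3 and HSTS specs.
"""
import re

# Constructed input: header values as captured in the report above.
HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self';base-uri 'self';"
        "script-src 'nonce-zA3rMci20CcRRPVQTLYsKw==' 'strict-dynamic' 'unsafe-hashes' "
        "'unsafe-eval' 'wasm-unsafe-eval' "
        "'sha256-PLCxbpHSwAa8+W198R1KQQ9UDCexTvYy4z4YmCg21NM=' 'unsafe-inline';"
        "object-src 'none';frame-ancestors 'self';report-to tinderweb-csp-reports"
    ),
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
}


def parse_csp(value):
    """Split a CSP into {directive: [source expressions]}.

    Directives are separated by ';', source expressions by whitespace.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_script_src(policy):
    """Findings for script-src, applying CSP3 precedence rules.

    A nonce or hash makes 'unsafe-inline' ignored; 'strict-dynamic' makes host
    and scheme sources ignored; 'unsafe-eval' is not neutralised by either.
    """
    src = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src
    )
    findings = []
    if "'unsafe-inline'" in src:
        findings.append(
            "unsafe-inline ignored (nonce/hash present), harmless on CSP3 browsers"
            if has_nonce_or_hash
            else "unsafe-inline active: inline script injection is not blocked"
        )
    if "'unsafe-eval'" in src:
        findings.append("unsafe-eval active: eval()/new Function() on injected strings permitted")
    hosts = [s for s in src if not s.startswith("'")]
    if "'strict-dynamic'" in src and hosts:
        findings.append(f"host sources ignored because of strict-dynamic: {hosts}")
    return findings


def audit_hsts(value):
    """Flag an HSTS policy with a short max-age or without includeSubDomains/preload."""
    findings = []
    match = re.search(r"max-age=(\d+)", value)
    max_age = int(match.group(1)) if match else 0
    if max_age < 31536000:
        findings.append(f"max-age {max_age} is below one year")
    tokens = {t.strip().lower() for t in value.split(";")}
    if "includesubdomains" not in tokens:
        findings.append("includeSubDomains missing: subdomains may still be loaded over http")
    if "preload" not in tokens:
        findings.append("preload missing: the first visit is unprotected until the policy is cached")
    return findings


def audit_xss_protection(value):
    """The XSS auditor was removed from Chromium; OWASP recommends the value 0."""
    if value is None or value.strip() == "0":
        return []
    return ["X-XSS-Protection enabled: filter is obsolete; set to 0 or remove the header"]


def audit(headers):
    """Run all checks and return {header: [findings]} for headers with findings."""
    report = {
        "Content-Security-Policy": audit_script_src(parse_csp(headers.get("Content-Security-Policy", ""))),
        "Strict-Transport-Security": audit_hsts(headers.get("Strict-Transport-Security", "")),
        "X-XSS-Protection": audit_xss_protection(headers.get("X-XSS-Protection")),
    }
    return {h: f for h, f in report.items() if f}


if __name__ == "__main__":
    for header, findings in audit(HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```

On the captured values the CSP check reports 'unsafe-inline' as ignored and 'unsafe-eval' as active, the HSTS check reports the two missing attributes, and the X-XSS-Protection check asks for 0. The Referrer-Policy (origin-when-cross-origin), X-Frame-Options (SAMEORIGIN, redundant with frame-ancestors 'self') and X-Content-Type-Options (nosniff) values need no change.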
Detailed Technical Analysis
| 1 | Open Ports | [80, 443] |
| 2 | Debug Method Enabled | No |
| 3 | OPTIONS Method | Yes |
| 4 | DKIM | Not Detected |
| 5 | SPF | Not Detected |
| 6 | DMARC | Not Detected |
| 7 | Captcha Detection | Not Detected |
| 8 | Password field with autocomplete | Not Detected |
| 9 | Unencrypted Viewstate | Not Detected |
Rows 4 to 9 are all null in the raw scan data, the same value the scanner renders as a pass elsewhere, so "Not Detected" does not distinguish "no record" from "not checked". Confirm the mail-authentication rows with DNS TXT lookups of tinder.com (SPF), _dmarc.tinder.com (DMARC) and the sending selector (DKIM) before reporting them as missing.
Additional Findings
Secret Files Detection
- https://tinder.com/robots.txt
- https://tinder.com/security.txt
- https://tinder.com/sitemap.xml
These three files are public by design (security.txt is the RFC 9116 vulnerability-disclosure contact file; robots.txt and sitemap.xml are crawler metadata). They are a finding only if they list paths that were not meant to be discoverable.
Http Methods Allowed
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
- HEAD
This is the set the server advertises (typically from the OPTIONS response), not the set an unauthenticated client can use. PUT, PATCH and DELETE against the document root should be exercised with and without credentials before being reported as a weakness.
Cross Domain Inclusion
- tinder.com
- images-ssl.gotinder.com
- api.gotinder.com
- apis.google.com
- accounts.google.com
- ssl.gstatic.com
- connect.facebook.net
Because script-src uses 'strict-dynamic', any script these third-party hosts load is trusted transitively by the nonced loader, and Subresource Integrity does not cover scripts that other scripts insert dynamically; a compromise of connect.facebook.net or apis.google.com is therefore script execution on tinder.com.
Client Access Policies
- https://tinder.com/crossdomain.xml
- https://tinder.com/clientaccesspolicy.xml
These Flash and Silverlight policy files only matter if the response is real XML with a permissive allow-access-from entry. Given that the OpenAPI probes below all returned a 200 that was "not OpenAPI format", confirm that these two URLs do not simply return the application shell.
Findings – CVE (Common Vulnerabilities and Exposures)
No CVE vulnerabilities found.
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Missing HttpOnly flag in cookies | CWE-1004 | High | Both cookies in the response, AWSALB and AWSALBCORS, are set without HttpOnly. They are Application Load Balancer stickiness cookies, generated by the load balancer rather than by the Express application, and carry a target-routing value rather than a session; script access to them does not yield authentication material, so High overstates the impact here. | Set HttpOnly on every application-issued session or token cookie (none appears in this response). The attributes of the load-balancer-generated cookies are not controlled by the application code. |
| 2 | Missing Secure flag in cookies | CWE-614 | High | Only AWSALB lacks Secure; AWSALBCORS carries Secure and SameSite=None. AWSALB also has no SameSite attribute. HSTS (max-age=31536000) keeps this host on HTTPS for returning browsers, but it lacks includeSubDomains, so the caveat does not extend to subdomains. | Enable the Secure flag (and an explicit SameSite value) for all session or sensitive cookies. |
The raw JSON counts a third CWE (CWE-668, attached to the OpenAPI Disclosure finding with a description about open ports that does not match that finding); it is omitted from this table.
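The two cookie findings above are reported per header, but the response folds two Set-Cookie headers into one comma-joined value, and the flags differ between the two cookies. A per-cookie check has to split on the comma that starts a new cookie while leaving the comma inside Expires= alone. The following checker is an added example, not the scanner's code; its input is the folded value from the report with the cookie values shortened, and its rule set (Secure, HttpOnly, SameSite, and the SameSite=None-requires-Secure constraint) is this example's own:

```python
"""Per-cookie attribute check for a folded Set-Cookie header.

Added example, not the scanner's code. The input is the comma-joined
Set-Cookie value captured in the report above, with cookie values shortened.
"""
import re

# Constructed input: folded Set-Cookie value from the report (values shortened).
SET_COOKIE = (
    "AWSALB=f+Xxzra8EMFu...; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/, "
    "AWSALBCORS=f+Xxzra8EMFu...; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/; SameSite=None; Secure"
)


def split_folded_set_cookie(value):
    """Split a comma-folded Set-Cookie value into individual cookies.

    A new cookie starts at ', name='. The comma inside an Expires date is
    followed by a day number and a space, never by token=, so the lookahead
    skips it.
    """
    return [c.strip() for c in re.split(r",\s*(?=[^=;,\s]+=)", value)]


def parse_cookie(cookie):
    """Return {'name', 'value', 'attrs'}; attrs keys are lower-cased, flags map to True."""
    pairs = [p.strip() for p in cookie.split(";")]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for attr in pairs[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val if val else True
    return {"name": name, "value": value, "attrs": attrs}


def check_flags(cookie):
    """List the attribute problems of one parsed cookie."""
    attrs = cookie["attrs"]
    issues = []
    if "secure" not in attrs:
        issues.append("Secure missing")
    if "httponly" not in attrs:
        issues.append("HttpOnly missing")
    samesite = attrs.get("samesite")
    if samesite is None:
        issues.append("SameSite missing (Chromium defaults to Lax)")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure: browsers reject the cookie")
    return issues


def audit_cookies(value):
    """Map cookie name -> issues for every cookie in a folded Set-Cookie value."""
    return {c["name"]: check_flags(c) for c in map(parse_cookie, split_folded_set_cookie(value))}


if __name__ == "__main__":
    for name, issues in audit_cookies(SET_COOKIE).items():
        print(name, issues or ["ok"])
```

Run against the captured value it attributes Secure, HttpOnly and SameSite gaps to AWSALB and only the HttpOnly gap to AWSALBCORS, which is the split the table above should show. Splitting on a bare comma would instead produce four fragments and misattribute every flag.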
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | WAF-Detection |
| 24 | SSL Certificate Validation |
| 25 | Loose Cookie Domain |
| 26 | CSP Header Analysis |
| 27 | OpenAPI Disclosure |
| 28 | Password Leak Detection |
| 29 | Path Disclosure |
| 30 | Error Messages Analysis |
| 31 | Rate Limit Headers |
| 32 | Email Extraction |
| 33 | Xml-RPC Endpoint Detection |
| 34 | HTTP Methods Allowed |
| 35 | Enabled Debug Method |
| 36 | Enabled OPTIONS Method |
| 37 | Cross-Domain Inclusion |
| 38 | File Upload Detection |
| 39 | Client Access Policies |
| 40 | X-FRAME OPTIONS |
| 41 | X-XSS PROTECTION |
| 42 | .htaccess Exposure |
Passed & Failed Cases
Passed Cases (23)
- CMS
- Mixed Content (HTTP on HTTPS)
- Open Ports Scan
- Javascript Libraries
- Secure Connection
- Directory Listing Exposed
- Passwords submitted unencrypted
- Missing Content-Security-Policy header
- Missing Strict-Transport-Security header
- Missing Referrer-Policy header
- Missing X-Content-Type-Options header
- WAF Detection
- SSL Certificate
- Loose cookie domain
- Password Leakage
- Error Messages Analysis
- Path Disclosure
- Rate Limit Headers
- Emails exposed
- XML-RPC Endpoint Detection
- Enabled OPTIONS Method
- File Upload Detection
- Host Header Injection
Failed Cases (15)
- Server Disclosure (Server: nginx)
- Technology Disclosure (X-Powered-By: Express)
- Missing Security Headers (Permissions-Policy and X-Permitted-Cross-Domain-Policies, per the raw data)
- Missing HttpOnly flag in cookies (AWSALB and AWSALBCORS)
- Missing Secure flag in cookies (AWSALB only)
- Secret Files Detection (robots.txt, security.txt, sitemap.xml; all public by design)
- robots.txt file found (duplicates the previous item; null in the raw data)
- Content Security Policy Misconfiguration ('unsafe-inline' and 'unsafe-eval' in script-src; only 'unsafe-eval' is effective alongside the nonce)
- OpenAPI Disclosure (eight probed paths returned 200 with non-OpenAPI content, consistent with a catch-all route; no specification was exposed)
- Enabled Debug Method (contradicted by the scan itself, which reports Debug Method Enabled: No)
- Cross-Domain Inclusion (third-party script hosts listed above)
- Client Access Policies (crossdomain.xml and clientaccesspolicy.xml responded; content not verified)
- X-FRAME OPTIONS (recorded as "Properly Configured" in the raw data; X-Frame-Options: SAMEORIGIN is present)
- X-XSS PROTECTION (recorded as "Properly Configured" in the raw data; the header is present, though the modern recommendation is the value 0)
- .htaccess Exposure (null in the raw data, the value rendered as a pass elsewhere)
Five of these entries contradict the scan's own data, so the 23/15 split should be read as approximate rather than as a count of confirmed weaknesses.
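The OpenAPI Disclosure, Client Access Policies and .htaccess entries share one root cause: a server that answers every unknown path with HTTP 200 and the application shell, so a probe that only checks the status code "finds" every file it asks for. The practitioner's check is to first request a path that cannot exist, then compare each probe response against that baseline by media type and body similarity. The following classifier is an added example, not the scanner's code; the responses are constructed inline to stand in for the live site, and the similarity threshold is this example's own choice:

```python
"""Soft-404 check for 'File found ... but not OpenAPI format' style findings.

Added example, not the scanner's code. Responses are constructed inline to
stand in for the live site; the rule (compare each probe against the response
for a random path that cannot exist) and the threshold are this example's own.
"""
import difflib
import json
import secrets


def random_probe_path():
    """A path no application defines, used to learn what the catch-all route returns."""
    return f"/{secrets.token_hex(12)}.json"


def is_openapi_document(body):
    """True if the body is a JSON object carrying an 'openapi' or 'swagger' version key."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc)


def classify(baseline, response, threshold=0.9):
    """Classify a (status, content_type, body) probe response.

    baseline is the response for random_probe_path(). A 200 whose media type
    matches the baseline and whose body is near-identical to it is a soft 404,
    not a found file.
    """
    status, ctype, body = response
    if status == 404:
        return "absent"
    if is_openapi_document(body):
        return "openapi"
    if ctype.split(";")[0].strip() == baseline[1].split(";")[0].strip():
        ratio = difflib.SequenceMatcher(None, baseline[2], body).ratio()
        if ratio >= threshold:
            return "soft-404"
    return "unknown-200"


# Constructed sample responses: a single-page-app shell served for every unknown path.
SPA_SHELL = "<!doctype html><html><head><title>Tinder</title></head><body><div id=app></div></body></html>"
BASELINE = (200, "text/html; charset=utf-8", SPA_SHELL)
PROBES = {
    "/v2/swagger.json": (200, "text/html; charset=utf-8", SPA_SHELL),
    "/v3/openapi.json": (200, "text/html; charset=utf-8", SPA_SHELL.replace("Tinder", "Tinder | Dating")),
    "/crossdomain.xml": (200, "text/html; charset=utf-8", SPA_SHELL),
    "/real/openapi.json": (200, "application/json", json.dumps({"openapi": "3.0.1", "paths": {}})),
    "/missing": (404, "text/plain", "Not Found"),
}


def classify_all(baseline=BASELINE, probes=PROBES):
    """Classify every probe against the baseline; returns {path: verdict}."""
    return {path: classify(baseline, resp) for path, resp in probes.items()}


if __name__ == "__main__":
    for path, verdict in classify_all().items():
        print(f"{path:20} {verdict}")
```

With the constructed responses the swagger.json, openapi.json and crossdomain.xml probes come back as soft 404s even when the page title varies slightly, the real specification is recognised by its openapi key, and a genuine 404 is reported as absent. Only "openapi" and "unknown-200" verdicts deserve a line in a findings table.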
View Raw Scan Data (JSON)
{
"host": "tinder.com",
"host_url": "https://tinder.com/",
"task_id": "3262d395-4493-4e1d-80a7-9b7d2ea8d023",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Content-Type": "text/html; charset=utf-8",
"Transfer-Encoding": "chunked",
"Connection": "keep-alive",
"Date": "Sun, 08 Feb 2026 14:31:04 GMT",
"Content-Encoding": "gzip",
"Set-Cookie": "AWSALB=f+Xxzra8EMFuyoPWVANffizqmJVfkYMIM0OKARY5TizVs2MWLsYSHZFW7PclZPAV8NYxeYkHjCFL4LQfd8GBU2raGXW38wkJGtAYexHuzx/j8zFqILsnJTZ5I2X1; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/, AWSALBCORS=f+Xxzra8EMFuyoPWVANffizqmJVfkYMIM0OKARY5TizVs2MWLsYSHZFW7PclZPAV8NYxeYkHjCFL4LQfd8GBU2raGXW38wkJGtAYexHuzx/j8zFqILsnJTZ5I2X1; Expires=Sun, 15 Feb 2026 14:31:04 GMT; Path=/; SameSite=None; Secure",
"Server": "nginx",
"X-Powered-By": "Express",
"X-DNS-Prefetch-Control": "on",
"Referrer-Policy": "origin-when-cross-origin",
"Content-Security-Policy": "default-src 'self';base-uri 'self';connect-src 'self' data: https: wss://keepalive.gotinder.com;script-src 'nonce-zA3rMci20CcRRPVQTLYsKw==' 'strict-dynamic' 'unsafe-hashes' 'unsafe-eval' 'wasm-unsafe-eval' 'sha256-PLCxbpHSwAa8+W198R1KQQ9UDCexTvYy4z4YmCg21NM=' 'unsafe-inline';style-src 'self' 'unsafe-inline' blob: https://*.googleapis.com https://accounts.google.com;frame-src 'self' https://tinder-api.arkoselabs.com https://*.paypal.com https://accounts.google.com https://*.doubleclick.net https://*.adyen.com;frame-ancestors 'self';form-action 'self' https://*.tinder.com https://tinder.com https://*.adyen.com;object-src 'none';img-src 'self' data: blob: https:;media-src 'self' data: https:;report-to tinderweb-csp-reports;font-src 'self' data: https:;manifest-src 'self' https:",
"Report-To": "{\"group\":\"tinderweb-csp-reports\",\"max_age\":604800,\"endpoints\":[{\"url\":\"/csp-reports\"}]}",
"Document-Policy": "js-profiling",
"X-Render-Method": "ssr",
"Cache-Control": "must-revalidate, public, max-age=3024000000",
"Cross-Origin-Opener-Policy": "same-origin-allow-popups",
"ETag": "W/\"7bca7-NDu03t4oQelPD1U0QyqeVjzfy0A\"",
"Vary": "Accept-Encoding",
"X-Cache": "Miss from cloudfront",
"Via": "1.1 53dc07582ee18c39c3a772fe98297936.cloudfront.net (CloudFront)",
"X-Amz-Cf-Pop": "BOM78-P2",
"X-Amz-Cf-Id": "B_eAaQyHSHgxpMfSFg1am8r2u4ZrFfncVQP60aScsEQp0qqcamEceQ==",
"X-XSS-Protection": "1; mode=block",
"X-Frame-Options": "SAMEORIGIN",
"X-Content-Type-Options": "nosniff",
"Strict-Transport-Security": "max-age=31536000"
},
"ip_address": "52.84.150.54",
"hosting_provider": "Amazon Web Services (AWS)",
"registrar": null,
"cms": null,
"cms_cve": null,
"server": "nginx",
"server_disclosure_cve": null,
"programming_language": "express",
"technology_disclosure_cve": null,
"mixed_content_analysis": null,
"operating_system": "Linux/Unix",
"open_ports": [
80,
443
],
"database_technology": null,
"javascript_libraries": null,
"javascript_libraries_cve": null,
"secure_connection": "Enabled",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"PERMISSIONS-POLICY",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": null,
"missing_strict_transport_security_header": null,
"missing_referrer_policy_header": null,
"missing_x_content_type_options_header": null,
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://tinder.com/robots.txt",
"https://tinder.com/security.txt",
"https://tinder.com/sitemap.xml"
],
"robots_txt_file_found": null,
"waf_detection": [
"AWS WAF"
],
"ssl_certificate": null,
"loose_cookie_domain": null,
"csp_header_analysis": "CSP configuration is this default-src 'self';base-uri 'self';connect-src 'self' data: https: wss://keepalive.gotinder.com;script-src 'nonce-zA3rMci20CcRRPVQTLYsKw==' 'strict-dynamic' 'unsafe-hashes' 'unsafe-eval' 'wasm-unsafe-eval' 'sha256-PLCxbpHSwAa8+W198R1KQQ9UDCexTvYy4z4YmCg21NM=' 'unsafe-inline';style-src 'self' 'unsafe-inline' blob: https://*.googleapis.com https://accounts.google.com;frame-src 'self' https://tinder-api.arkoselabs.com https://*.paypal.com https://accounts.google.com https://*.doubleclick.net https://*.adyen.com;frame-ancestors 'self';form-action 'self' https://*.tinder.com https://tinder.com https://*.adyen.com;object-src 'none';img-src 'self' data: blob: https:;media-src 'self' data: https:;report-to tinderweb-csp-reports;font-src 'self' data: https:;manifest-src 'self' https:",
"openapi_disclosure": {
"Source": [
"File found at https://tinder.com/v2/swagger.json, but not OpenAPI format",
"File found at https://tinder.com/v2/openapi.json, but not OpenAPI format",
"File found at https://tinder.com/v2/openapi.yaml, but not OpenAPI format",
"File found at https://tinder.com/v3/swagger.json, but not OpenAPI format",
"File found at https://tinder.com/v3/openapi.json, but not OpenAPI format",
"File found at https://tinder.com/v3/openapi.yamlapi-docs, but not OpenAPI format",
"File found at https://tinder.com/v2/api-docs, but not OpenAPI format",
"File found at https://tinder.com/v3/api-docs, but not OpenAPI format"
],
"Exposure of Resource to Wrong Sphere": {
"issue": "Exposure of Resource to Wrong Sphere",
"severity": "High",
"cwe_id": "CWE-668",
"cwe_description": "Resources such as open ports or services are accessible to unauthorized actors.",
"fix": "Restrict unnecessary open ports and limit exposure via firewalls or access control lists."
}
},
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": null,
"email_extraction": null,
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"OPTIONS",
"HEAD"
],
"enabled_debug_method": "No",
"enabled_options_method": "Yes",
"cross_domain_inclusion": [
"tinder.com",
"images-ssl.gotinder.com",
"api.gotinder.com",
"apis.google.com",
"accounts.google.com",
"ssl.gstatic.com",
"connect.facebook.net"
],
"file_upload": null,
"client_access_policies": [
"https://tinder.com/crossdomain.xml",
"https://tinder.com/clientaccesspolicy.xml"
],
"x_frame_options": "Properly Configured",
"x_xss_protection": "Properly Configured",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": null,
"dkim": null,
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure"
],
"executive_summary": {
"Severity": "High",
"Total Checks Passed": 23,
"Passed Cases": [
"CMS",
"Mixed Content (HTTP on HTTPS)",
"Open Ports Scan",
"Javascript Libraries",
"Secure Connection",
"Directory Listing Exposed",
"Passwords submitted unencrypted",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"WAF Detection",
"SSL Certificate",
"Loose cookie domain",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Rate Limit Headers",
"Emails exposed",
"XML-RPC Endpoint Detection (XML-RPC Endpoint Detection) ",
"Enabled OPTIONS Method",
"File Upload Detection",
"Host Header Injection"
],
"Total Checks Failed": 15,
"Failed Cases": [
"Server Disclosure",
"Technology Disclosure",
"Missing Security Headers",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"Content Security Policy Misconfiguration",
"OpenAPI Disclosure",
"Enabled Debug Method",
"Cross-Domain Inclusion",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure"
],
"Total CVEs Found": 0,
"Critical": 0,
"High": 0,
"Medium": 0,
"Low": 0,
"Total CWEs Found": 3
},
"total_scan_time": "33.53 seconds",
"scan_start_timestamp": "2026-02-08 14:31:01"
}