Security Test
Website Security Test
Website Vulnerability Scanner
Comprehensive security testing for your website
Security Report: https://www.wafcharm.com:443/
Scan Date: Jan. 21, 2026, 12:20 p.m. | Duration: 1 minute, 0.45 seconds
Have you made changes or fixed vulnerabilities?
Run a fresh scan to verify your latest security updates.
Risk Rating
Overall Risk Rating
F (40/100)
Risk Distribution Chart
CVE Based Risk Distribution
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 0 |
CWE Based Risk Distribution
| Critical | 0 |
| High | 4 |
| Medium | 2 |
| Low | 0 |
Scan Summary
| 1 | Input Hostname | wafcharm.com |
| 2 | Target URL | https://www.wafcharm.com:443/ |
| 3 | Scan Start Time | Jan. 21, 2026, 12:20 p.m. |
| 4 | Scan Duration | 1 minute, 0.45 seconds |
| 5 | Total Test Cases | 42 |
| 6 | Passed Cases | 18 |
| 7 | Failed Cases | 18 |
Target Information
| 1 | Target URL | https://www.wafcharm.com:443/ |
| 2 | IP Address | 18.172.78.56 |
| 3 | Hosting Provider | Amazon Web Services (AWS) |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP (WordPress) |
| 6 | Web Server | apache |
| 7 | CMS | {'WordPress': '7.3.6'} |
| 8 | Operating System | Linux/Unix |
| 9 | HTTPS Enabled | Enabled |
| 10 | WAF Detected | ['AWS WAF'] |
Original Header Response
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 21 Jan 2026 06:50:12 GMT
Server: Apache
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 fa2388d433a66e7365406f5a2a0963fa.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BOM78-P9
X-Amz-Cf-Id: 0nr146M7Qa8FRyEOs1kCYeHdUiNS4qaa-tVtMjJiN2RETeRZB1uQYQ==
Detailed Technical Analysis
| 1 | Open Ports | [80, 443] |
| 2 | Debug Method Enabled | No |
| 3 | OPTIONS Method | Yes |
| 4 | DKIM | Not Detected |
| 5 | SPF | Not Detected |
| 6 | DMARC | Not Detected |
| 7 | Captcha Detection | Not Detected |
| 8 | Password field with autocomplete | Not Detected |
| 9 | Unencrypted Viewstate | Not Detected |
Additional Findings
Javascript Libraries
Secret Files Detection
Http Methods Allowed
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
- HEAD
Cross Domain Inclusion
- ajax.googleapis.com
- www.wafcharm.com
- www.google.com
- fonts.googleapis.com
- fonts.gstatic.com
- www.googletagmanager.com
- www.youtube.com
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 5 | jquery-3.4.1 - CVE-2020-11023 | CVE-2020-11023 | Medium | 6.9 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | No solution provided. |
| 6 | jquery-3.4.1 - CVE-2020-11022 | CVE-2020-11022 | Medium | 6.9 | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | No solution provided. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 2 | Missing Strict-Transport-Security header | CWE-319 | High | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 3 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 4 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 7 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 8 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | WAF-Detection |
| Sr. No | Test Case |
|---|---|
| 24 | SSL Certificate Validation |
| 25 | Loose Cookie Domain |
| 26 | CSP Header Analysis |
| 27 | OpenAPI Disclosure |
| 28 | Password Leak Detection |
| 29 | Path Disclosure |
| 30 | Error Messages Analysis |
| 31 | Rate Limit Headers |
| 32 | Email Extraction |
| 33 | Xml-RPC Endpoint Detection |
| 34 | HTTP Methods Allowed |
| 35 | Enabled Debug Method |
| 36 | Enabled OPTIONS Method |
| 37 | Cross-Domain Inclusion |
| 38 | File Upload Detection |
| 39 | Client Access Policies |
| 40 | X-FRAME OPTIONS |
| 41 | X-XSS PROTECTION |
| 42 | .htaccess Exposure |
Passed & Failed Cases
Passed Cases (18)
- Mixed Content (HTTP on HTTPS)
- Open Ports Scan
- Secure Connection
- Directory Listing Exposed
- Passwords submitted unencrypted
- WAF Detection
- Loose cookie domain
- Content Security Policy Misconfiguration
- OpenAPI Disclosure
- Password Leakage
- Error Messages Analysis
- Path Disclosure
- Rate Limit Headers
- Emails exposed
- Enabled OPTIONS Method
- File Upload Detection
- .htaccess Exposure
- Host Header Injection
Failed Cases (18)
- Server Disclosure
- Technology Disclosure
- Javascript Libraries
- Missing Security Headers
- Missing Content-Security-Policy header
- Missing Strict-Transport-Security header
- Missing Referrer-Policy header
- Missing X-Content-Type-Options header
- Missing HttpOnly flag in cookies
- Missing Secure flag in cookies
- Secret Files Detection
- robots.txt file found
- SSL Certificate
- Enabled Debug Method
- Cross-Domain Inclusion
- Client Access Policies
- X-FRAME OPTIONS
- X-XSS PROTECTION
View Raw Scan Data (JSON)
{
"host": "wafcharm.com",
"host_url": "https://www.wafcharm.com:443/",
"task_id": "7f8ef689-43b2-4a1d-9bac-ed96f8374347",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Content-Type": "text/html; charset=UTF-8",
"Transfer-Encoding": "chunked",
"Connection": "keep-alive",
"Date": "Wed, 21 Jan 2026 06:50:12 GMT",
"Server": "Apache",
"Vary": "Accept-Encoding",
"X-Cache": "Miss from cloudfront",
"Via": "1.1 fa2388d433a66e7365406f5a2a0963fa.cloudfront.net (CloudFront)",
"X-Amz-Cf-Pop": "BOM78-P9",
"X-Amz-Cf-Id": "0nr146M7Qa8FRyEOs1kCYeHdUiNS4qaa-tVtMjJiN2RETeRZB1uQYQ=="
},
"ip_address": "18.172.78.56",
"hosting_provider": "Amazon Web Services (AWS)",
"registrar": null,
"cms": {
"WordPress": "7.3.6"
},
"cms_cve": null,
"server": "apache",
"server_disclosure_cve": null,
"programming_language": "PHP (WordPress)",
"technology_disclosure_cve": null,
"mixed_content_analysis": null,
"operating_system": "Linux/Unix",
"open_ports": [
80,
443
],
"database_technology": null,
"javascript_libraries": [
{
"jquery": {
"version": "3.4.1",
"source": "//cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js?ver=3.4.1"
},
"wordpress-popular-posts": {
"version": "7.3.6",
"source": "https://www.wafcharm.com/en/wp/wp-content/plugins/wordpress-popular-posts/assets/js/wpp.js?ver=7.3.6"
},
"jquery_migrate": {
"version": "3.1.0",
"source": "//cdnjs.cloudflare.com/ajax/libs/jquery-migrate/3.1.0/jquery-migrate.min.js?ver=3.1.0"
},
"all-in-one-seo-pack": {
"version": "4.9.2",
"source": "https://www.wafcharm.com/en/wp/wp-content/plugins/all-in-one-seo-pack/dist/Lite/assets/table-of-contents.95d0dfce.js?ver=4.9.2"
},
"contact-form-7": {
"version": "6.1.4",
"source": "https://www.wafcharm.com/en/wp/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.1.4"
}
}
],
"javascript_libraries_cve": {
"Total CVEs": 2,
"Critical": 0,
"High": 0,
"Medium": 2,
"Low": 0,
"jquery-3.4.1": [
{
"Id": "CVE-2020-11023",
"Published": "2020-04-29T21:15:11.743",
"Description": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"Severity": "MEDIUM",
"Score": 6.9,
"CWE": "CWE-79"
},
{
"Id": "CVE-2020-11022",
"Published": "2020-04-29T22:15:11.903",
"Description": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"Severity": "MEDIUM",
"Score": 6.9,
"CWE": "CWE-79"
}
]
},
"secure_connection": "Enabled",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"STRICT-TRANSPORT-SECURITY",
"PERMISSIONS-POLICY",
"X-FRAME-OPTIONS",
"CONTENT-SECURITY-POLICY",
"X-CONTENT-TYPE-OPTIONS",
"X-XSS-PROTECTION",
"REFERRER-POLICY",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": {
"issue": "Missing Content-Security-Policy header",
"severity": "High",
"cwe_id": "CWE-693",
"cwe_description": "Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection.",
"fix": "Implement a strong Content-Security-Policy header such as: \"Content-Security-Policy: default-src 'self'; script-src 'self'\"."
},
"missing_strict_transport_security_header": {
"issue": "Missing Strict-Transport-Security header",
"severity": "High",
"cwe_id": "CWE-319",
"cwe_description": "Sensitive information is exposed in transit due to the absence of secure channel enforcement.",
"fix": "Enable HSTS with: \"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\"."
},
"missing_referrer_policy_header": {
"issue": "Missing Referrer-Policy header",
"severity": "Medium",
"cwe_id": "CWE-200",
"cwe_description": "Exposure of sensitive URLs or information to third-party sites.",
"fix": "Set a secure referrer policy such as: \"Referrer-Policy: no-referrer\"."
},
"missing_x_content_type_options_header": {
"issue": "Missing X-Content-Type-Options header",
"severity": "Medium",
"cwe_id": "CWE-16",
"cwe_description": "Improperly configured security headers allow MIME-type confusion attacks.",
"fix": "Add the header: \"X-Content-Type-Options: nosniff\"."
},
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://www.wafcharm.com:443/robots.txt",
"https://www.wafcharm.com:443/sitemap.xml"
],
"robots_txt_file_found": null,
"waf_detection": [
"AWS WAF"
],
"ssl_certificate": null,
"loose_cookie_domain": null,
"csp_header_analysis": null,
"openapi_disclosure": null,
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": null,
"email_extraction": null,
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"OPTIONS",
"HEAD"
],
"enabled_debug_method": "No",
"enabled_options_method": "Yes",
"cross_domain_inclusion": [
"ajax.googleapis.com",
"www.wafcharm.com",
"www.google.com",
"fonts.googleapis.com",
"fonts.gstatic.com",
"www.googletagmanager.com",
"www.youtube.com"
],
"file_upload": null,
"client_access_policies": [],
"x_frame_options": "Missing X-Frame-Options",
"x_xss_protection": "Missing x-xss-protection header",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": null,
"dkim": null,
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure"
],
"executive_summary": {
"Severity": "Medium",
"Total Checks Passed": 18,
"Passed Cases": [
"Mixed Content (HTTP on HTTPS)",
"Open Ports Scan",
"Secure Connection",
"Directory Listing Exposed",
"Passwords submitted unencrypted",
"WAF Detection",
"Loose cookie domain",
"Content Security Policy Misconfiguration",
"OpenAPI Disclosure",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Rate Limit Headers",
"Emails exposed",
"Enabled OPTIONS Method",
"File Upload Detection",
".htaccess Exposure",
"Host Header Injection"
],
"Total Checks Failed": 18,
"Failed Cases": [
"Server Disclosure",
"Technology Disclosure",
"Javascript Libraries",
"Missing Security Headers",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"SSL Certificate",
"Enabled Debug Method",
"Cross-Domain Inclusion",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION"
],
"Total CVEs Found": 2,
"Critical": 0,
"High": 0,
"Medium": 2,
"Low": 0,
"Total CWEs Found": 7
},
"total_scan_time": "1 minute, 0.45 seconds",
"scan_start_timestamp": "2026-01-21 06:50:10"
}
Other Security Tools
Explore our comprehensive suite of security testing tools