Website Security Test

Website Vulnerability Scanner

Comprehensive security testing for your website

Security Report: https://x.com/

Scan Date: Jan. 21, 2026, 3:10 a.m. | Duration: 20.06 seconds

Risk Rating

Overall Risk Rating B (75/100)
Risk Distribution Chart

CVE Based Risk Distribution
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0

CWE Based Risk Distribution
  • Critical: 0
  • High: 2
  • Medium: 1
  • Low: 0

Scan Summary

1 Input Hostname x.com
2 Target URL https://x.com/
3 Scan Start Time Jan. 21, 2026, 3:10 a.m.
4 Scan Duration 20.06 seconds
5 Total Test Cases 42
6 Passed Cases 22
7 Failed Cases 16

Target Information

1 Target URL https://x.com/
2 IP Address 172.66.0.227
3 Hosting Provider Cloudflare
4 Registrar Not Available
5 Programming Language express
6 Web Server cloudflare envoy
7 CMS Not Detected
8 Operating System Unknown
9 HTTPS Enabled Enabled
10 WAF Detected Cloudflare, Cloudflare

Original Header Response

Date: Tue, 20 Jan 2026 21:40:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
perf: 7402827104
expiry: Tue, 31 Mar 1981 05:00:00 GMT
pragma: no-cache
Server: cloudflare envoy
x-powered-by: Express
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
last-modified: Tue, 20 Jan 2026 21:40:05 GMT
x-frame-options: DENY
x-transaction-id: ad254115200f0a04
x-xss-protection: 0
reporting-endpoints: coep-report="https://x.com/i/coep-report", coop-report="https://x.com/i/coop-report"
x-content-type-options: nosniff
content-security-policy: connect-src 'self' blob: https://fonts.googleapis.com/css https://mapsresources-pa.googleapis.com https://maps.googleapis.com https://translate.googleapis.com https://www.gstatic.com/maps/ https://*.pscp.tv https://*.twimg.com https://*.video.pscp.tv https://aa.twitter.com https://aa.x.com https://accounts.google.com/gsi/ https://ads-api.twitter.com https://ads-api.x.com https://api-stream.twitter.com https://api-stream.x.com https://api.twitter.com https://api.x.ai https://api.x.com https://api.x.com https://caps.twitter.com https://caps.x.com https://grok.x.com https://jf.twitter.com https://jf.x.com https://jf-t.x.com https://pay.twitter.com https://pay.x.com https://sentry.io https://ton-staging.atla.twitter.com https://ton-staging.atla.x.com https://ton-staging.pdxa.twitter.com https://ton-staging.pdxa.x.com https://ton.twitter.com https://ton.local.twitter.com https://ton.x.com https://twitter.com https://upload.twitter.com https://upload.x.com https://www.google-analytics.com https://x.com https://grok-api.gcp.mouseion.dev https://assets.mouseion.dev https://grok.com https://assets.grok.com https://imagine-public.x.ai/ wss://grok.com wss://grok-api.gcp.mouseion.dev https://*.adtrafficquality.google https://*.googlesyndication.com https://*.doubleclick.net https://adservice.google.com https://www.googleadservices.com https://pagead2.googlesyndication.com https://www.google.com https://google.com https://via.intercom.io https://api.intercom.io https://api.au.intercom.io https://api.eu.intercom.io https://api-iam.intercom.io https://api-iam.eu.intercom.io https://api-iam.au.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io wss://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-europe-websocket.intercom.io wss://nexus-europe-websocket.intercom.io https://nexus-australia-websocket.intercom.io wss://nexus-australia-websocket.intercom.io 
https://uploads.intercomcdn.com https://uploads.intercomcdn.eu https://uploads.au.intercomcdn.com https://uploads.eu.intercomcdn.com https://uploads.intercomusercontent.com https://production.plaid.com/ https://sandbox.plaid.com/ https://ingestion.dv.socure.io https://network.dv.socure.io/ https://analytics.dv.socure.io/ https://payments-dev.x.com/customer/wasm/forward-with-v1.wasm https://payments-staging.x.com/customer/wasm/forward-with-v1.wasm https://payments-prod.x.com/customer/wasm/forward-with-v1.wasm https://money-dev.x.com/customer/wasm/forward-with-v1.wasm https://money-staging.x.com/customer/wasm/forward-with-v1.wasm https://money.x.com/customer/wasm/forward-with-v1.wasm https://api.stripe.com https://m.castle.io https://checkoutshopper-live.adyen.com wss://*.pscp.tv https://vmap.grabyo.com https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com wss://chat-ws.x.com https://d1muhwhmpsz4u8.cloudfront.net/ https://d2bchqfeno8n2m.cloudfront.net/ https://d2shtph9y6bxk.cloudfront.net/ https://xchat-hsm-staging.x.com/ https://realm-a.x.com https://realm-b.x.com https://realm-west1.x.com https://realm-east1.x.com https://hsm-staging.x.com https://ads-twitter.com https://analytics.twitter.com https://analytics.x.com ; default-src 'self'; form-action 'self' https://twitter.com https://*.twitter.com https://x.com https://*.x.com https://localhost.twitter.com:3443 https://localhost.x.com:3443 https://intercom.help https://api-iam.intercom.io https://api-iam.eu.intercom.io https://api-iam.au.intercom.io; font-src 'self' https://*.twimg.com https://js.intercomcdn.com https://fonts.intercomcdn.com; frame-src 'self' https://accounts.google.com/ https://accounts.google.com/gsi/ https://cards-frame.twitter.com https://cdn.plaid.com/ https://client-api.arkoselabs.com/ https://content.googleapis.com/ https://iframe.arkoselabs.com/ https://mobile.twitter.com https://mobile.x.com https://pay.twitter.com 
https://pay.x.com https://google.com https://www.google.com https://intercom-sheets.com https://www.intercom-reporting.com https://www.youtube.com https://player.vimeo.com https://fast.wistia.net https://console.googletagservices.com https://*.doubleclick.net https://*.adtrafficquality.google https://*.safeframe.googlesyndication.com https://www.googleadservices.com https://googleadservices.com https://adservice.google.com https://*.googlesyndication.com https://td.doubleclick.net https://payments-dev.x.com/ https://payments-staging.x.com/ https://payments-prod.x.com/ https://sdn.payments-dev.x.com/ https://sdn.payments-staging.x.com/ https://sdn.payments-prod.x.com/ https://money-dev.x.com/ https://money-staging.x.com/ https://money.x.com/ https://sdn.money-dev.x.com/ https://sdn.money-staging.x.com/ https://sdn.money.x.com/ https://p2pcreditcardiframesandbox.crbcos.com https://p2pcreditcardiframe.crbcos.com https://verify-sandbox.plaid.com/ https://*.js.stripe.com https://js.stripe.com https://hooks.stripe.com https://cdn.getpinwheel.com/ https://artifacts.grokusercontent.com https://twitter.com https://x.com https://recaptcha.net/recaptcha/; img-src 'self' blob: data: https://www.google.com/maps/place/ https://imgs.search.brave.com https://*.cdn.twitter.com https://*.cdn.x.com https://ton.twitter.com https://ton.x.com https://*.twimg.com https://analytics.twitter.com https://analytics.x.com https://cm.g.doubleclick.net https://www.google-analytics.com https://maps.googleapis.com https://www.periscope.tv https://www.pscp.tv https://ads-twitter.com https://ads-api.twitter.com https://ads-api.x.com https://api.x.com https://developer.x.com blob: data: https://js.intercomcdn.com https://static.intercomassets.com https://downloads.intercomcdn.com https://downloads.intercomcdn.eu https://downloads.au.intercomcdn.com https://uploads.intercomusercontent.com https://gifs.intercomcdn.com https://video-messages.intercomcdn.com https://messenger-apps.intercom.io 
https://messenger-apps.eu.intercom.io https://messenger-apps.au.intercom.io https://*.intercom-attachments-1.com https://*.intercom-attachments.eu https://*.au.intercom-attachments.com https://*.intercom-attachments-2.com https://*.intercom-attachments-3.com https://*.intercom-attachments-4.com https://*.intercom-attachments-5.com https://*.intercom-attachments-6.com https://*.intercom-attachments-7.com https://*.intercom-attachments-8.com https://*.intercom-attachments-9.com https://static.intercomassets.eu https://static.au.intercomassets.com https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://t.co/1/i/adsct https://*.googleusercontent.com https://*.gstatic.com https://*.googlesyndication.com https://*.adtrafficquality.google https://www.google.com/ads/measurement/ https://*.google.com/ads/measurement/ https://googleads.g.doubleclick.net https://google.com https://www.google.com https://plaid-merchant-logos.plaid.com https://plaid-counterparty-logos.plaid.com https://assets.mouseion.dev https://assets.grok.com; manifest-src 'self'; media-src 'self' data: blob: https://twitter.com https://x.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://js.intercomcdn.com https://downloads.intercomcdn.com https://downloads.intercomcdn.eu https://downloads.au.intercomcdn.com https://dwo3ckksxlb0v.cloudfront.net; object-src 'none'; script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://*.twimg.com https://recaptcha.net/recaptcha/ http://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://accounts.google.com/gsi/client https://apis.google.com/js/api.js 
https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js https://client-api.arkoselabs.com/ https://static.ads-twitter.com https://twitter.com https://www.google-analytics.com https://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://x.com https://sdn.payments-dev.x.com/assets/loader.min.js https://sdn.payments-staging.x.com/assets/loader.min.js https://sdn.payments-prod.x.com/assets/loader.min.js https://sdn.money-dev.x.com/assets/loader.min.js https://sdn.money-staging.x.com/assets/loader.min.js https://sdn.money.x.com/assets/loader.min.js https://sdk.dv.socure.io/latest/device-risk-sdk.js https://cdn.plaid.com/link/v2/stable/link-initialize.js https://payments-dev.x.com/customer/wasm/xxp-forward-with-sdk.js https://payments-staging.x.com/customer/wasm/xxp-forward-with-sdk.js https://payments-prod.x.com/customer/wasm/xxp-forward-with-sdk.js https://money-dev.x.com/customer/wasm/xxp-forward-with-sdk.js https://money-staging.x.com/customer/wasm/xxp-forward-with-sdk.js https://money.x.com/customer/wasm/xxp-forward-with-sdk.js https://js.stripe.com https://*.js.stripe.com https://cdn.getpinwheel.com/pinwheel-v3.2.1.js https://securepubads.g.doubleclick.net https://www.googletagservices.com https://*.googletagservices.com https://pagead2.googlesyndication.com https://adservice.google.com https://www.googleadservices.com https://ads.google.com https://tpc.googlesyndication.com https://*.tpc.googlesyndication.com https://www.google.com https://googleads.g.doubleclick.net https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'wasm-unsafe-eval' 'nonce-ZTlhZDMyODgtODljZi00MWExLWEyOTUtY2NlZmU1YzI4ZGVj'; style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com; child-src 'self' blob:; worker-src 'self' blob:; report-uri https://x.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
cross-origin-opener-policy: unsafe-none
cross-origin-embedder-policy: unsafe-none
cf-cache-status: DYNAMIC
x-response-time: 15
origin-cf-ray: 9c11ba6b6dead4bc-SEA
strict-transport-security: max-age=631138519; includeSubdomains
x-served-by: t4_p
Set-Cookie: guest_id_marketing=v1%3A176894520518641637; Max-Age=63072000; Expires=Thu, 20 Jan 2028 21:40:05 GMT; Path=/; Domain=.x.com; Secure, guest_id_ads=v1%3A176894520518641637; Max-Age=63072000; Expires=Thu, 20 Jan 2028 21:40:05 GMT; Path=/; Domain=.x.com; Secure, personalization_id="v1_W6w7a+X1vAIIJapUivtdLg=="; Max-Age=63072000; Expires=Thu, 20 Jan 2028 21:40:05 GMT; Path=/; Domain=.x.com; Secure, guest_id=v1%3A176894520518641637; Max-Age=63072000; Expires=Thu, 20 Jan 2028 21:40:05 GMT; Path=/; Domain=.x.com; Secure, ct0=; Max-Age=-1768945204; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.x.com; Secure; SameSite=Lax, __cf_bm=N2SvCSCN.E73lKfUYswMSKiNrTaBA4ZL3g72nYcKlKw-1768945205.0275238-1.0.1.1-IDItqgNv3hsBQzAdTy8gLkUVYmsyMJduQcUB2N8ESyDEWbVEcWW.E2rnPYEuctSMIIy5m3u3xW9W4hw9zoZVuFt_HCpLyi_WYJ159pqrf0.6cxEO_hHg41O2LjhL.V71; HttpOnly; Secure; Path=/; Domain=x.com; Expires=Tue, 20 Jan 2026 22:10:05 GMT
vary: accept-encoding
Content-Encoding: gzip
CF-RAY: 9c11ba6b6dead4bc-BOM

Detailed Technical Analysis

1 Open Ports [80, 443]
2 Debug Method Enabled No
3 OPTIONS Method Yes
4 DKIM Not Detected
5 SPF Not Detected
6 DMARC Not Detected
7 Captcha Detection Not Detected
8 Password field with autocomplete Not Detected
9 Unencrypted Viewstate Not Detected

Additional Findings

Http Methods Allowed

  • GET
  • POST
  • OPTIONS

Cross Domain Inclusion

  • abs.twimg.com
  • abs-0.twimg.com

Findings – CVE (Common Vulnerabilities and Exposures)

No CVE vulnerabilities found.

Findings – CWE (Common Weakness Enumeration)

Columns: Sr. No | Vulnerability | Source | CWE ID | Severity | Description | Remediation

1 Missing HttpOnly flag in cookies
  CWE ID: CWE-1004 | Severity: High
  Description: Cookies accessible by JavaScript can be stolen via XSS.
  Remediation: Set the HttpOnly flag to prevent client-side script access.

2 Missing Secure flag in cookies
  CWE ID: CWE-614 | Severity: High
  Description: Cookies without the Secure flag may be sent over unencrypted connections.
  Remediation: Enable the Secure flag for all session or sensitive cookies.

3 Missing Referrer-Policy header
  CWE ID: CWE-200 | Severity: Medium
  Description: Exposure of sensitive URLs or information to third-party sites.
  Remediation: Set a secure referrer policy such as: "Referrer-Policy: no-referrer".

Scan Test Cases

Sr. No Test Case
1 Inline Connection
2 Ip-Address
3 Cloud_Provider
4 Server Disclosure
5 Technology Disclosure
6 Cms Detection
7 Mixed Content Analysis
8 Operating-System
9 Open Ports Scan
10 Database
11 Javascript Libraries
12 Secure Connection Check
13 Directories Listing Exposed
14 Password Exposing Pages
15 Missing Security Headers
16 Missing Content-Security-Policy
17 Missing Strict-Transport-Security
18 Missing Referrer-Policy
19 Missing X-Content-Type-Options
20 Missing Cookie http flag
21 Missing Cookie secure flag
22 Secret Files Detection
23 WAF-Detection
24 SSL Certificate Validation
25 Loose Cookie Domain
26 CSP Header Analysis
27 OpenAPI Disclosure
28 Password Leak Detection
29 Path Disclosure
30 Error Messages Analysis
31 Rate Limit Headers
32 Email Extraction
33 Xml-RPC Endpoint Detection
34 HTTP Methods Allowed
35 Enabled Debug Method
36 Enabled OPTIONS Method
37 Cross-Domain Inclusion
38 File Upload Detection
39 Client Access Policies
40 X-FRAME OPTIONS
41 X-XSS PROTECTION
42 .htaccess Exposure

Passed & Failed Cases

Passed Cases (22)

  • CMS
  • Mixed Content (HTTP on HTTPS)
  • Open Ports Scan
  • Javascript Libraries
  • Secure Connection
  • Directory Listing Exposed
  • Passwords submitted unencrypted
  • Missing Content-Security-Policy header
  • Missing Strict-Transport-Security header
  • Missing X-Content-Type-Options header
  • WAF Detection
  • SSL Certificate
  • Password Leakage
  • Error Messages Analysis
  • Path Disclosure
  • Rate Limit Headers
  • Emails exposed
  • XML-RPC Endpoint Detection
  • Enabled OPTIONS Method
  • File Upload Detection
  • .htaccess Exposure
  • Host Header Injection

Failed Cases (16)

  • Server Disclosure
  • Technology Disclosure
  • Missing Security Headers
  • Missing Referrer-Policy header
  • Missing HttpOnly flag in cookies
  • Missing Secure flag in cookies
  • Secret Files Detection
  • robots.txt file found
  • Loose cookie domain
  • Content Security Policy Misconfiguration
  • OpenAPI Disclosure
  • Enabled Debug Method
  • Cross-Domain Inclusion
  • Client Access Policies
  • X-FRAME OPTIONS
  • X-XSS PROTECTION

Raw Scan Data (JSON)

{
    "host": "x.com",
    "host_url": "https://x.com/",
    "task_id": "c4478e2c-4f97-4171-a7a3-e6f175780920",
    "status": "COMPLETED",
    "inline_connection": "Yes",
    "ip_address": "172.66.0.227",
    "hosting_provider": "Cloudflare",
    "registrar": null,
    "cms": null,
    "cms_cve": null,
    "server": "cloudflare envoy",
    "server_disclosure_cve": null,
    "programming_language": "express",
    "technology_disclosure_cve": null,
    "mixed_content_analysis": null,
    "operating_system": "Unknown",
    "open_ports": [
        80,
        443
    ],
    "database_technology": null,
    "javascript_libraries": null,
    "javascript_libraries_cve": null,
    "secure_connection": "Enabled",
    "directory_listing": null,
    "passwords_submitted_unencrypted": null,
    "missing_security_headers": [
        "PERMISSIONS-POLICY",
        "REFERRER-POLICY",
        "X-PERMITTED-CROSS-DOMAIN"
    ],
    "missing_content_security_policy_header": null,
    "missing_strict_transport_security_header": null,
    "missing_referrer_policy_header": {
        "issue": "Missing Referrer-Policy header",
        "severity": "Medium",
        "cwe_id": "CWE-200",
        "cwe_description": "Exposure of sensitive URLs or information to third-party sites.",
        "fix": "Set a secure referrer policy such as: \"Referrer-Policy: no-referrer\"."
    },
    "missing_x_content_type_options_header": null,
    "missing_httponly_flag_in_cookies": {
        "issue": "Missing HttpOnly flag in cookies",
        "severity": "High",
        "cwe_id": "CWE-1004",
        "cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
        "fix": "Set the HttpOnly flag to prevent client-side script access."
    },
    "missing_secure_flag_in_cookies": {
        "issue": "Missing Secure flag in cookies",
        "severity": "High",
        "cwe_id": "CWE-614",
        "cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
        "fix": "Enable the Secure flag for all session or sensitive cookies."
    },
    "secret_files_detection": [
        "https://x.com/robots.txt",
        "https://x.com/security.txt",
        "https://x.com/sitemap.xml"
    ],
    "robots_txt_file_found": null,
    "waf_detection": [
        "Cloudflare",
        "Cloudflare"
    ],
    "ssl_certificate": null,
    "loose_cookie_domain": {
        "Source": {
            "__cf_bm": ".x.com"
        },
        "Loose cookie domain": {
            "issue": "Loose cookie domain",
            "severity": "Medium",
            "cwe_id": "CWE-565",
            "cwe_description": "Overly broad cookie domain allows cookies to be sent to subdomains that should not receive them.",
            "fix": "Set the cookie domain narrowly, e.g., domain=www.example.com instead of example.com."
        }
    },
    "csp_header_analysis": "Missing 'frame-ancestors' directive",
    "openapi_disclosure": {
        "Source": [
            "File found at https://x.com/v2/swagger.json, but not OpenAPI format",
            "File found at https://x.com/v2/openapi.json, but not OpenAPI format",
            "File found at https://x.com/v2/openapi.yaml, but not OpenAPI format",
            "File found at https://x.com/v3/swagger.json, but not OpenAPI format",
            "File found at https://x.com/v3/openapi.json, but not OpenAPI format",
            "File found at https://x.com/v3/openapi.yamlapi-docs, but not OpenAPI format",
            "File found at https://x.com/v2/api-docs, but not OpenAPI format",
            "File found at https://x.com/v3/api-docs, but not OpenAPI format"
        ],
        "Exposure of Resource to Wrong Sphere": {
            "issue": "Exposure of Resource to Wrong Sphere",
            "severity": "High",
            "cwe_id": "CWE-668",
            "cwe_description": "Resources such as open ports or services are accessible to unauthorized actors.",
            "fix": "Restrict unnecessary open ports and limit exposure via firewalls or access control lists."
        }
    },
    "password_leakage": null,
    "error_messages_analysis": null,
    "path_disclosure": null,
    "rate_limit_headers": null,
    "email_extraction": null,
    "xml_rpc_endpoint_detection": null,
    "http_methods_allowed": [
        "GET",
        "POST",
        "OPTIONS"
    ],
    "enabled_debug_method": "No",
    "enabled_options_method": "Yes",
    "cross_domain_inclusion": [
        "abs.twimg.com",
        "abs-0.twimg.com"
    ],
    "file_upload": null,
    "client_access_policies": [
        "https://x.com/crossdomain.xml",
        "https://x.com/clientaccesspolicy.xml"
    ],
    "x_frame_options": "Properly Configured",
    "x_xss_protection": "x-xss-protection header exists but is misconfigured",
    "htaccess_exposure": null,
    "host_header_injection": null,
    "captcha_detection": null,
    "password_field_with_autocomplete": null,
    "spf": null,
    "dmarc": null,
    "dkim": null,
    "unencrypted_viewstate": null,
    "total_scans": [
        "Inline Connection",
        "Ip-Address",
        "Cloud_Provider",
        "Server Disclosure",
        "Technology Disclosure",
        "Cms Detection",
        "Mixed Content Analysis",
        "Operating-System",
        "Open Ports Scan",
        "Database",
        "Javascript Libraries",
        "Secure Connection Check",
        "Directories Listing Exposed",
        "Password Exposing Pages",
        "Missing Security Headers",
        "Missing Content-Security-Policy",
        "Missing Strict-Transport-Security",
        "Missing Referrer-Policy",
        "Missing X-Content-Type-Options",
        "Missing Cookie http flag",
        "Missing Cookie secure flag",
        "Secret Files Detection",
        "WAF-Detection",
        "SSL Certificate Validation",
        "Loose Cookie Domain",
        "CSP Header Analysis",
        "OpenAPI Disclosure",
        "Password Leak Detection",
        "Path Disclosure",
        "Error Messages Analysis",
        "Rate Limit Headers",
        "Email Extraction",
        "Xml-RPC Endpoint Detection",
        "HTTP Methods Allowed",
        "Enabled Debug Method",
        "Enabled OPTIONS Method",
        "Cross-Domain Inclusion",
        "File Upload Detection",
        "Client Access Policies",
        "X-FRAME OPTIONS",
        "X-XSS PROTECTION",
        ".htaccess Exposure"
    ],
    "executive_summary": {
        "Severity": "High",
        "Total Checks Passed": 22,
        "Passed Cases": [
            "CMS",
            "Mixed Content (HTTP on HTTPS)",
            "Open Ports Scan",
            "Javascript Libraries",
            "Secure Connection",
            "Directory Listing Exposed",
            "Passwords submitted unencrypted",
            "Missing Content-Security-Policy header",
            "Missing Strict-Transport-Security header",
            "Missing X-Content-Type-Options header",
            "WAF Detection",
            "SSL Certificate",
            "Password Leakage",
            "Error Messages Analysis",
            "Path Disclosure",
            "Rate Limit Headers",
            "Emails exposed",
            "XML-RPC Endpoint Detection (XML-RPC Endpoint Detection) ",
            "Enabled OPTIONS Method",
            "File Upload Detection",
            ".htaccess Exposure",
            "Host Header Injection"
        ],
        "Total Checks Failed": 16,
        "Failed Cases": [
            "Server Disclosure",
            "Technology Disclosure",
            "Missing Security Headers",
            "Missing Referrer-Policy header",
            "Missing HttpOnly flag in cookies",
            "Missing Secure flag in cookies",
            "Secret Files Detection",
            "robots.txt file found",
            "Loose cookie domain",
            "Content Security Policy Misconfiguration",
            "OpenAPI Disclosure",
            "Enabled Debug Method",
            "Cross-Domain Inclusion",
            "Client Access Policies",
            "X-FRAME OPTIONS",
            "X-XSS PROTECTION"
        ],
        "Total CVEs Found": 0,
        "Critical": 0,
        "High": 0,
        "Medium": 0,
        "Low": 0,
        "Total CWEs Found": 3
    },
    "total_scan_time": "20.06 seconds",
    "scan_start_timestamp": "2026-01-20 21:40:04"
}
