85
nih.gov
Findings
6
·
2
·
0
Checks
8 passive
Executive Summary
AI-GENERATED
nih.gov scored 85/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: Known Breaches, HSTS Header, CVE Exposure all passed.
2 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
Action Items
Ordered by priority · 2 items
1
Add optional security headers (Referrer-Policy, Permissions-Policy)
nih.gov has most security headers configured. Missing: Referrer-Policy, Permissions-Policy. These are best-practice additions that reduce the attack surface for client-side vulnerabilities.
Remediation Steps
1
Add: Referrer-Policy: strict-origin-when-cross-origin
2
Add: Permissions-Policy: camera=(), microphone=(), geolocation=()
3
Verify with: curl -sI https://nih.gov | grep -iE 'content-security|x-frame|x-content|referrer|permissions'
Unlock the full remediation plan
Get detailed steps, compliance mapping, and ownership for all 2 action items. Free — just enter your work email.
No spam. We'll only contact you about this report.
✓ Report unlocked. Scroll down for full details.
2
Upgrade to TLS 1.3
nih.gov negotiated TLSv1.2. TLS 1.2 is still compliant under all major security frameworks and is not a vulnerability. TLS 1.3 offers faster handshakes and removes legacy cipher negotiation. This is a best-practice improvement, not a compliance gap.
Remediation Steps
1
Update web server config to prefer TLS 1.3 (nginx: ssl_protocols TLSv1.2 TLSv1.3)
2
Verify: openssl s_client -connect nih.gov:443 -tls1_3
Scan Findings
Security Headers
Warning
TLS Configuration
Warning
Known Breaches
Healthy
HSTS Header
Healthy
CVE Exposure
Healthy
DMARC / Email Security
Healthy
Certificate Hygiene
Healthy
DNS Configuration
Healthy