Overview
Findings
Actions
Details
Related
AI-Generated Summary
What this means
nih.gov scored 85/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: Known Breaches, HSTS Header, CVE Exposure all passed.
2 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How nih.gov compares
Grade distribution across 2520 companies we've scanned. nih.gov scores better than 78% of them.
79
A+
25
A
184
A-
190
B+
73
B
351
B-
121
C+
113
C
324
C-
117
D+
93
D
237
D-
613
F
nih.gov — Grade B (85/100)
2520 companies scanned
Security checks
Each check inspects a different part of nih.gov's public security setup. Green means healthy, yellow needs attention, red is a problem.
Security Headers
3/5 security headers present. Missing: Referrer-Policy, Permissions-Policy.
TLS Configuration
TLSv1.2 negotiated. Issues: TLS 1.2 negotiated (1.3 preferred).
Known Breaches
No known breaches found in public disclosure databases.
HSTS Header
HSTS enabled: max-age=31536000. Missing includeSubDomains. Missing preload directive.
CVE Exposure
Detected technologies: Drupal 10/(https://www.drupal.org). No high or critical CVEs found for detected versions.
DMARC / Email Security
Strengths: DMARC policy set to reject (strongest); SPF record present with soft-fail (~all); DKIM configured (selectors: selector1, s2, k1).
Certificate Hygiene
Strengths: Certificate valid, 364 days remaining; Issued by GoDaddy.com, Inc..
DNS Configuration
Strengths: 3 nameservers configured (ns3.nih.gov., ns.nih.gov., ns2.nih.gov.); 8 MX records present; DNSSEC enabled; Zone transfers properly restricted.
Recommended actions
2 items
Steps to improve nih.gov's security grade, ranked by impact.
1
Add optional security headers (Referrer-Policy, Permissions-Policy)
nih.gov has most security headers configured. Missing: Referrer-Policy, Permissions-Policy. These are best-practice additions that reduce the attack surface for client-side vulnerabilities.
How to fix this
1
Add: Referrer-Policy: strict-origin-when-cross-origin
2
Add: Permissions-Policy: camera=(), microphone=(), geolocation=()
3
Verify with: curl -sI https://nih.gov | grep -iE 'content-security|x-frame|x-content|referrer|permissions'
See all recommendations
Enter your work email to unlock the full action plan.
No spam. We only send security-related updates.
Report unlocked.
2
Upgrade to TLS 1.3
nih.gov negotiated TLSv1.2. TLS 1.2 is still compliant under all major security frameworks and is not a vulnerability. TLS 1.3 offers faster handshakes and removes legacy cipher negotiation. This is a best-practice improvement, not a compliance gap.
How to fix this
1
Update web server config to prefer TLS 1.3 (nginx: ssl_protocols TLSv1.2 TLSv1.3)
2
Verify: openssl s_client -connect nih.gov:443 -tls1_3
At a glance
Key data points from the scan.
TLS Version
TLSv1.2
TLSv1.2 negotiated. Issues: TLS 1.2 negotiated (1.3 preferred).
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest); SPF record present with soft-fail (~all); DKIM configured (selectors: selector1, s2, k1).
SPF Record
Present
v=spf1 ip4:128.231.90.64/26 ip4:165.112.13.0/26 ip4:156.40.79.128/25 ip4:128.231.89.192/28 ip4:165.1
Security Headers
3/5 present
Missing: Referrer-Policy, Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=31536000. Missing includeSubDomains. Missing preload directive.
SSL Certificate
Valid
Strengths: Certificate valid, 364 days remaining; Issued by GoDaddy.com, Inc..
DNSSEC
Enabled
Strengths: 3 nameservers configured (ns3.nih.gov., ns.nih.gov., ns2.nih.gov.); 8 MX records present; DNSSEC enabled; Zone transfers properly restricted.