C-
72/100

porn-hd.xxx

April 13, 2026
2 Critical, 5 Warnings, 7 Passed (14 checks)
Security Headers
2/5 security headers present. Missing: X-Frame-Options, Referrer-Policy, Permissions-Policy. This exposes the application to clickjacking, MIME-sniffing, and other client-side attacks.
Critical
DMARC / Email Security
Issues: No DMARC record found — email spoofing is not prevented; No SPF record found; No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).
Critical
MTA-STS & TLS Reporting
Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks. Sending servers cannot verify that your mail server requires TLS; No TLSRPT record — TLS delivery failures won't be reported to domain owner.
Needs work
DNS CAA Records
Strengths: CAA records configured (1 record(s)); Authorized CAs: letsencrypt.org. Issues: No iodef record — CA violations won't be reported to the domain owner.
Needs work
DNS Configuration
Strengths: 2 nameservers configured (ns01.hostiserver.com., ns02.hostiserver.com.); Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.
Needs work
Cookie Security
Strengths: 2 cookie(s) analyzed; All cookies have Secure flag; All cookies have SameSite attribute. Issues: 2/2 cookie(s) missing HttpOnly flag (s, uid).
Needs work
security.txt (RFC 9116)
No security.txt found. Publishing a security.txt at /.well-known/security.txt is the industry standard (RFC 9116) for vulnerability disclosure policies. Its absence may indicate a less mature security program.
Needs work
MX Records & Mail Provider
No MX records found. This domain does not receive email directly — this is intentional for many domains and carries no security risk. If email is expected, verify mail routing via A/AAAA fallback or a mail provider.
Passed
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
Passed
TLS Protocol Support
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Passed
Known Breaches
No known breaches found in public disclosure databases.
Passed
HSTS Header
HSTS enabled: max-age=31536000s (365 days) with includeSubDomains and preload. Meets best-practice configuration.
Passed
CVE Exposure
Detected technologies: nginx/1.21.1. No high or critical CVEs found for detected versions.
Passed
Certificate Hygiene
Strengths: Certificate valid, 47 days remaining; Issued by Let's Encrypt; 142 certificates logged in CT. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
Passed
Recommended actions 1+ items

Steps to improve porn-hd.xxx's security grade, ranked by impact.

1
Set up email authentication (DMARC, SPF, DKIM)
1–2 days Critical

Without email authentication, anyone can send emails that appear to come from porn-hd.xxx. This is the most common vector for phishing attacks targeting employees and customers. DMARC, SPF, DKIM are not configured.

NIST CSF PR.AC-7
Email authentication is a required access control
ISO 27001 A.13.2.1
Information transfer policies require email security controls
HIPAA §164.312(e)
Transmission security for electronic PHI
How to fix this
1. Add SPF record to DNS: v=spf1 include:_spf.google.com ~all (adjust for your email provider)
2. Configure DKIM signing with your email provider and publish the public key in DNS
3. Add DMARC record: v=DMARC1; p=quarantine; rua=mailto:[email protected]
4. Monitor DMARC reports for 2–4 weeks, then upgrade policy to p=reject
AI Summary
What this means

porn-hd.xxx scored 72/100, meeting baseline requirements but with 5 findings that require attention. The vendor can proceed with a remediation timeline agreement.

Critical gaps in: DMARC / Email Security, Security Headers. Positive signals: MX Records & Mail Provider, TLS Configuration, Known Breaches all passed.

3 action items identified, including 1 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.

How porn-hd.xxx compares

Grade distribution across 2678 companies we've scanned. porn-hd.xxx scores better than 46% of them.

46th percentile
Companies per grade: A+ 88, A 28, A- 194, B+ 200, B 75, B- 376, C+ 137, C 117, C- 347, D+ 123, D 96, D- 265, F 632
porn-hd.xxx — Grade C- (72/100) 2678 companies scanned
At a glance

Key data points from the scan.

TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
Not configured
Issues: No DMARC record found — email spoofing is not prevented; No SPF record found; No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).
SPF Record
Missing
No SPF record found.
Security Headers
2/5 present
Missing: X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=31536000s (365 days) with includeSubDomains and preload. Meets best-practice configuration.
SSL Certificate
Valid
Strengths: Certificate valid, 47 days remaining; Issued by Let's Encrypt; 142 certificates logged in CT. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (ns01.hostiserver.com., ns02.hostiserver.com.); Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.