Security checks — sorted by severity
Security Headers
2/5 security headers present. Missing: X-Frame-Options, Referrer-Policy, Permissions-Policy. This exposes the application to clickjacking, MIME-sniffing, and other client-side attacks.
2/5 security headers present. Missing: X-Frame-Options, Referrer-Policy, Permissions-Policy. This exposes the application to clickjacking, MIME-sniffing, and other client-side attacks.
MTA-STS & TLS Reporting
Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks. Sending servers cannot verify that your mail server requires TLS; No TLSRPT record — TLS delivery failures won't be reported to domain owner.
Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks. Sending servers cannot verify that your mail server requires TLS; No TLSRPT record — TLS delivery failures won't be reported to domain owner.
DNS Configuration
Strengths: 2 nameservers configured (pranab.ns.cloudflare.com., jamie.ns.cloudflare.com.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.
Strengths: 2 nameservers configured (pranab.ns.cloudflare.com., jamie.ns.cloudflare.com.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.
DMARC / Email Security
Strengths: SPF record present with soft-fail (~all); DKIM configured (selectors: s1). Issues: DMARC policy is 'none' (monitoring only, no enforcement).
Strengths: SPF record present with soft-fail (~all); DKIM configured (selectors: s1). Issues: DMARC policy is 'none' (monitoring only, no enforcement).
MX Records & Mail Provider
Strengths: Mail handled by pan.w3.org; 2 MX record(s) configured; Multiple MX records provide redundancy; All MX records share the same priority (5) — round-robin load balancing (no primary/backup distinction).
Strengths: Mail handled by pan.w3.org; 2 MX record(s) configured; Multiple MX records provide redundancy; All MX records share the same priority (5) — round-robin load balancing (no primary/backup distinction).
DNS CAA Records
Strengths: CAA records configured (14 record(s)); Authorized CAs: amazon.com, comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com; Violation reporting (iodef) configured.
Strengths: CAA records configured (14 record(s)); Authorized CAs: amazon.com, comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com; Violation reporting (iodef) configured.
TLS Protocol Support
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
Known Breaches
No known breaches found in public disclosure databases.
No known breaches found in public disclosure databases.
HSTS Header
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
Cookie Security
No cookies set on the homepage response. No cookie security flags to evaluate.
No cookies set on the homepage response. No cookie security flags to evaluate.
security.txt (RFC 9116)
Strengths: security.txt found with 1 field(s); Contact: mailto:[email protected]. Issues: Missing 'Expires' field (required by RFC 9116); Not PGP signed (recommended for authenticity).
Strengths: security.txt found with 1 field(s); Contact: mailto:[email protected]. Issues: Missing 'Expires' field (required by RFC 9116); Not PGP signed (recommended for authenticity).
CVE Exposure
Detected technologies: cloudflare. (cloudflare detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
Detected technologies: cloudflare. (cloudflare detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
Certificate Hygiene
Strengths: Certificate valid, 61 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
Strengths: Certificate valid, 61 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
Recommended actions
1+ items
Steps to improve w3.org's security grade, ranked by impact.
1
Add missing security headers (X-Frame-Options, Referrer-Policy, Permissions-Policy)
3 of 5 recommended security headers are missing on w3.org: X-Frame-Options, Referrer-Policy, Permissions-Policy. These headers protect against clickjacking, MIME-sniffing, and unauthorized browser feature access. Adding them is a server configuration change with no application code changes required.
PCI-DSS 4.0Req 6.4.1
Security headers are required application controls
OWASPSecure Headers
Recommended baseline for web applications
How to fix this
1
Add: X-Frame-Options: SAMEORIGIN (use DENY only if you never embed your pages in iframes)
2
Add: Referrer-Policy: strict-origin-when-cross-origin
3
Add: Permissions-Policy: camera=(), microphone=(), geolocation=()
4
Verify with: curl -sI https://w3.org | grep -iE 'content-security|x-frame|x-content|referrer|permissions'
See all 2 remaining recommendations
Enter your work email to unlock the full action plan.
No spam. We only send security-related updates.
Report unlocked.
AI Summary
What this means
w3.org scored 80/100, demonstrating a strong security posture. Minor improvements are noted below.
Critical gaps in: Security Headers. Positive signals: MX Records & Mail Provider, DNS CAA Records, TLS Protocol Support all passed.
3 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How w3.org compares
Grade distribution across 2678 companies we've scanned. w3.org scores better than 64% of them.
88
A+
28
A
194
A-
200
B+
75
B
376
B-
137
C+
117
C
347
C-
123
D+
96
D
265
D-
632
F
w3.org — Grade B- (80/100)
2678 companies scanned
At a glance
Key data points from the scan.
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=none
Strengths: SPF record present with soft-fail (~all); DKIM configured (selectors: s1). Issues: DMARC policy is 'none' (monitoring only, no enforcement).
SPF Record
Present
v=spf1 mx ip4:34.238.48.92 ip4:34.199.101.240 ip6:2600:1f18:7d7a:2700::/56 include:_spf.google.com ~
Security Headers
2/5 present
Missing: X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
SSL Certificate
Valid
Strengths: Certificate valid, 61 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (pranab.ns.cloudflare.com., jamie.ns.cloudflare.com.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.
Similar companies
Other domains with comparable security profiles.
