This report is designed to be parsed by AI coding assistants. Copy this entire report and paste it to your AI agent with: "Fix these security issues"
Target: https://www.indietools.app Scanned: 2026-02-02T06:00:52.804Z Grade: D (51/100)
- ID: missing-content-security-policy
- Category: Security Headers
- Description: CSP prevents XSS attacks by controlling which resources can be loaded
- Fix: Add header: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
- ID: missing-strict-transport-security
- Category: Security Headers
- Description: HSTS forces browsers to use HTTPS, preventing downgrade attacks
- Fix: Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- ID: missing-x-frame-options
- Category: Security Headers
- Description: Prevents clickjacking by controlling if the site can be embedded in iframes
- Fix: Add header: X-Frame-Options: DENY (or SAMEORIGIN if you need iframes)
- ID: missing-x-content-type-options
- Category: Security Headers
- Description: Prevents MIME-type sniffing attacks
- Fix: Add header: X-Content-Type-Options: nosniff
- ID: missing-referrer-policy
- Category: Security Headers
- Description: Controls how much referrer information is sent with requests
- Fix: Add header: Referrer-Policy: strict-origin-when-cross-origin
- ID: missing-permissions-policy
- Category: Security Headers
- Description: Controls which browser features the site can use
- Fix: Add header: Permissions-Policy: geolocation=(), microphone=(), camera=()
- ID: missing-x-xss-protection
- Category: Security Headers
- Description: Legacy XSS filter (deprecated but still useful for older browsers)
- Fix: Add header: X-XSS-Protection: 1; mode=block
- ID: dns-no-spf
- Category: Email Security
- Description: Without SPF, anyone can send emails pretending to be from your domain. This is like having no caller ID on your phone. (Your domain has no MX records, so this is lower priority.)
- Fix: Add a TXT record to your DNS: v=spf1 include:_spf.google.com ~all (adjust based on your email provider)
- ID: dns-no-dmarc
- Category: Email Security
- Description: DMARC tells email servers what to do when SPF/DKIM checks fail. Without it, spoofed emails may still be delivered. (Your domain has no MX records, so this is lower priority.)
- Fix: Add a TXT record for _dmarc.www.indietools.app: v=DMARC1; p=quarantine; rua=mailto:[email protected]
- Grade: C
- Score: 50/100
- Tests Passed: 7
- Tests Failed: 3
- Full Report: https://developer.mozilla.org/en-US/observatory/analyze?host=www.indietools.app
These tools require manual verification:
Confidence: medium
Our scan found issues that external tools did not flag (they may check different things).
Issues found by our scan:
- Missing Content-Security-Policy header
- Missing Strict-Transport-Security header
- Missing X-Frame-Options header
- Missing X-Content-Type-Options header
- Vercel (hosting)
- Astro (framework)
Address issues in this order:
- CRITICAL - Fix immediately (security breach risk)
- HIGH - Fix soon (significant vulnerability)
- MEDIUM - Fix when possible (best practice)
- LOW - Nice to have (hardening)
To fix these issues:
- Start with CRITICAL and HIGH severity issues
- For each issue, implement the fix described
- Test the fix locally before deploying
- After deploying, the user should re-scan to verify
Domain: www.indietools.app Total Issues: 9 Critical: 0, High: 1, Medium: 3, Low: 5