Skip to content

Instantly share code, notes, and snippets.

@code-explorer-io

code-explorer-io/security-fixes-www.trymyprompt.com.md

Created February 2, 2026 05:38
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save code-explorer-io/6ac237d2266856cdc220632cfbf02e7a to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save code-explorer-io/6ac237d2266856cdc220632cfbf02e7a to your computer and use it in GitHub Desktop.
Download ZIP
Security Checkup for www.trymyprompt.com
Raw
security-fixes-www.trymyprompt.com.md

Security Scan Technical Report

This report is designed to be parsed by AI coding assistants. Copy this entire report and paste it to your AI agent with: "Fix these security issues"

Target: https://www.trymyprompt.com Scanned: 2026-02-02T05:38:52.693Z Grade: C (63/100)

PHASE 1: Internal Security Scan

Security Headers

[MEDIUM] Missing Content-Security-Policy header

  • ID: missing-content-security-policy
  • Category: Security Headers
  • Description: CSP prevents XSS attacks by controlling which resources can be loaded
  • Fix: Add header: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

[MEDIUM] Missing X-Frame-Options header

  • ID: missing-x-frame-options
  • Category: Security Headers
  • Description: Prevents clickjacking by controlling if the site can be embedded in iframes
  • Fix: Add header: X-Frame-Options: DENY (or SAMEORIGIN if you need iframes)

[MEDIUM] Missing X-Content-Type-Options header

  • ID: missing-x-content-type-options
  • Category: Security Headers
  • Description: Prevents MIME-type sniffing attacks
  • Fix: Add header: X-Content-Type-Options: nosniff

[LOW] Missing Referrer-Policy header

  • ID: missing-referrer-policy
  • Category: Security Headers
  • Description: Controls how much referrer information is sent with requests
  • Fix: Add header: Referrer-Policy: strict-origin-when-cross-origin

[LOW] Missing Permissions-Policy header

  • ID: missing-permissions-policy
  • Category: Security Headers
  • Description: Controls which browser features the site can use
  • Fix: Add header: Permissions-Policy: geolocation=(), microphone=(), camera=()

[LOW] Missing X-XSS-Protection header

  • ID: missing-x-xss-protection
  • Category: Security Headers
  • Description: Legacy XSS filter (deprecated but still useful for older browsers)
  • Fix: Add header: X-XSS-Protection: 1; mode=block

CORS Configuration

[MEDIUM] CORS allows any origin

  • ID: cors-wildcard
  • Category: CORS
  • Description: Access-Control-Allow-Origin: * allows any website to read responses from your API
  • Fix: Restrict to specific trusted origins: Access-Control-Allow-Origin: https://yourdomain.com

Email Security (DNS)

[LOW] No SPF record found

  • ID: dns-no-spf
  • Category: Email Security
  • Description: Without SPF, anyone can send emails pretending to be from your domain. This is like having no caller ID on your phone. (Your domain has no MX records, so this is lower priority.)
  • Fix: Add a TXT record to your DNS: v=spf1 include:_spf.google.com ~all (adjust based on your email provider)

[LOW] No DMARC record found

  • ID: dns-no-dmarc
  • Category: Email Security
  • Description: DMARC tells email servers what to do when SPF/DKIM checks fail. Without it, spoofed emails may still be delivered. (Your domain has no MX records, so this is lower priority.)
  • Fix: Add a TXT record for _dmarc.www.trymyprompt.com: v=DMARC1; p=quarantine; rua=mailto:[email protected]

PHASE 2: External Tool Validation

Mozilla Observatory

Additional Manual Checks

These tools require manual verification:

Cross-Reference Analysis

Confidence: medium

Our scan found issues that external tools did not flag (they may check different things).

Issues found by our scan:

  • Missing Content-Security-Policy header
  • Missing X-Frame-Options header
  • Missing X-Content-Type-Options header
  • CORS allows any origin

Detected Technology Stack

  • Vercel (hosting)

Recommended Fix Order

Address issues in this order:

  1. CRITICAL - Fix immediately (security breach risk)
  2. HIGH - Fix soon (significant vulnerability)
  3. MEDIUM - Fix when possible (best practice)
  4. LOW - Nice to have (hardening)

AI Agent Instructions

To fix these issues:

  1. Start with CRITICAL and HIGH severity issues
  2. For each issue, implement the fix described
  3. Test the fix locally before deploying
  4. After deploying, the user should re-scan to verify

Domain: www.trymyprompt.com Total Issues: 9 Critical: 0, High: 0, Medium: 4, Low: 5

Raw
security-report-www.trymyprompt.com.md

Security Report: www.trymyprompt.com

Scanned on February 2, 2026

Overall Grade

C (63/100)

Fair. Some security gaps should be addressed.

At a Glance

Metric Value
Critical Issues 0
High Issues 0
Medium Issues 4
External Validation medium confidence

No Critical Issues Found

Great news! No critical or high-severity issues were found.

External Validation

We cross-checked our findings with industry-standard tools:

Mozilla Observatory: Grade C View full report

Confidence Level: MEDIUM

Our scan found issues that external tools did not flag (they may check different things).

Quick Wins

Smaller improvements you can make:

  • Missing Content-Security-Policy header: Add header: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'.
  • Missing X-Frame-Options header: Add header: X-Frame-Options: DENY (or SAMEORIGIN if you need iframes).
  • Missing X-Content-Type-Options header: Add header: X-Content-Type-Options: nosniff.

What To Do Next

  1. Share the Technical Report (below) with your AI coding assistant
  2. Ask it to implement the fixes
  3. Re-scan after deploying to verify the fixes worked

Generated by URL Security Scanner | GitHub

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment