https://spiegel.de
Analyse abgeschlossen. 3 Schwachstellen gefunden · Score 77/100.
Unlock 1 masked finding
1 e-mails · clean PDF report · history
Sensitive reconnaissance findings
Recon · OSINT 🔒 maskedThis section contains sensitive findings (e-mails found, sensitive paths, server versions). For visitors without an account, actual values are masked — only count and status are shown. → Sign in for full view
sp●●●@●●●.de
🔒 1 e-mails readable by spam bots — sign up for free for the full list
Quick Wins — biggest impact
These 3 changes raise your score the most.
77 → 100
-
1
X-Frame-Options missing i X-Frame-Options Prevents your site from being embedded in an iframe on a foreign site. Protects against clickjacking, where users invisibly trigger actions on your site.
+10 ⏱ 5 Minuten · leichtMissing – site is vulnerable to clickjacking.
-
2
X-Content-Type-Options missing i X-Content-Type-Options Prevents the browser from 'guessing' the MIME type of a file (MIME sniffing). Stops e.g. an HTML file disguised as an image from being executed as code.
+10 ⏱ 5 Minuten · leichtMissing – browsers could misinterpret file types.
-
3
1 unprotected e-mail address(es) on the page
+3 ⏱ 15-30 Minuten · mittelSpam bots and scrapers find these addresses automatically in under a second:
spiegel_online@spiegel.de
Scan categories
SSL & HTTPS
Passed ✓
HTTP headers
Issues ✗
DNS & infrastructure
Passed ✓
E-mail protection
Passed ✓
Open ports
Passed ✓
GDPR
Passed ✓
Vulnerabilities found
X-Frame-Options missing
Missing – site is vulnerable to clickjacking.
+ 2 more vulnerabilities locked
Including action items & fixes — unlock for free
Save this report as PDF
With a free account: full PDF report with screenshot, Quick Wins, all recommendations and step-by-step fixes — perfect to show, archive or pass on to clients.
Terms in this report
Understand what we found — the key concepts behind the findings, briefly explained.
SSL & TLS
How SSL/TLS certificates work, how the handshake unfolds and what to watch for when checking — explained in plain English.
HSTS (Strict-Transport-Security) forces browsers permanently to HTTPS. Learn how the header is built, what includeSubDomains and p…
CAA records define which certificate authorities are allowed to issue SSL certificates for your domain. Protection against mis-iss…
DMARC protects your domain from e-mail spoofing. Learn how the record is structured, what p=none/quarantine/reject mean and how to…
SPF (Sender Policy Framework) prevents foreign servers from sending e-mails under your domain name. Structure, mechanisms and best…
DKIM signs your outgoing e-mails cryptographically — the recipient can reliably verify a mail came from you. Structure, selectors …
HTTP headers
The Content-Security-Policy is the most important browser-side defence against XSS. Learn how a CSP is structured and how to roll …
X-Frame-Options prevents clickjacking by controlling whether your site can be embedded in an iframe. Values DENY, SAMEORIGIN and t…
The Referrer-Policy controls which information is sent when users click external links. Values, privacy implications and safe defa…
The Permissions-Policy selectively disables browser features like geolocation, microphone, camera and FLoC. Structure, all directi…
X-Content-Type-Options: nosniff prevents browsers from guessing the MIME type of files. Protection against cross-site-scripting an…
Frontend & APIs
SRI protects external JavaScript and CSS files against tampering on the CDN. Hash-based integrity verification in the browser — ex…
Cross-Origin Resource Sharing controls which foreign sites may call your APIs. Same-Origin policy, preflight requests and the key …
Secure, HttpOnly and SameSite — the three most important cookie flags and what they do. How to harden sessions against XSS, MITM a…