Audit report 11:32:34

audi.de

Analyse abgeschlossen. 4 Schwachstellen gefunden · Score 80/100.

B 80/100

Security

75 /100

GDPR

Full view · free

Unlock full view + PDF report

clean PDF report · history

Unlock for free

Unlock for free · 30 sec

Sensitive reconnaissance findings

Recon · OSINT 🔒 masked

This section contains sensitive findings (e-mails found, sensitive paths, server versions). For visitors without an account, actual values are masked — only count and status are shown. → Sign in for full view

robots.txt — not present

sitemap.xml — not present

.git directory ✓ protected

Server disclosure ✓ hidden

Sensitive files ✓ none of the 13 checked files reachable

Unprotected e-mail addresses ✓ none in plain text

Site preview

click to open

Open site

Screenshot is being captured in the background …

⚡

Quick Wins — biggest impact

These 3 changes raise your score the most.

+45 points

80 → 100

1

No cookie-consent tool i Cookie-Consent Required under GDPR and §165 TKG 2021: before setting non-essential cookies (analytics, marketing), users must actively and freely consent. Violations can be fined up to €20M or 4% of annual revenue.
+25 ⏱ 2–4 Stunden · aufwändig

Tracking scripts (analytics, marketing pixels) are loaded, but no consent-management tool was detected. Under GDPR and §165 TKG 2021 this is unlawful — fines up to €20M possible.
2

Insecure cookies i Unsichere Cookies Session cookies need three flags: Secure (only sent over HTTPS), HttpOnly (no JavaScript access — protection against XSS theft) and SameSite (protection against CSRF attacks).
+10 ⏱ 15 Minuten · mittel

Cookies without Secure/HttpOnly/SameSite flags can be stolen. bm_mi: HttpOnly fehlt
3

X-Frame-Options missing i X-Frame-Options Prevents your site from being embedded in an iframe on a foreign site. Protects against clickjacking, where users invisibly trigger actions on your site.
+10 ⏱ 5 Minuten · leicht

Missing – site is vulnerable to clickjacking.

+ 1 more vulnerabilities — see the list below

Scan categories

SSL & HTTPS

Passed ✓

HTTP headers

Issues ✗

DNS & infrastructure

Passed ✓

E-mail protection

Passed ✓

Open ports

Passed ✓

GDPR

Passed ✓

Vulnerabilities found

3 critical 1 medium

High

No cookie-consent tool

Tracking scripts (analytics, marketing pixels) are loaded, but no consent-management tool was detected. Under GDPR and §165 TKG 2021 this is unlawful — fines up to €20M possible.

High

Insecure cookies

Cookies without Secure/HttpOnly/SameSite flags can be stolen. <code>bm_mi</code>: HttpOnly fehlt

High

Google Analytics without consent gate

Tracking scripts are loaded without consent. Fines up to €20M possible.

Medium

X-Frame-Options missing

Missing – site is vulnerable to clickjacking.

+ 3 more vulnerabilities locked

Including action items & fixes — unlock for free

Save this report as PDF

With a free account: full PDF report with screenshot, Quick Wins, all recommendations and step-by-step fixes — perfect to show, archive or pass on to clients.

✓ PDF download ✓ Scan history ✓ Domain monitoring ✓ E-mail alerts ✓ Re-scan diff

Terms in this report

Understand what we found — the key concepts behind the findings, briefly explained.

SSL & TLS

SSL/TLS explained ssl

How SSL/TLS certificates work, how the handshake unfolds and what to watch for when checking — explained in plain English.

HSTS explained hsts

HSTS (Strict-Transport-Security) forces browsers permanently to HTTPS. Learn how the header is built, what includeSubDomains and p…

CAA record explained caa-record

CAA records define which certificate authorities are allowed to issue SSL certificates for your domain. Protection against mis-iss…

DNS

DNSSEC explained dnssec

DNSSEC protects DNS answers cryptographically against tampering and cache poisoning. Structure, key hierarchy (KSK/ZSK) and how to…

Email

DMARC explained dmarc

DMARC protects your domain from e-mail spoofing. Learn how the record is structured, what p=none/quarantine/reject mean and how to…

SPF explained spf

SPF (Sender Policy Framework) prevents foreign servers from sending e-mails under your domain name. Structure, mechanisms and best…

DKIM explained dkim

DKIM signs your outgoing e-mails cryptographically — the recipient can reliably verify a mail came from you. Structure, selectors …

HTTP headers

CSP explained csp

The Content-Security-Policy is the most important browser-side defence against XSS. Learn how a CSP is structured and how to roll …

X-Frame-Options explained x-frame-options

X-Frame-Options prevents clickjacking by controlling whether your site can be embedded in an iframe. Values DENY, SAMEORIGIN and t…

Referrer-Policy explained referrer-policy

The Referrer-Policy controls which information is sent when users click external links. Values, privacy implications and safe defa…

Permissions-Policy explained permissions-policy

The Permissions-Policy selectively disables browser features like geolocation, microphone, camera and FLoC. Structure, all directi…

MIME sniffing & X-Content-Type-Options explained mime-sniffing

X-Content-Type-Options: nosniff prevents browsers from guessing the MIME type of files. Protection against cross-site-scripting an…

Frontend & APIs

Subresource Integrity explained subresource-integrity

SRI protects external JavaScript and CSS files against tampering on the CDN. Hash-based integrity verification in the browser — ex…

CORS explained cors

Cross-Origin Resource Sharing controls which foreign sites may call your APIs. Same-Origin policy, preflight requests and the key …

Cookie flags explained cookie-flags

Secure, HttpOnly and SameSite — the three most important cookie flags and what they do. How to harden sessions against XSS, MITM a…

→ All 15 glossary articles

Heads up — sensitive findings in this scan

https://audi.de

Unlock full view + PDF report

Sensitive reconnaissance findings

Site preview

Quick Wins — biggest impact

Scan categories

Vulnerabilities found

Terms in this report

SSL & TLS

DNS

Email

HTTP headers

Frontend & APIs