Audit report 11:33:13 Akamaighost

mobile.de

Analyse abgeschlossen. 5 Schwachstellen gefunden · Score 57/100.

D 57/100

Security

65 /100

GDPR

Full view · free

Unlock 1 masked finding

1 e-mails · clean PDF report · history

Unlock for free

Unlock for free · 30 sec

Sensitive reconnaissance findings

Recon · OSINT 🔒 masked

This section contains sensitive findings (e-mails found, sensitive paths, server versions). For visitors without an account, actual values are masked — only count and status are shown. → Sign in for full view

robots.txt — not present

sitemap.xml — not present

.git directory ✓ protected

Server disclosure ✓ hidden

Sensitive files ✓ none of the 13 checked files reachable

Unprotected e-mail addresses ⚠ 1 visible to spam bots

se●●●@●●●.de

🔒 1 e-mails readable by spam bots — sign up for free for the full list

Site preview

click to open

Open site

Screenshot is being captured in the background …

⚡

Quick Wins — biggest impact

These 3 changes raise your score the most.

+30 points

57 → 87

1

Content-Security-Policy missing i CSP Content-Security-Policy: defines which sources may load scripts, images and styles. The most effective defence against Cross-Site-Scripting (XSS) — attackers can no longer inject foreign code.
+10 ⏱ 30 Minuten · mittel

No CSP – high XSS risk.
2

Insecure cookies i Unsichere Cookies Session cookies need three flags: Secure (only sent over HTTPS), HttpOnly (no JavaScript access — protection against XSS theft) and SameSite (protection against CSRF attacks).
+10 ⏱ 15 Minuten · mittel

Cookies without Secure/HttpOnly/SameSite flags can be stolen. bm_s: SameSite fehlt; bm_so: HttpOnly, SameSite fehlt
3

Strict-Transport-Security missing i HSTS Strict-Transport-Security: HTTP header that forces the browser to always load the site over HTTPS. Without HSTS, an attacker can redirect the first request to plain HTTP and intercept data.
+10 ⏱ 5 Minuten · leicht

HSTS is missing – the connection can be downgraded to HTTP.

+ 2 more vulnerabilities — see the list below

Scan categories

SSL & HTTPS

Passed ✓

HTTP headers

Issues ✗

DNS & infrastructure

Passed ✓

E-mail protection

Passed ✓

Open ports

Passed ✓

GDPR

Issues ✗

Vulnerabilities found

2 critical 2 medium 1 low

High

Content-Security-Policy missing

No CSP – high XSS risk.

High

Insecure cookies

Cookies without Secure/HttpOnly/SameSite flags can be stolen. <code>bm_s</code>: SameSite fehlt; <code>bm_so</code>: HttpOnly, SameSite fehlt

Medium

Strict-Transport-Security missing

HSTS is missing – the connection can be downgraded to HTTP.

Medium

X-Content-Type-Options missing

Missing – browsers could misinterpret file types.

+ 4 more vulnerabilities locked

Including action items & fixes — unlock for free

Save this report as PDF

With a free account: full PDF report with screenshot, Quick Wins, all recommendations and step-by-step fixes — perfect to show, archive or pass on to clients.

✓ PDF download ✓ Scan history ✓ Domain monitoring ✓ E-mail alerts ✓ Re-scan diff

Terms in this report

Understand what we found — the key concepts behind the findings, briefly explained.

SSL & TLS

SSL/TLS explained ssl

How SSL/TLS certificates work, how the handshake unfolds and what to watch for when checking — explained in plain English.

HSTS explained hsts

HSTS (Strict-Transport-Security) forces browsers permanently to HTTPS. Learn how the header is built, what includeSubDomains and p…

CAA record explained caa-record

CAA records define which certificate authorities are allowed to issue SSL certificates for your domain. Protection against mis-iss…

DNS

DNSSEC explained dnssec

DNSSEC protects DNS answers cryptographically against tampering and cache poisoning. Structure, key hierarchy (KSK/ZSK) and how to…

Email

DMARC explained dmarc

DMARC protects your domain from e-mail spoofing. Learn how the record is structured, what p=none/quarantine/reject mean and how to…

SPF explained spf

SPF (Sender Policy Framework) prevents foreign servers from sending e-mails under your domain name. Structure, mechanisms and best…

DKIM explained dkim

DKIM signs your outgoing e-mails cryptographically — the recipient can reliably verify a mail came from you. Structure, selectors …

HTTP headers

CSP explained csp

The Content-Security-Policy is the most important browser-side defence against XSS. Learn how a CSP is structured and how to roll …

X-Frame-Options explained x-frame-options

X-Frame-Options prevents clickjacking by controlling whether your site can be embedded in an iframe. Values DENY, SAMEORIGIN and t…

Referrer-Policy explained referrer-policy

The Referrer-Policy controls which information is sent when users click external links. Values, privacy implications and safe defa…

Permissions-Policy explained permissions-policy

The Permissions-Policy selectively disables browser features like geolocation, microphone, camera and FLoC. Structure, all directi…

MIME sniffing & X-Content-Type-Options explained mime-sniffing

X-Content-Type-Options: nosniff prevents browsers from guessing the MIME type of files. Protection against cross-site-scripting an…

Frontend & APIs

Subresource Integrity explained subresource-integrity

SRI protects external JavaScript and CSS files against tampering on the CDN. Hash-based integrity verification in the browser — ex…

CORS explained cors

Cross-Origin Resource Sharing controls which foreign sites may call your APIs. Same-Origin policy, preflight requests and the key …

Cookie flags explained cookie-flags

Secure, HttpOnly and SameSite — the three most important cookie flags and what they do. How to harden sessions against XSS, MITM a…

→ All 15 glossary articles

Heads up — sensitive findings in this scan

https://mobile.de

Unlock 1 masked finding

Sensitive reconnaissance findings

Site preview

Quick Wins — biggest impact

Scan categories

Vulnerabilities found

Terms in this report

SSL & TLS

DNS

Email

HTTP headers

Frontend & APIs