Practical, vendor-neutral remediation for the issues our engine flags — each mapped to the compliance frameworks it touches.
Without SPF, DKIM and an enforcing DMARC policy, anyone can send email that appears to come from your domain.
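A minimal check for the enforcement point above, written as an added example for this page rather than the scanner's own code: it parses an SPF record and a DMARC record (both constructed sample strings; a real check would fetch the TXT records for the domain and for its `_dmarc` subdomain over DNS) and reports whether each is actually enforcing, since `p=none` or `~all` only observes spoofing without blocking it.

```python
"""Decide whether SPF and DMARC records are in an enforcing state.

Added example, not the scanner's code. The record strings at the bottom are
constructed samples; swap in the real TXT records to use it.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(txt):
    """True only for a valid DMARC record whose policy is quarantine or reject.

    p=none is monitor-only: it produces reports but blocks nothing.
    pct below 100 applies the policy to a sample of mail only, so it is
    treated here as not fully enforcing.
    """
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return False
    try:
        return int(tags.get("pct", "100")) == 100
    except ValueError:
        return False


def spf_is_enforcing(txt):
    """True when the SPF record ends in a hard fail ('-all').

    '~all' (soft fail) and '?all' (neutral) let spoofed mail through with at
    most a spam-score penalty, and '+all' authorises every sender. This check
    assumes the 'all' mechanism is the last term, which is the usual layout;
    records that rely on a redirect= modifier instead are reported as not
    enforcing and need a manual look.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    return terms[-1].lower() == "-all"


# Constructed sample records for demonstration only.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example.net ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example.net -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("weak SPF", SAMPLE_SPF_WEAK), ("strong SPF", SAMPLE_SPF_STRONG)):
        print(f"{label}: enforcing={spf_is_enforcing(rec)}")
    for label, rec in (("monitor DMARC", SAMPLE_DMARC_MONITOR),
                       ("enforcing DMARC", SAMPLE_DMARC_ENFORCING)):
        print(f"{label}: enforcing={dmarc_is_enforcing(rec)}")
```

DKIM is deliberately left out: its selector records cannot be enumerated from the domain alone, so a scanner verifies it from a signed message rather than from DNS.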
HSTS, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options are cheap, high-impact defences that most sites omit.
Your certificate must be valid and current, and the server should negotiate only TLS 1.2+ — never SSLv3, TLS 1.0 or 1.1.
A reachable .git directory, .env file, or database backup hands attackers your source code, credentials and secrets.
When a directory has no index file, some servers list its contents — exposing files you never meant to publish.
A security.txt file tells researchers how to report a vulnerability to you responsibly.
Session cookies must carry the Secure, HttpOnly and SameSite attributes to resist theft and cross-site attacks.
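The header and cookie checks above are mechanical enough to show in code. The following is an added example, not the scanner's own implementation: it parses a constructed raw HTTP response, reports which of the four headers named above are absent (and whether HSTS carries a max-age of at least one year, the figure the HSTS preload list requires), and flags every Set-Cookie value that lacks Secure, HttpOnly or a Lax/Strict SameSite.

```python
"""Audit an HTTP response for security headers and cookie attributes.

Added example; SAMPLE_RESPONSE is constructed, and the checks are limited to
the headers and attributes discussed on this page.
"""

ONE_YEAR = 31536000  # seconds; the minimum max-age accepted for HSTS preload

# Header name -> finding reported when it is absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: browsers may still use plain HTTP",
    "content-security-policy": "Content-Security-Policy missing: no limit on script/resource origins",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def parse_response_headers(raw):
    """Split a raw HTTP response head into (name, value) pairs, names lowercased.

    A list is returned rather than a dict because Set-Cookie can repeat.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if missing/unparseable."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_security_headers(pairs):
    """Findings for absent headers plus a short-lived HSTS policy."""
    present = {name: value for name, value in pairs if name != "set-cookie"}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    hsts = present.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is below one year")
    return findings


def check_cookie(set_cookie):
    """Return the missing attributes for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        shown = samesite or "unset"
        findings.append(f"{name}: SameSite is {shown}; expected Lax or Strict")
    return findings


def audit_response(raw):
    """Combine header and cookie findings for one raw response."""
    pairs = parse_response_headers(raw)
    findings = check_security_headers(pairs)
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(check_cookie(value))
    return findings


# Constructed sample response: HSTS and nosniff set, CSP and X-Frame-Options
# absent, one well-formed cookie and one session cookie missing attributes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

The parser works on the raw response text so the same functions can be fed output captured from a proxy or a curl -i run; a SameSite=None cookie is reported too, since for a session cookie that is a deliberate cross-site allowance that should be reviewed rather than assumed.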
Databases, caches and admin panels (MySQL 3306, Redis 6379, MongoDB 27017, SSH) should never be reachable from the public internet.
Running software with published CVEs, or leaving methods like TRACE enabled, gives attackers a ready-made exploit.
Server, X-Powered-By and framework debug banners tell attackers exactly what you run and which exploits to try.
A CAA record limits which certificate authorities may issue certificates for your domain, and stale DNS records that still point at decommissioned services invite subdomain takeover.
Every subdomain is another way in. Forgotten staging, admin and legacy hosts are a favourite attacker foothold.
Exposed registrant details fuel targeted phishing, and a lapsed domain can be hijacked outright.
Enumerable users, exposed admin paths and outdated plugins make a CMS the most-attacked part of most sites.
Prove ownership and run a scan to get a graded, verifiable report of exactly what to fix.