Fix guides

How to fix common security issues

Practical, vendor-neutral remediation for the issues our engine flags — each mapped to the compliance frameworks it touches.

Severity: Medium | Frameworks: KVKK, GDPR, ISO 27001

Set up SPF, DKIM and DMARC to stop email spoofing

Without SPF, DKIM and an enforcing DMARC policy, anyone can send email that appears to come from your domain.

Severity: Medium | Frameworks: GDPR, ISO 27001, NIST CSF

Add the HTTP security headers every site should send

HSTS, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options are cheap, high-impact defences that most sites omit.

Severity: High | Frameworks: GDPR, ISO 27001, CIS Controls

Fix TLS: valid certificate and modern protocols only

Your certificate must be valid and current, and the server should negotiate only TLS 1.2+ — never SSLv3, TLS 1.0 or 1.1.

Severity: Critical | Frameworks: KVKK, GDPR, ISO 27001

Remove exposed .git, .env and backup files

A reachable .git directory, .env file, or database backup hands attackers your source code, credentials and secrets.

Severity: Low | Frameworks: ISO 27001, CIS Controls

Disable directory listing

When a directory has no index file, some servers list its contents — exposing files you never meant to publish.

Severity: Info | Frameworks: ISO 27001, NIST CSF

Publish a security.txt (RFC 9116)

A security.txt file tells researchers how to report a vulnerability to you responsibly.

Severity: Medium | Frameworks: GDPR, ISO 27001

Set Secure, HttpOnly and SameSite on cookies

Session cookies must carry the Secure, HttpOnly and SameSite attributes to resist theft and cross-site attacks.

Severity: High | Frameworks: ISO 27001, CIS Controls, NIST CSF

Close exposed ports and admin services

Databases, caches and admin panels (3306, 6379, 27017, SSH) should never be reachable from the public internet.

Severity: High | Frameworks: GDPR, ISO 27001, CIS Controls

Patch known CVEs and disable risky HTTP methods

Running software with published CVEs, or leaving methods like TRACE enabled, gives attackers a ready-made exploit.

Severity: Low | Frameworks: ISO 27001, CIS Controls

Stop leaking software versions in headers and errors

Server, X-Powered-By and framework debug banners tell attackers exactly what you run and which exploits to try.

Severity: Low | Frameworks: ISO 27001, NIST CSF

Harden your DNS: add a CAA record and remove dangling records

A CAA record limits who can issue certificates for your domain, and stale records invite subdomain takeover.

Severity: Info | Frameworks: ISO 27001, CIS Controls

Know and shrink your subdomain attack surface

Every subdomain is another way in. Forgotten staging, admin and legacy hosts are a favourite attacker foothold.

Severity: Info | Frameworks: KVKK, GDPR

Protect registrant data and renew on time

Exposed registrant details fuel targeted phishing, and a lapsed domain can be hijacked outright.

Severity: Medium | Frameworks: ISO 27001, CIS Controls

Harden your CMS (WordPress and friends)

Enumerable users, exposed admin paths and outdated plugins make a CMS the most-attacked part of most sites.

See where your domain stands

Prove ownership and run a scan to get a graded, verifiable report of exactly what to fix.