Sample Reports

See what you get with each report tier. All reports include actionable findings to improve your security posture.

BASIC REPORT

Security Scan Report

Target: https://example-store.com • Scanned: Jan 15, 2026

Security Grade

Critical

High

Medium

Low

Info

Findings

SQL Injection in Search Parameter CRITICAL

Application Code

Missing Content-Security-Policy Header HIGH

Web Server / Load Balancer

Missing Strict-Transport-Security (HSTS) HIGH

Web Server / Load Balancer

Cross-Site Scripting (XSS) in Comment Field HIGH

Application Code

Missing X-Content-Type-Options Header MEDIUM

Web Server / Load Balancer

Cookie Missing HttpOnly Flag MEDIUM

Application Code / Web Server Config

Missing Referrer-Policy Header MEDIUM

Web Server / Load Balancer

Domain Expires in 67 Days LOW

Domain Registrar

Checks Passed (8)

SSL/TLS Configuration

HTTPS is properly configured with a valid certificate and HTTP-to-HTTPS redirect.

Cookie Security

All cookies have proper security flags (HttpOnly, Secure, SameSite).

HTTP Methods

No dangerous HTTP methods (TRACE, PUT, DELETE) are enabled on the server.

Directory Listing

Directory listing is properly disabled on all common directories.

UI & Accessibility

Viewport, page title, heading structure, alt text, form labels, favicon, and social tags all look good.

Image Optimization

All images are properly sized, have dimensions set, and use lazy loading.

Page Performance

Server responds quickly (TTFB < 800 ms), compression is enabled, and page downloads fast.

Common Misconfigurations

No exposed sensitive files, CORS is properly configured, and no dangerous paths found.

+ 8 more findings • Upgrade to Pro for full details and recommendations

Get your free Basic Report now

Scan Your Site Free

ENTERPRISE REPORT

Comprehensive Security Assessment

Target: https://example-store.com • Scanned: Jan 15, 2026 • Duration: 12m 18s

Security Grade

Critical

High

Medium

Low

Info

Pages Scanned

Forms Tested

105

Inputs Tested

524

Requests Made

Executive Summary

The security assessment of example-store.com identified 1 critical and 5 high-severity vulnerabilities requiring immediate attention. The most pressing issue is an SQL injection vulnerability in the product search functionality that could allow unauthorized database access.

The application lacks several important security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options), leaving it exposed to common web attacks including XSS and clickjacking. An open redirect vulnerability in the login flow creates phishing risk. Session management has weaknesses including cookies without HttpOnly and Secure flags. CORS is misconfigured with wildcard origins, and server version headers are exposed.

Recommended priority: Address the SQL injection and open redirect immediately, then implement security headers, fix CORS and cookie configuration, and suppress server version disclosure. These changes would elevate the security grade from C to an estimated A-.

Severity Distribution

Findings by Category

Security Score Trend

Issue count and security grade over the last 6 scans

40% fewer issues compared to first scan (Aug 2025)

OWASP Top 10 Coverage

How many issues map to each OWASP Top 10 category

Priority Action Items

P1 - NOW

Fix SQL Injection in /products search

Replace string concatenation with parameterized queries. Estimated effort: 2-4 hours.

Application Code — Backend query/repository layer

P2 - THIS WEEK

Fix Stored XSS in review comments

Implement server-side input sanitization and output encoding. Estimated effort: 3-5 hours.

Application Code — Controller & template layer

P2 - THIS WEEK

Add security headers (CSP, HSTS, X-Content-Type-Options)

Configure in web server or application middleware. Estimated effort: 1-2 hours.

Web Server / Load Balancer — Nginx, Apache, or CDN config

P2 - THIS WEEK

Fix Open Redirect in login return URL

Validate returnTo parameter against whitelist of allowed domains. Estimated effort: 1-2 hours.

Application Code — Auth controller redirect logic

P3 - THIS MONTH

Fix cookie security flags

Add HttpOnly, Secure, and SameSite attributes to all session cookies. Estimated effort: 1 hour.

Application Code / Web Server Config — Session configuration

P3 - THIS MONTH

Restrict CORS to trusted origins & add X-Frame-Options

Replace wildcard CORS with domain whitelist, add clickjacking protection. Estimated effort: 1-2 hours.

Web Server / Application Code — CORS config & response headers

P4 - BACKLOG

Suppress server version headers & add SRI to CDN scripts

Hide nginx/express version info and add integrity hashes to external scripts. Estimated effort: 30 min.

Web Server Config / Application Code — server_tokens & script tags

Compliance Mapping

Finding	Where to Fix	OWASP Top 10	PCI DSS	SOC 2	GDPR
SQL Injection	App Code	A03:2021	6.5.1	CC6.1	Art. 32
Stored XSS	App Code	A03:2021	6.5.7	CC6.1	Art. 32
Missing CSP Header	Web Server	A05:2021	6.5.10	CC6.6	-
Missing HSTS	Web Server	A05:2021	4.1	CC6.7	Art. 32
Open Redirect	App Code	A01:2021	6.5.10	CC6.1	-
Clickjacking (X-Frame-Options)	Web Server	A05:2021	6.5.10	CC6.6	-
CORS Wildcard	App Code	A05:2021	6.5.10	CC6.1	Art. 32
Server Version Disclosure	Web Server	A05:2021	-	CC6.6	-

Detailed Findings

CRITICAL SQL Injection in Search Parameter

The search parameter on /products is vulnerable to SQL injection. User input is concatenated directly into the SQL query without parameterization, allowing attackers to extract or modify database contents.

Evidence

GET /products?search=' OR 1=1 -- returned 200 with all products

Affected URLs

/products, /api/search, /catalog

Where to Fix

Application Code Fix in your backend query/repository layer (e.g., ProductRepository.java, SearchService.java). Replace string concatenation with parameterized queries or use your ORM's built-in query builder.

Use parameterized queries or an ORM. Never concatenate user input into SQL strings.

OWASP A03:2021 PCI DSS 6.5.1 CWE-89

HIGH Cross-Site Scripting (XSS) in Comment Field

The comment field on the product review page does not sanitize user input. A stored XSS payload persists and executes for every user viewing the page, enabling session hijacking and data theft.

Evidence

Payload <script>alert(1)</script> stored and executed on /products/42/reviews

Where to Fix

Application Code Fix in your controller or template rendering layer (e.g., ReviewController.java, review-template.html). Sanitize input on save and encode output on render.

Sanitize all user input on the server side and encode output. Implement a Content-Security-Policy header.

OWASP A03:2021 PCI DSS 6.5.7 CWE-79

HIGH Open Redirect in Login Return URL

The returnTo parameter on /login accepts arbitrary external URLs without validation. An attacker can craft a link that redirects authenticated users to a phishing site that mimics the application, stealing credentials or session tokens.

Evidence

GET /login?returnTo=https://evil-site.com → 302 redirect to https://evil-site.com after successful authentication

Affected URLs

/login, /oauth/callback, /auth/return

Where to Fix

Application Code Fix in your authentication controller (e.g., AuthController.java, LoginHandler). Validate the returnTo parameter against a whitelist of allowed domains or restrict to relative paths only.

Only allow redirects to relative paths or whitelisted domains. Parse the URL and reject any external host.

OWASP A01:2021 PCI DSS 6.5.10 CWE-601

MEDIUM Missing X-Frame-Options Header (Clickjacking)

Neither X-Frame-Options nor CSP frame-ancestors directive is set. The entire application can be embedded in an iframe on any domain, enabling clickjacking attacks where users are tricked into performing unintended actions (e.g., clicking "Delete Account" or "Transfer Funds" hidden beneath an overlay).

Evidence

No X-Frame-Options or frame-ancestors header on any of the 56 pages scanned

Where to Fix

Web Server Config Load Balancer Add X-Frame-Options: DENY in Nginx (add_header), Apache (Header set), or your CDN/ALB response header rules.

Add X-Frame-Options: DENY or use CSP frame-ancestors 'none'. Use SAMEORIGIN if you need self-framing.

OWASP A05:2021 PCI DSS 6.5.10 CWE-1021

MEDIUM CORS Allows Wildcard Origin

Multiple API endpoints respond with Access-Control-Allow-Origin: *. Any website can make cross-origin requests to your API and read the responses. If combined with Access-Control-Allow-Credentials: true, authenticated user data can be exfiltrated by malicious sites.

Evidence

Access-Control-Allow-Origin: * found on /api/user/profile, /api/orders, /api/cart

Affected URLs

/api/user/profile, /api/orders, /api/cart, /api/wishlist

Where to Fix

Application Code Web Server Config Update your CORS configuration (e.g., WebMvcConfigurer, cors middleware, or Nginx headers) to whitelist specific trusted origins instead of using *.

Replace * with an explicit whitelist of allowed origins. Never combine wildcard with credentials.

OWASP A05:2021 PCI DSS 6.5.10 CWE-942

LOW Server Version Disclosure in Response Headers

The Server and X-Powered-By response headers reveal the web server software and version. Attackers use this information to search for known CVEs and exploits targeting specific versions, reducing the effort needed for a successful attack.

Evidence

Server: nginx/1.24.0 • X-Powered-By: Express 4.18.2

Where to Fix

Web Server Config In Nginx: set server_tokens off;. In Apache: set ServerTokens Prod. In Express: use app.disable('x-powered-by') or Helmet middleware.

Suppress version info in all server headers. Use server_tokens off in Nginx and remove X-Powered-By entirely.

OWASP A05:2021 CWE-200

MEDIUM Domain Expires in 28 Days

The domain example-store.com expires on Feb 12, 2026. It's recommended to renew at least 30 days before expiration to avoid any risk of losing the domain. An expired domain can be registered by anyone, potentially hijacking your website, email, and brand.

Evidence

Expiration date: Feb 12, 2026 (28 days remaining) • Source: RDAP/WHOIS

Where to Fix

Domain Registrar Log in to your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.) and renew the domain or enable auto-renewal.

Renew the domain soon and enable auto-renewal to avoid disruption. Consider registering for multiple years to prevent future scares.

Business Continuity Domain Security

+ 19 more findings in full report

Checks Passed (5)

SSL/TLS Configuration

HTTPS is properly configured with a valid certificate and HTTP-to-HTTPS redirect.

HTTP Methods

No dangerous HTTP methods (TRACE, PUT, DELETE) are enabled on the server.

Directory Listing

Directory listing is properly disabled on all common directories.

Image Optimization

All images are properly sized, have dimensions set, and use lazy loading.

Page Performance

Server responds quickly (TTFB < 800 ms), compression is enabled, and page downloads fast.

Enterprise Reports — contact us for pricing