Diagnostics

Metrics

http

https

A CAA record was discovered. A CAA record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.

CAA Record

DNS SaaS Service Detection

Setting the XSS-Protection header is deprecated. Setting the header to anything other than `0` can actually introduce an XSS vulnerability.

XSS-Protection Header - Cross-Site Scripting

Wappalyzer Technology Detection

This template searches for missing HTTP security headers. The impact of these missing headers can vary.


HTTP Missing Security Headers

Checks if external script and stylesheet tags in the HTML response are missing the Subresource Integrity (SRI) attribute.


Missing Subresource Integrity

TLS version detection is a security process used to determine the version of the Transport Layer Security (TLS) protocol used by a computer or server.
It is important to detect the TLS version in order to ensure secure communication between two computers or servers.


TLS Version - Detect

Extract the issuer's organization from the target's certificate. Issuers are entities which sign and distribute certificates.


Detect SSL Certificate Issuer

Extract the Subject Alternative Name (SAN) from the target's certificate. SAN facilitates the usage of additional hostnames with the same certificate.


SSL DNS Names

bln_challengejs

default-src 'self' sante.fr *.sante.fr *.gouv.fr *.dmcdn.net *.synapse-medicine.com *.twitter.com *.twimg.com *.data.gouv *.rogervoice.com *.googleapis.com *.mapbox.com *.cloudflareinsights.com *.cloudflare.com googletagmanager.com *.googletagmanager.com api-adresse.data.gouv.fr *.google.com vitemadose.gitlab.io *.dailymotion.com *.youtube.com *.soundcloud.com *.c-napps.com gstatic.com *.gstatic.com *.adform.net *.facebook.net *.facebook.com *.snapchat.com *.criteo.com unpkg.com *.fontawesome.com *.newrelic.com *.linkedin.com *.licdn.com *.atlasante.fr bam.eu01.nr-data.net; script-src 'self' sante.fr *.sante.fr *.gouv.fr *.dmcdn.net *.synapse-medicine.com *.twitter.com *.twimg.com *.data.gouv *.rogervoice.com *.googleapis.com *.mapbox.com *.cloudflareinsights.com *.cloudflare.com googletagmanager.com *.googletagmanager.com api-adresse.data.gouv.fr *.google.com vitemadose.gitlab.io *.dailymotion.com *.youtube.com *.soundcloud.com *.c-napps.com gstatic.com *.gstatic.com *.adform.net *.facebook.net *.snapchat.com sc-static.net secure.adnxs.com ads-engagement.presage.io *.criteo.com unpkg.com *.fontawesome.com *.newrelic.com *.linkedin.com *.licdn.com *.atlasante.fr *.ckeditor.com bam.eu01.nr-data.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' sante.fr *.sante.fr *.gouv.fr *.dmcdn.net *.synapse-medicine.com *.twitter.com *.twimg.com *.data.gouv *.rogervoice.com *.googleapis.com *.mapbox.com *.cloudflareinsights.com *.cloudflare.com googletagmanager.com *.googletagmanager.com api-adresse.data.gouv.fr *.google.com vitemadose.gitlab.io *.dailymotion.com *.youtube.com *.soundcloud.com *.c-napps.com gstatic.com *.gstatic.com *.adform.net *.facebook.net unpkg.com *.fontawesome.com *.newrelic.com *.linkedin.com *.licdn.com *.atlasante.fr bam.eu01.nr-data.net 'unsafe-inline'; img-src * data:; media-src *; frame-src *; frame-ancestors *; child-src *; font-src * data:; report-uri /report-csp-violation

HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.

severity	service	vulnerability
info	http (port:80)
info	https (port:443)

Impact	Description	Documentation
-25	Content Security Policy (CSP) header not implemented	Implement one, see MDN's Content Security Policy (CSP) documentation.

risk	name
Medium (High)	Content Security Policy (CSP) Header Not Set
Medium (High)	Sub Resource Integrity Attribute Missing
Low (Medium)	Insufficient Site Isolation Against Spectre Vulnerability
Low (Medium)	Permissions Policy Header Not Set
Informational (High)	Sec-Fetch-Dest Header is Missing
Informational (High)	Sec-Fetch-Mode Header is Missing
Informational (High)	Sec-Fetch-Site Header is Missing
Informational (High)	Sec-Fetch-User Header is Missing
Informational (Medium)	Base64 Disclosure
Informational (Medium)	Modern Web Application
Informational (Medium)	Storable and Cacheable Content
Informational (Medium)	Storable but Non-Cacheable Content
Informational (Low)	Re-examine Cache-control Directives

https://sas.sante.fr

Nmap

Mozilla HTTP observatory

SSL

Expiration : 02/06/2025

Scan OWASP6 jours

Nuclei6 jours

Séverité	Name	Matcher
info	CAA Record	caa-fingerprint
info	DNS SaaS Service Detection	dns-saas-service-detection
info	XSS-Protection Header - Cross-Site Scripting	xss-deprecated-header
info	Wappalyzer Technology Detection	google-font-api
info	HTTP Missing Security Headers	x-permitted-cross-domain-policies
info	HTTP Missing Security Headers	clear-site-data
info	HTTP Missing Security Headers	cross-origin-embedder-policy
info	HTTP Missing Security Headers	cross-origin-opener-policy
info	HTTP Missing Security Headers	cross-origin-resource-policy
info	HTTP Missing Security Headers	content-security-policy
info	HTTP Missing Security Headers	permissions-policy
info	Missing Subresource Integrity	missing-sri
info	TLS Version - Detect	tls-version
info	Detect SSL Certificate Issuer	ssl-issuer
info	SSL DNS Names	ssl-dns-names
info	TLS Version - Detect	tls-version