Diagnostics

Metrics

http

A CAA record was discovered. A CAA record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.

CAA Record

This template searches for missing HTTP security headers. The impact of these missing headers can vary.


HTTP Missing Security Headers

WAF Detection

Extract the issuer's organization from the target's certificate. Issuers are entities which sign and distribute certificates.


Detect SSL Certificate Issuer

Extract the Subject Alternative Name (SAN) from the target's certificate. SAN facilitates the usage of additional hostnames with the same certificate.


SSL DNS Names

TLS version detection is a security process used to determine the version of the Transport Layer Security (TLS) protocol used by a computer or server.
It is important to detect the TLS version in order to ensure secure communication between two computers or servers.


TLS Version - Detect

Apache is a free and open-source cross-platform web server software.

Apache HTTP Server

jQuery is a JavaScript library which is a free, open-source software designed to simplify HTML DOM tree traversal and manipulation, as well as event handling, CSS animation, and Ajax.

jQuery

Content Security Policy (CSP) Header Not Set

Multiple X-Frame-Options Header Entries

Vulnerable JS Library

CSP: X-WebKit-CSP

Insufficient Site Isolation Against Spectre Vulnerability

Permissions Policy Header Not Set

Strict-Transport-Security Header Not Set

Base64 Disclosure

Information Disclosure - Suspicious Comments

Modern Web Application

Non-Storable Content

Obsolete Content Security Policy (CSP) Header Found

Re-examine Cache-control Directives

Sec-Fetch-Dest Header is Missing

Sec-Fetch-Mode Header is Missing

Sec-Fetch-Site Header is Missing

Sec-Fetch-User Header is Missing

Storable and Cacheable Content

severity	service	vulnerability
info	http (port:80)
info	http (port:443)

Impact	Description	Documentation
-25	Content Security Policy (CSP) header not implemented	Implement one, see MDN's Content Security Policy (CSP) documentation.
-20	Does not redirect to an HTTPS site.	Documentation for redirection-to-https
-20	`Strict-Transport-Security` header not implemented.	Add HSTS. Consider rolling out with shorter periods first (as suggested on https://hstspreload.org/).
-20	`X-Frame-Options` (XFO) header cannot be recognized.	Documentation for x-frame-options-sameorigin-or-deny

Séverité	Name	Matcher
info	CAA Record	caa-fingerprint
info	HTTP Missing Security Headers	strict-transport-security
info	HTTP Missing Security Headers	content-security-policy
info	HTTP Missing Security Headers	permissions-policy
info	HTTP Missing Security Headers	referrer-policy
info	HTTP Missing Security Headers	clear-site-data
info	HTTP Missing Security Headers	cross-origin-embedder-policy
info	HTTP Missing Security Headers	cross-origin-opener-policy
info	HTTP Missing Security Headers	cross-origin-resource-policy
info	WAF Detection	apachegeneric
info	Detect SSL Certificate Issuer	ssl-issuer
info	SSL DNS Names	ssl-dns-names
info	TLS Version - Detect	tls-version

https://tops.eservices.esante.gouv.fr

Nmap

Mozilla HTTP observatory

SSL

Grade capped to A. HSTS is not offered

Expiration : 26/08/2025

Scan OWASP7 jours

Nuclei14 jours

risk	name
Medium (High)	Content Security Policy (CSP) Header Not Set
Medium (Medium)	Multiple X-Frame-Options Header Entries
Medium (Medium)	Vulnerable JS Library
Low (High)	CSP: X-WebKit-CSP
Low (High)	Strict-Transport-Security Header Not Set
Low (Medium)	Insufficient Site Isolation Against Spectre Vulnerability
Low (Medium)	Permissions Policy Header Not Set
Informational (High)	Obsolete Content Security Policy (CSP) Header Found
Informational (High)	Sec-Fetch-Dest Header is Missing
Informational (High)	Sec-Fetch-Mode Header is Missing
Informational (High)	Sec-Fetch-Site Header is Missing
Informational (High)	Sec-Fetch-User Header is Missing
Informational (Medium)	Base64 Disclosure
Informational (Medium)	Modern Web Application
Informational (Medium)	Non-Storable Content
Informational (Medium)	Storable and Cacheable Content
Informational (Low)	Information Disclosure - Suspicious Comments
Informational (Low)	Re-examine Cache-control Directives