| Severity | Check | Finding | OWASP Top 10 (2021) | Description | Recommendation |
|---|---|---|---|---|---|
| HIGH | security-headers | Missing Content-Security-Policy header | A05:2021 - Security Misconfiguration | The response does not define a Content-Security-Policy header. | Set a strict Content-Security-Policy header. |
| MEDIUM | auth-cookies | Cookie 'sessionid' missing SameSite | A07:2021 - Identification and Authentication Failures | The session cookie is missing the SameSite attribute. | Set SameSite=Lax or SameSite=Strict for session cookies. |
| MEDIUM | security-txt | Missing /.well-known/security.txt | A09:2021 - Security Logging and Monitoring Failures | No RFC 9116 security.txt file was found. | Publish a security.txt file under /.well-known/security.txt. |
| LOW | directory-listing | Auto-generated index page exposed | A05:2021 - Security Misconfiguration | A directory listing appears to be enabled for a web path. | Disable directory indexes for public paths. |
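The four checks above can be reproduced offline against captured responses. The following is an added example, not code from the scanner that produced the table: it implements each check as a function over a small `Response` structure, runs them against a constructed weak response set that triggers all four findings, and against a hardened set that triggers none. The `Response` and `Finding` types, the cookie name `sessionid`, and the `<title>Index of /` heuristic for directory listings are assumptions of this example; the severities, check ids, titles and OWASP mappings are copied from the table.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import List, Tuple


@dataclass
class Response:
    """Minimal HTTP response model (assumed for this example, not a library type)."""
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)  # repeated names allowed
    body: str = ""

    def get_all(self, name: str) -> List[str]:
        # Header names are case-insensitive (RFC 9110); Set-Cookie may repeat.
        return [v for k, v in self.headers if k.lower() == name.lower()]


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    title: str
    owasp: str


def check_csp(resp: Response) -> List[Finding]:
    # Only an enforcing policy counts: Content-Security-Policy-Report-Only
    # has a different header name and blocks nothing, so it is not matched here.
    if not any(v.strip() for v in resp.get_all("Content-Security-Policy")):
        return [Finding("HIGH", "security-headers",
                        "Missing Content-Security-Policy header",
                        "A05:2021 - Security Misconfiguration")]
    return []


def check_session_cookie(resp: Response, cookie_name: str = "sessionid") -> List[Finding]:
    findings = []
    for raw in resp.get_all("Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)                      # parses attributes such as Secure, HttpOnly, SameSite
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue
        if not morsel["samesite"]:         # "" when the attribute is absent
            findings.append(Finding("MEDIUM", "auth-cookies",
                                    f"Cookie '{cookie_name}' missing SameSite",
                                    "A07:2021 - Identification and Authentication Failures"))
    return findings


def check_security_txt(resp: Response) -> List[Finding]:
    # RFC 9116 places the file at /.well-known/security.txt; anything but 200 counts as missing.
    if resp.status != 200 or not resp.body.strip():
        return [Finding("MEDIUM", "security-txt",
                        "Missing /.well-known/security.txt",
                        "A09:2021 - Security Logging and Monitoring Failures")]
    return []


def check_directory_listing(resp: Response) -> List[Finding]:
    # Heuristic (assumption): stock Apache/nginx autoindex pages title themselves "Index of /...".
    if resp.status == 200 and "<title>Index of /" in resp.body:
        return [Finding("LOW", "directory-listing",
                        "Auto-generated index page exposed",
                        "A05:2021 - Security Misconfiguration")]
    return []


def audit(page: Response, security_txt: Response, listing_candidate: Response) -> List[Finding]:
    """Run all four checks; `page` is the main response, the others are the probed paths."""
    return (check_csp(page) + check_session_cookie(page)
            + check_security_txt(security_txt) + check_directory_listing(listing_candidate))


# Constructed sample responses (not captured from any real host).
WEAK_PAGE = Response(200, [("Content-Type", "text/html"),
                           ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure")],
                     "<html><body>app</body></html>")
WEAK_SECURITY_TXT = Response(404, [("Content-Type", "text/html")], "Not Found")
WEAK_LISTING = Response(200, [("Content-Type", "text/html")],
                        "<html><head><title>Index of /static/</title></head></html>")

# Hardened equivalents applying each recommendation from the table.
HARD_PAGE = Response(200, [("Content-Security-Policy",
                            "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'"),
                           ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")],
                     "<html><body>app</body></html>")
HARD_SECURITY_TXT = Response(200, [("Content-Type", "text/plain")],
                             "Contact: mailto:security@example.com\nExpires: 2026-01-01T00:00:00z\n")
HARD_LISTING = Response(403, [("Content-Type", "text/html")], "Forbidden")

if __name__ == "__main__":
    for f in audit(WEAK_PAGE, WEAK_SECURITY_TXT, WEAK_LISTING):
        print(f"{f.severity:6} {f.check:18} {f.title}")
    print("hardened findings:", audit(HARD_PAGE, HARD_SECURITY_TXT, HARD_LISTING))
```

The cookie check deliberately treats `SameSite=None` as present rather than missing, matching the finding's wording; a separate check would be needed to flag cross-site session cookies as a design decision. The directory-listing heuristic is title-based and will miss custom index templates, so a negative result there is weaker evidence than the other three checks.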