Website Vulnerabilities — Complete Reference
A comprehensive, plain-English reference for every type of website security vulnerability our scanners detect. Each entry explains what the vulnerability is, why it matters to your business, and exactly how to fix it.
HTTP Headers (6)
Missing HSTS Header
highThe HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing Content-Security-Policy Header
highNo Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Missing X-Frame-Options Header (Clickjacking)
mediumThe X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Insecure Cookie Configuration
highSession cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.
CORS Misconfiguration
highThe server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.
Mixed Content (HTTP resources on HTTPS page)
mediumThe HTTPS page loads resources (scripts, images, stylesheets) over HTTP, breaking the integrity of HTTPS.
SSL/TLS (2)
Weak TLS Cipher Suite
highThe server negotiates weak TLS cipher suites (RC4, 3DES, CBC, NULL, EXPORT) that are vulnerable to known attacks.
Expired SSL Certificate
criticalThe SSL certificate has expired. Browsers show a "Not Secure" warning and may block access to the site.
Infrastructure (2)
Exposed Service Port
criticalA sensitive service port (MySQL, Redis, RDP, SSH, MongoDB) is exposed to the public internet.
No Web Application Firewall (WAF)
mediumNo Web Application Firewall is detected, leaving the site exposed to SQL injection, XSS, and bot attacks.
Information Disclosure (2)
Exposed .git Directory
criticalThe .git directory is publicly accessible, allowing attackers to download your entire source code repository.
Server Version Disclosure
lowThe Server and X-Powered-By headers disclose the server software and version, helping attackers target known vulnerabilities.
Technology (2)
Outdated CMS Version
highThe CMS (WordPress, Joomla, Drupal) is running an outdated version with known security vulnerabilities.
Vulnerable JavaScript Library
mediumThe site uses an outdated JavaScript library (jQuery, Lodash, Bootstrap, Angular) with known vulnerabilities.
Web Vulnerabilities (2)
Open Redirect Vulnerability
mediumThe site has an open redirect — a parameter that redirects to any URL, allowing phishing campaigns that appear to come from your domain.
Dangerous HTTP Methods Enabled
highThe server allows dangerous HTTP methods (PUT, DELETE, TRACE, CONNECT, WebDAV) that can be abused for file upload, deletion, or cross-site tracing.
Want to check if your site has any of these vulnerabilities?
Run a free scan with 2MNY Security — 27 scanners check for all of these and more.
Start Free Scan