A JSON document describing the results of an HTTP security scan of a website (cookies, XSS protection, and so on). If the website's HTTP response could not be checked, `null` is returned instead.
{ "tests_quantity": 11, "x-frame-options": { "expectation": "x-frame-options-sameorigin-or-deny", "name": "x-frame-options", "output": { "data": "deny" }, "pass": true, "result": "x-frame-options-sameorigin-or-deny", "score_description": "X-Frame-Options(XFO)headersettoSAMEORIGINorDENY", "score_modifier": 0, "id": 10 }, "contribute": { "expectation": "contribute-json-only-required-on-mozilla-properties", "name": "contribute", "output": {}, "pass": true, "result": "contribute-json-only-required-on-mozilla-properties", "score_description": "Contribute.jsonisn'trequiredonwebsitesthatdon'tbelongtoMozilla", "score_modifier": 0, "id": 2 }, "cross-origin-resource-sharing": { "expectation": "cross-origin-resource-sharing-not-implemented", "name": "cross-origin-resource-sharing", "output": { "data": {} }, "pass": true, "result": "cross-origin-resource-sharing-not-implemented", "score_description": "Contentisnotvisibleviacross-originresourcesharing(CORS)filesorheaders", "score_modifier": 0, "id": 4 }, "cookies": { "expectation": "cookies-secure-with-httponly-sessions", "name": "cookies", "output": { "data": { "MSPOK": { "domain": ".login.live.com", "httponly": true, "path": "/", "secure": "" }, "MSPRequ": { "domain": "login.live.com", "httponly": true, "path": "/", "secure": "" }, "uaid": { "domain": ".login.live.com", "httponly": true, "path": "/", "secure": "" } } }, "pass": false, "result": "cookies-without-secure-flag-but-protected-by-hsts", "score_description": "CookiessetwithoutusingtheSecureflag,buttransmissionoverHTTPpreventedbyHSTS", "score_modifier": -5, "id": 3 }, "strict-transport-security": { "expectation": "hsts-implemented-max-age-at-least-six-months", "name": "strict-transport-security", "output": { "data": "max-age=31536000", "includeSubDomains": false, "max-age": 31536000, "preload": false, "preloaded": false }, "pass": true, "result": "hsts-implemented-max-age-at-least-six-months", "score_description": 
"HTTPStrictTransportSecurity(HSTS)headersettoaminimumofsixmonths(15768000)", "score_modifier": 0, "id": 7 }, "score": 60, "tests_passed": 7, "content-security-policy": { "expectation": "csp-implemented-with-no-unsafe", "name": "content-security-policy", "output": {}, "pass": false, "result": "csp-not-implemented", "score_description": "ContentSecurityPolicy(CSP)headernotimplemented", "score_modifier": -25, "id": 1 }, "x-content-type-options": { "expectation": "x-content-type-options-nosniff", "name": "x-content-type-options", "output": { "data": "nosniff" }, "pass": true, "result": "x-content-type-options-nosniff", "score_description": "X-Content-Type-Optionsheadersetto\"nosniff\"", "score_modifier": 0, "id": 9 }, "x-xss-protection": { "expectation": "x-xss-protection-1-mode-block", "name": "x-xss-protection", "output": { "data": "1;mode=block" }, "pass": true, "result": "x-xss-protection-enabled-mode-block", "score_description": "X-XSS-Protectionheadersetto\"1;mode=block\"", "score_modifier": 0, "id": 11 }, "subresource-integrity": { "expectation": "sri-implemented-and-external-scripts-loaded-securely", "name": "subresource-integrity", "output": { "data": { "https://auth.gfx.ms/16.000.26657.00/DefaultLoginStrings.EN.js": {}, "https://auth.gfx.ms/16.000.26657.00/DefaultLogin_Core.js": {} } }, "pass": false, "result": "sri-not-implemented-but-external-scripts-loaded-securely", "score_description": "SubresourceIntegrity(SRI)notimplemented,butallexternalscriptsareloadedoverhttps", "score_modifier": -5, "id": 8 }, "grade": "C+", "public-key-pinning": { "expectation": "hpkp-not-implemented", "name": "public-key-pinning", "output": { "includeSubDomains": false, "preloaded": false }, "pass": true, "result": "hpkp-not-implemented", "score_description": "HTTPPublicKeyPinning(HPKP)headernotimplemented", "score_modifier": 0, "id": 5 }, "state": "FINISHED", "tests_failed": 4, "redirection": { "expectation": "redirection-to-https", "name": "redirection", "output": { 
"destination": "https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1477620955&rver=6.4.6456.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=64855&mkt=en-US&cbcxt=mai", "redirects": true, "route": [ "http://www.hotmail.com/", "https://mail.live.com/default.aspx", "https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1477620955&rver=6.4.6456.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=64855&mkt=en-US&cbcxt=mai" ], "status_code": 302 }, "pass": false, "result": "redirection-off-host-from-http", "score_description": "Initialredirectionfromhttptohttpsistoadifferenthost,preventingHSTS", "score_modifier": -5, "id": 6 } }
Key | Type | Description |
---|---|---|
grade | String | Final grade assessed upon a completed scan. |
score | Integer | Final score from the test. |
state | String | The state returned from the security test; can be finished, aborted or failed (the sample above shows `FINISHED`). |
tests_failed | Integer | Number of tests that failed. |
tests_passed | Integer | Number of tests that passed. |
tests_quantity | Integer | Number of tests executed. |
expectation | String | The result the test is expected to return. |
name | String | Current test name. |
output | Object | Artifacts related to the test. |
data | Object | The data found in each test's output, i.e. the values the website returned that the test is checking (header values, cookies, script URLs). |
???? | Object | Other keys under `output` vary per test (for example `includeSubDomains`, `max-age`, `preload`, `preloaded`, `destination`, `redirects`, `route`, `status_code`). |
pass | Boolean | Whether the test passed (`true`) or failed (`false`); a test that meets or exceeds the expectation is marked as passed. |
result | String | Result of the test. |
score_description | String | Short description of what the result means. |
id | Integer | Test ID. |
score_modifier | Integer | How much the result of the test affected the final score; should range between -50 and +5. |