Security (OWASP) issues we check — and how to fix them
Security headers, SSL configuration, email authentication, and server misconfigs — issues that erode customer trust and tank your search rankings if Google flags you.
23 catalogued Security (OWASP) issues, each with step-by-step, platform-specific fixes.
- DMARC policy none (Moderate effort): Strengthen your DMARC policy from p=none (monitor-only) to p=quarantine, then p=reject, to actively block email spoofing of your domain.
- HSTS disabled (Quick win): Enable HTTP Strict-Transport-Security (HSTS) by setting a max-age of at least 31536000 seconds (one year) so browsers always use HTTPS when visiting your store.
- HSTS max-age too short (Quick win): Increase your HSTS max-age to at least 31536000 (one year) so browsers enforce HTTPS-only connections for a meaningful period.
- HTTPS not available (Quick win): Enable HTTPS by installing a valid SSL/TLS certificate and redirecting all HTTP traffic to the secure HTTPS version of your store.
- Info disclosure: Server header (Quick win): Remove or obscure the Server HTTP response header so your web server software name and version are no longer exposed to the public internet.
- Info disclosure: X-Powered-By header (Quick win): Remove or mask the X-Powered-By HTTP response header to stop advertising your server technology stack to attackers.
- Insecure cookie (Moderate effort): Set the HttpOnly, Secure, and SameSite=Strict flags on every session and CSRF cookie your store sets so they cannot be stolen by malicious scripts or sent over unencrypted connections.
- Missing Content Security Policy (Moderate effort): Add a Content-Security-Policy (CSP) response header to every page so browsers block unauthorized scripts, styles, and resources from loading.
- Missing DMARC (Quick win): Add a DMARC DNS TXT record at _dmarc.yourdomain.com to protect your domain from email spoofing and phishing.
- Missing Permissions-Policy (Quick win): Add a Permissions-Policy HTTP response header to explicitly restrict which browser features (camera, microphone, geolocation, etc.) your store's pages are allowed to use.
- Missing Referrer-Policy (Quick win): Add a `Referrer-Policy: strict-origin-when-cross-origin` HTTP response header to every page so browsers control what referrer information is sent with requests.
- Missing SPF (Quick win): Add a DNS TXT record containing a valid SPF policy to your domain so email servers can verify that messages sent from your domain are legitimate.
- Missing Strict-Transport-Security (Quick win): Add an HTTP Strict-Transport-Security (HSTS) response header with at least `max-age=31536000; includeSubDomains` to every HTTPS response your store sends.
- Missing X-Content-Type-Options (Quick win): Add the `X-Content-Type-Options: nosniff` HTTP response header to every page of your store so browsers never guess at file types.
- Missing X-Frame-Options (Quick win): Add an X-Frame-Options HTTP response header set to DENY or SAMEORIGIN to prevent your store's pages from being embedded in iframes on other websites.
- Passive scan only (Moderate effort): Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.
- SSL cert expiring soon (Quick win): Renew your SSL/TLS certificate before it expires to keep your store secure, trusted, and visible in search results.
- SSL cert invalid (Moderate effort): Install a valid SSL/TLS certificate that exactly matches your store's domain name, so browsers trust your site and customer data is encrypted in transit.
- SSL error (Moderate effort): Replace or reissue your SSL/TLS certificate so it is valid for the exact domain name your store uses, eliminating the hostname mismatch error.
- SSL not accessible (Moderate effort): Enable HTTPS on your store by opening port 443 and installing a valid SSL/TLS certificate so every page is served over a secure connection.
- Weak SPF (Quick win): Add a hard-fail (-all) or soft-fail (~all) mechanism to your SPF DNS record so that mail servers are explicitly told to reject or flag email from senders not listed in your record.
- X-Content-Type-Options weak (Quick win): Set the X-Content-Type-Options response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.
- X-Frame-Options weak (Quick win): Change the X-Frame-Options response header from its current weak or missing value to either DENY or SAMEORIGIN so your store cannot be embedded in a malicious iframe.