Security Vulnerabilities Guide
Understanding and fixing common web security vulnerabilities detected by VitaPulse
HTTP Security Headers
Security headers instruct browsers to enable built-in security mechanisms, protecting your users from common attacks.
High
Strict-Transport-Security (HSTS)
Forces browsers to connect to your site exclusively over HTTPS for the max-age period, preventing protocol downgrade attacks and cookie hijacking over plaintext HTTP. A browser only learns the policy from a successful HTTPS response, so the very first visit stays exposed unless the domain is on the HSTS preload list.
High
Content-Security-Policy (CSP)
Defines which sources the browser may load content (scripts, styles, images, frames) from, mitigating cross-site scripting (XSS) and data injection attacks. A policy only helps if script-src is strict: allowing 'unsafe-inline' or wildcard hosts leaves most XSS payloads executable.
High
X-XSS-Protection
Controls the legacy reflected-XSS filter that older browsers shipped. Chromium-based browsers removed that filter in 2019 and Firefox never implemented it, and the filter itself could be abused to selectively suppress legitimate scripts, so the recommended value today is X-XSS-Protection: 0 (or omitting the header entirely) with a strict Content-Security-Policy providing the real protection.
Medium
X-Content-Type-Options
Prevents browsers from guessing (MIME sniffing) the content type of a response, forcing them to respect the declared Content-Type.
Medium
X-Frame-Options
Controls whether your site can be embedded in iframes, protecting against clickjacking attacks. Valid values are DENY and SAMEORIGIN; the CSP frame-ancestors directive supersedes this header in modern browsers, so send both for full coverage.
Low
Referrer-Policy
Controls how much referrer information is sent when navigating from your site to another.
Low
Permissions-Policy
Controls which browser features and APIs (camera, microphone, geolocation, etc.) can be used by your site and embedded content.
Low
Cross-Origin-Opener-Policy (COOP)
Isolates your browsing context from cross-origin windows, preventing them from accessing your window object.
Low
Cross-Origin-Resource-Policy (CORP)
Controls which origins can load your resources (images, scripts, etc.), preventing unauthorized cross-origin reads.
Low
Cross-Origin-Embedder-Policy (COEP)
Requires every cross-origin resource your page loads to explicitly opt in, either through CORS or a Cross-Origin-Resource-Policy header. Together with Cross-Origin-Opener-Policy: same-origin, this is what places the page in a cross-origin isolated state.
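The header checks above, expressed as an audit routine that runs over a captured response's headers. This is an added example, not VitaPulse's own code; the severity labels, the one-year HSTS threshold and the two sample header sets are assumptions chosen to mirror common scanner practice.

```python
"""Audit a response's headers against the security-header list above.

Added example, not VitaPulse's own code. Severities and thresholds (for
instance the one-year HSTS max-age) are assumptions; adjust to your policy.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list requires
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_security_headers(headers):
    """Return (severity, header, finding) tuples for everything missing or weak."""
    findings = []
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("High", "Strict-Transport-Security", "missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age == 0:
            findings.append(("High", "Strict-Transport-Security", "max-age is 0 or absent, so the header is inert"))
        elif max_age < ONE_YEAR:
            findings.append(("Medium", "Strict-Transport-Security", f"max-age {max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Low", "Strict-Transport-Security", "includeSubDomains not set; subdomains can still be downgraded"))
    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(("High", "Content-Security-Policy", "missing"))
    # The legacy XSS auditor is gone from modern browsers; the only safe value is 0.
    xss = get_header(headers, "X-XSS-Protection")
    if xss is not None and xss != "0":
        findings.append(("Low", "X-XSS-Protection", f"{xss!r} enables a legacy filter; set it to 0 and rely on CSP"))
    if (get_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append(("Medium", "X-Content-Type-Options", "missing or not 'nosniff'"))
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is acceptable.
    xfo = (get_header(headers, "X-Frame-Options") or "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in (csp or "").lower():
        findings.append(("Medium", "X-Frame-Options", "no framing restriction (neither X-Frame-Options nor frame-ancestors)"))
    referrer = (get_header(headers, "Referrer-Policy") or "").lower()
    if referrer not in SAFE_REFERRER_POLICIES:
        findings.append(("Low", "Referrer-Policy", f"missing or leaky value {referrer!r}"))
    if get_header(headers, "Permissions-Policy") is None:
        findings.append(("Low", "Permissions-Policy", "missing"))
    if (get_header(headers, "Cross-Origin-Opener-Policy") or "").lower() != "same-origin":
        findings.append(("Low", "Cross-Origin-Opener-Policy", "not 'same-origin'; cross-origin windows keep a handle to yours"))
    if (get_header(headers, "Cross-Origin-Embedder-Policy") or "").lower() not in {"require-corp", "credentialless"}:
        findings.append(("Low", "Cross-Origin-Embedder-Policy", "missing; page is not cross-origin isolated"))
    if get_header(headers, "Cross-Origin-Resource-Policy") is None:
        findings.append(("Low", "Cross-Origin-Resource-Policy", "missing; any origin may embed your responses"))
    return findings


def is_cross_origin_isolated(headers):
    """COOP same-origin plus COEP require-corp (or credentialless) unlocks SharedArrayBuffer."""
    coop = (get_header(headers, "Cross-Origin-Opener-Policy") or "").lower()
    coep = (get_header(headers, "Cross-Origin-Embedder-Policy") or "").lower()
    return coop == "same-origin" and coep in {"require-corp", "credentialless"}


# Constructed samples: a typical default deployment beside a hardened one.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=0",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    for severity, header, finding in audit_security_headers(WEAK_HEADERS):
        print(f"[{severity}] {header}: {finding}")
```

Note the HSTS case: a header that is present but carries max-age=0 is treated as missing, because that value tells the browser to forget the policy. The hardened set is a starting point; the CSP in it would still need a nonce or hash before inline scripts work.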
TLS / SSL Certificate
TLS (Transport Layer Security) encrypts the connection between users and your server. Certificate misconfigurations and outdated protocols expose your site to interception and data theft.
High
Weak TLS Protocol (TLS 1.0 / 1.1)
Your server still negotiates TLS 1.0 or 1.1, versions with known cryptographic weaknesses that have been formally deprecated (RFC 8996). Disable them and offer only TLS 1.2 and 1.3.
High
Weak Certificate Signature Algorithm
Your SSL/TLS certificate uses a weak signature algorithm (such as SHA-1 with RSA PKCS#1) that is vulnerable to collision attacks.
High
Expired SSL/TLS Certificate
Your SSL/TLS certificate has expired or will expire within 30 days.
Medium
Missing Certificate Transparency
Your SSL/TLS certificate carries no signed certificate timestamps (SCTs) showing it was submitted to public Certificate Transparency logs, which makes a misissued certificate for your domain harder to detect. Chrome and Safari refuse publicly trusted certificates that lack them.
Low
No Encrypted Client Hello (ECH)
Your server does not support Encrypted Client Hello, so the server name (SNI) travels in cleartext in the TLS ClientHello and can be read by any on-path observer. ECH requires TLS 1.3 and publishes its public key through a DNS HTTPS record.
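The TLS findings above, turned into checks you can run against a host. This is an added example, not VitaPulse's own code: probe_protocol() pins a client to one TLS version and reports whether the handshake succeeds (it needs network access), while the parser works on the text that `openssl x509 -text -noout` prints and is exercised here on a constructed excerpt, not a real certificate. The severity labels are assumptions.

```python
"""Evaluate the TLS findings listed above: weak protocol versions, weak
certificate signature algorithm, the expiry window and Certificate Transparency.

Added example, not VitaPulse's own code. probe_protocol() needs network access;
parse_openssl_text() reads `openssl x509 -text -noout` output, and the sample
text below is constructed, not a real certificate.
"""
import re
import socket
import ssl

WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption", "sha1withrsaencryption",
                             "ecdsa-with-sha1", "dsawithsha1"}


def probe_protocol(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake when pinned to one TLS version.

    Certificate verification is disabled on purpose: this checks the protocol
    version, and an expired certificate must not mask that result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # the local OpenSSL cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def parse_openssl_text(text):
    """Pull the fields this audit needs out of `openssl x509 -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    not_after = re.search(r"Not After\s*:\s*(.+?)\s*$", text, re.M)
    return {
        "signature_algorithm": sig.group(1) if sig else None,
        "not_after": not_after.group(1) if not_after else None,
        # openssl prints embedded SCTs under this heading
        "has_scts": "CT Precertificate SCTs" in text,
    }


def days_until_expiry(not_after, now):
    """Days from `now` (epoch seconds) to a notAfter string in OpenSSL's GMT format."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def certificate_findings(info, now, warn_days=30):
    """Map the parsed fields to (severity, finding) pairs."""
    findings = []
    alg = (info.get("signature_algorithm") or "").lower()
    if alg in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(("High", f"weak signature algorithm {alg}"))
    if info.get("not_after"):
        days_left = days_until_expiry(info["not_after"], now)
        if days_left < 0:
            findings.append(("High", "certificate has expired"))
        elif days_left <= warn_days:
            findings.append(("High", f"certificate expires in {int(days_left)} days"))
    if not info.get("has_scts"):
        findings.append(("Medium", "no embedded SCTs (Certificate Transparency)"))
    return findings


# Constructed excerpt in the layout of `openssl x509 -text -noout`.
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Legacy CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan 15 00:00:00 2030 GMT
        Subject: CN = example.test
"""

if __name__ == "__main__":
    import sys
    import time
    host = sys.argv[1] if len(sys.argv) > 1 else None
    for sev, msg in certificate_findings(parse_openssl_text(SAMPLE_CERT_TEXT), time.time()):
        print(f"[{sev}] {msg}")
    for name, ver in (("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1)):
        if host and probe_protocol(host, ver):
            print(f"[High] {host} still accepts {name}")
```

Run it as `python tls_audit.py example.com` to add the live protocol probe. Two caveats: a False from probe_protocol() can mean the local OpenSSL refuses to offer the old version rather than that the server rejected it, so confirm with a second client before closing the finding; and SCTs can also be delivered in a TLS extension or via OCSP stapling, so a certificate without embedded SCTs is not automatically without CT.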
Lighthouse Security Audits
Google Lighthouse performs automated security checks that identify common misconfigurations and unsafe practices on your website.
High
Site Not Served Over HTTPS
Your website is accessible over unencrypted HTTP, meaning all data between users and your server is transmitted in plaintext.
High
No HTTP to HTTPS Redirect
Your server does not redirect HTTP requests to HTTPS, allowing users to access the site over an insecure connection.
High
CSP Not Effective Against XSS
Your Content Security Policy is missing or does not effectively restrict script execution, for example because script-src (or the default-src fallback) allows 'unsafe-inline' without a nonce or hash, relies on wildcard or scheme-only sources, or the policy omits object-src 'none' and base-uri.
Medium
No Trusted Types Policy
Your site does not use Trusted Types, a browser API (enabled with the CSP directive require-trusted-types-for 'script') that makes DOM sinks such as innerHTML, eval and script.src accept only values produced by a registered policy, which blocks most DOM-based cross-site scripting at the sink.
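A policy evaluator for the two items above (CSP effectiveness against XSS, and Trusted Types enforcement), which also serves the Content-Security-Policy header item at the top of this guide. It is an added example, not VitaPulse's or Lighthouse's own code; the checks mirror the criteria Lighthouse's CSP audit applies, and the severities and the two sample policies are assumptions.

```python
"""Check whether a Content-Security-Policy is actually effective against XSS:
a script-src (or default-src fallback) must exist and not be trivially
bypassable, and object-src and base-uri must be locked down.
trusted_types_enforced() covers the Trusted Types item.

Added example, not VitaPulse's or Lighthouse's own code; severities and the
sample policies are assumptions.
"""
import re

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(policy):
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def has_nonce_or_hash(sources):
    return any(NONCE_OR_HASH.match(s) for s in sources)


def csp_xss_findings(policy):
    """Return (severity, finding) pairs; an empty list means the policy holds up against XSS."""
    d = parse_csp(policy)
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        return [("High", "no script-src and no default-src: script loading is unrestricted")]
    findings = []
    lowered = [s.lower() for s in script]
    nonce_based = has_nonce_or_hash(script)
    # CSP3: once a nonce or hash is present, 'unsafe-inline' is ignored, so it only matters without one.
    if "'unsafe-inline'" in lowered and not nonce_based:
        findings.append(("High", "'unsafe-inline' in script-src allows injected inline scripts"))
    if "'unsafe-eval'" in lowered:
        findings.append(("Medium", "'unsafe-eval' in script-src lets injected strings reach eval()"))
    # With a nonce plus 'strict-dynamic', host and scheme fallbacks are ignored by modern browsers.
    if not (nonce_based and "'strict-dynamic'" in lowered):
        for s in lowered:
            if s in BROAD_SOURCES or s.startswith("*."):
                findings.append(("High", f"overly broad script source {s}"))
        if not nonce_based:
            findings.append(("Medium", "host allow-list only; use nonces or hashes with 'strict-dynamic'"))
    objects = [s.lower() for s in d.get("object-src", d.get("default-src", []))]
    if objects != ["'none'"]:
        findings.append(("High", "object-src is not 'none': plugin content can run script"))
    if "base-uri" not in d:
        findings.append(("Medium", "base-uri missing: an injected <base> tag can hijack relative script URLs"))
    return findings


def trusted_types_enforced(policy):
    """True when DOM XSS sinks are required to take Trusted Types values."""
    d = parse_csp(policy)
    return "'script'" in [s.lower() for s in d.get("require-trusted-types-for", [])]


# Constructed policies: a common permissive one beside a strict, nonce-based one.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
              "object-src 'none'; base-uri 'none'; "
              "require-trusted-types-for 'script'; trusted-types default")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, csp_xss_findings(policy) or "effective against XSS",
              "trusted types:", trusted_types_enforced(policy))
```

The strict sample keeps 'unsafe-inline' and https: deliberately: browsers that understand nonces and 'strict-dynamic' ignore them, while older ones fall back to them, which is the usual backwards-compatible strict CSP. In production the nonce must be freshly generated for every response; the fixed value here is only for the offline demonstration.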
Medium
Geolocation Permission on Page Load
Your site requests geolocation permission immediately when the page loads, before any user interaction.
Medium
Notification Permission on Page Load
Your site requests notification permission immediately when the page loads, before any user interaction.
Low
No Cross-Origin Isolation
Your site is not cross-origin isolated (Cross-Origin-Opener-Policy: same-origin together with Cross-Origin-Embedder-Policy: require-corp), so it cannot use SharedArrayBuffer or high-resolution timers, and cross-origin content is not kept out of its memory space, which is what Spectre-style side-channel attacks exploit.
Software Version Exposure
Exposing software versions in HTTP headers or HTML source gives attackers a roadmap of known vulnerabilities to exploit.
Medium
Server Software Version Exposed
Your server's 'Server' HTTP header reveals the software name and version (e.g., Apache/2.4.41, nginx/1.18.0).
Medium
X-Powered-By Header Exposed
Your server sends an 'X-Powered-By' header revealing the backend technology and version (e.g., PHP/7.4, Express, ASP.NET).
Medium
CMS Version Exposed
Your CMS version (WordPress, Drupal, Joomla, etc.) is visible in meta tags, HTML source, or URL patterns.
Low
JavaScript Framework Version Exposed
Your frontend framework version (React, Vue, Angular, jQuery, etc.) is detectable via source code patterns, global variables, or library files.
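The version-exposure checks above, as detection logic run over a captured response. This is an added example, not VitaPulse's own code; the regular expressions cover the patterns the list names (Server and X-Powered-By headers, a CMS generator meta tag, WordPress ?ver= query strings, jQuery and Angular banners), the severities are assumptions, and the sample headers and HTML are constructed.

```python
"""Detect software version leaks in response headers and HTML.

Added example, not VitaPulse's own code. The patterns follow the items in the
list above; the sample response is constructed and the severities are assumptions.
"""
import re

VERSION = r"\d+(?:\.\d+)+"

HEADER_PATTERNS = {
    # product/version, e.g. nginx/1.18.0 or Apache/2.4.41 (Ubuntu)
    "Server": re.compile(r"([A-Za-z-]+)/(" + VERSION + ")"),
    # technology with optional version, e.g. PHP/7.4.3, Express, ASP.NET
    "X-Powered-By": re.compile(r"([A-Za-z.]+)/?(" + VERSION + ")?"),
}

HTML_PATTERNS = [
    ("Medium", "CMS generator meta tag",
     re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)),
    ("Medium", "WordPress asset version query string",
     re.compile(r"wp-(?:includes|content)/[^\"'\s]+\?ver=(" + VERSION + ")", re.I)),
    ("Low", "jQuery banner",
     re.compile(r"jQuery (?:JavaScript Library )?v(" + VERSION + ")", re.I)),
    ("Low", "Angular ng-version attribute",
     re.compile(r'ng-version=["\'](' + VERSION + r')["\']', re.I)),
]


def detect_version_exposure(headers, html):
    """Return (severity, where, what) tuples for every version string found."""
    findings = []
    for name, pattern in HEADER_PATTERNS.items():
        value = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
        if value is None:
            continue
        m = pattern.search(value)
        if m and m.group(2):
            findings.append(("Medium", f"{name} header", f"{m.group(1)} {m.group(2)}"))
        elif name == "X-Powered-By":
            # The technology alone still narrows an attacker's search, just less sharply.
            findings.append(("Low", f"{name} header", value))
    for severity, label, pattern in HTML_PATTERNS:
        for m in pattern.finditer(html):
            findings.append((severity, label, m.group(1)))
    return findings


# Constructed sample response from a WordPress site that also ships an Angular widget.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "Content-Type": "text/html"}
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2">
<script src="/wp-content/themes/x/jquery.js?ver=3.7.1"></script>
</head><body><app-root ng-version="17.0.2"></app-root>
<script>/*! jQuery v3.7.1 | (c) OpenJS Foundation */</script></body></html>"""

if __name__ == "__main__":
    for severity, where, what in detect_version_exposure(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"[{severity}] {where}: {what}")
```

The fixes are configuration, not code: server_tokens off; in nginx, ServerTokens Prod in Apache, expose_php = Off in php.ini, app.disable('x-powered-by') in Express, and remove_action('wp_head', 'wp_generator') in WordPress. Hiding the strings removes the roadmap but not the vulnerabilities, and behavioural fingerprinting can still identify the software, so patching remains the real control.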