The scoring module evaluates the website's overall security grade. The assessment is based on the OWASP standard, and the results may seem subjective. At the beginning of the scan, each resource is assumed to be 100% secure. If the module detects a discrepancy in one of the checkpoints, it subtracts a percentage from the total score, depending on the significance of the risk.
Currently, there are 13 checkpoints. They are:
- SSL - Checks for the validity of the SSL certificate.
- CMS - Checks for an obsolete CMS version and for CVEs affecting the detected CMS.
- Malware - Scans the resources for well-known malware such as worms, trojans, viruses, etc.
- Security.txt - Checks for compliance with the security.txt standard.
- Defacement - Checks for traces of an injected defacement.
- JS components - Checks for obsolete versions of JS libraries and for CVEs affecting the detected library versions.
- HTTP methods - Checks for support for insecure HTTP methods.
- Robots.txt - Checks for the presence of robots.txt.
- Web Application Firewall (WAF) - Checks for the presence of WAF.
- Open ports - Checks for the presence of open ports.
- Secure Cookies - Checks for the presence of cookies and the security of cookie settings.
- HTTP Security Headers & CSP - Checks for the presence of secure HTTP headers and the validity of the settings of the detected headers.
- Email Leakage - Checks for email leaks.
It is also important to note that the module only monitors the website's health and gives recommendations. It does not automatically fix the issues raised in the results, because of the high risk of breaking the website. Moreover, our system does not have access to change many of the configurations described in the module.
The module does not offer on-demand scanning and refreshes its results once a week.
Each section is rated High, Medium or Low according to its impact on the overall score.
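The deduction model described above (start at 100%, subtract per failed checkpoint according to its impact) can be sketched for four of the checkpoints as follows. This is an added example, not the module's own code: the penalty percentages, the impact assigned to each checkpoint, the HSTS threshold and the sample scan data are all assumptions.

```python
import re
from http.cookies import SimpleCookie

PENALTY = {"High": 15, "Medium": 7, "Low": 3}  # assumed; the page publishes no weights
MIN_HSTS = 15552000  # assumed minimum HSTS max-age (180 days)
REQUIRED = ("strict-transport-security", "content-security-policy", "x-content-type-options")

SAMPLE = {  # constructed scan input, not real scanner output
    "headers": {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"},
    "set_cookie": ["sid=abc123; Path=/; HttpOnly",
                   "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "paths": {"/robots.txt": 200, "/.well-known/security.txt": 404},
}

def check_cookies(scan):
    """Flag every cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for raw in scan["set_cookie"]:
        for name, morsel in SimpleCookie(raw).items():
            missing = [a for a in ("secure", "httponly", "samesite") if not morsel[a]]
            if missing:
                findings.append(f"cookie {name}: missing {', '.join(missing)}")
    return findings

def check_headers(scan):
    """Flag absent headers, and an HSTS header whose max-age is too short."""
    h = {k.lower(): v for k, v in scan["headers"].items()}
    findings = [f"missing {n}" for n in REQUIRED if n not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS:
            findings.append("HSTS max-age too short")
    return findings

def check_path(path):
    return lambda scan: [] if scan["paths"].get(path) == 200 else [f"{path} not served"]

CHECKPOINTS = [  # (checkpoint, assumed impact, check function)
    ("Secure Cookies", "Medium", check_cookies),
    ("HTTP Security Headers & CSP", "High", check_headers),
    ("Security.txt", "Low", check_path("/.well-known/security.txt")),
    ("Robots.txt", "Low", check_path("/robots.txt")),
]

def score(scan):
    """Start at 100 and subtract one penalty per failed checkpoint."""
    failed = [(n, i, f) for n, i, c in CHECKPOINTS if (f := c(scan))]
    return max(0, 100 - sum(PENALTY[i] for _, i, _ in failed)), failed
```

Calling `score(SAMPLE)` returns the remaining percentage together with the failed checkpoints and their findings, which is the material a recommendation report would be built from.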