Web Security Map monitors a range of modern security standards that are required for operating an internet service securely. Many of them are mandated by governments and standards bodies worldwide.
For example: when visiting a website, a secure (HTTPS) connection is needed to ensure integrity and privacy.
Web Security Map is intended for public installation and visibility, allowing everyone in the world to see the results. This creates accountability. Because of this public nature, its capabilities are deliberately limited.
Transparency comes with responsibility: Web Security Map only explicitly scans and publishes information that does not increase risk. The data published with Web Security Map gives a first impression of how an organization monitors, handles and mitigates risk.
Scanned and published
Security Standard | Technology | Max. Severity |
---|---|---|
DNSSEC | DNS | High |
TLS Encryption Quality | HTTP / TLS | High |
Trust in TLS Certificate | HTTP / TLS | High |
Websites without TLS | HTTP / TLS | High |
Unencrypted File Transfer | FTP / auth | High |
Encrypted Mail Transport | Mail / TLS | High |
SPF Record | Mail / DNS | Medium |
DKIM Record | Mail / DNS | Medium |
DMARC Record | Mail / DNS | Medium |
Strict Transport Security | HTTP | Medium |
X-Frame-Options | HTTP | Medium |
X-Content-Type-Options | HTTP | Low |
X-XSS-Protection | HTTP | Low |
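To make the four HTTP-header rows of the table concrete, here is an added example (not Web Security Map's own scanner or scoring) that evaluates a captured set of response headers against those checks, tagging each result with the severity from the table. The pass/fail rules (the one-year HSTS `max-age` threshold and the accepted header values) and the two sample header sets are this example's own assumptions.

```python
"""Offline evaluation of the HTTP-header checks listed in the table above.

Added example, not Web Security Map's own code. Severities come from the
table; the pass/fail rules below are assumptions of this example.
"""
import re

# Severity per check, taken from the table on this page.
SEVERITY = {
    "Strict Transport Security": "Medium",
    "X-Frame-Options": "Medium",
    "X-Content-Type-Options": "Low",
    "X-XSS-Protection": "Low",
}

MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year in seconds


def hsts_ok(value):
    """Pass only if max-age is present and at least MIN_HSTS_MAX_AGE."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def xfo_ok(value):
    # ALLOW-FROM is obsolete and ignored by current browsers, so only
    # DENY and SAMEORIGIN count as protection against framing.
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def xcto_ok(value):
    return value.strip().lower() == "nosniff"


def xxp_ok(value):
    # Legacy header; the table lists it as Low, so only require "1...".
    return value.strip().startswith("1")


CHECKS = {
    "Strict Transport Security": ("strict-transport-security", hsts_ok),
    "X-Frame-Options": ("x-frame-options", xfo_ok),
    "X-Content-Type-Options": ("x-content-type-options", xcto_ok),
    "X-XSS-Protection": ("x-xss-protection", xxp_ok),
}


def evaluate(headers):
    """Return {check: (passed, severity)}; header names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: (hdr in lower and ok(lower[hdr]), SEVERITY[name])
            for name, (hdr, ok) in CHECKS.items()}


def failed_findings(headers):
    return sorted(n for n, (ok, _) in evaluate(headers).items() if not ok)


# Constructed sample responses, not real scan data.
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300",
        "X-Frame-Options": "ALLOW-FROM https://example.com"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        for name, (ok, sev) in evaluate(hdrs).items():
            print(f"{label:8} {name:28} {'pass' if ok else 'FAIL'} ({sev})")
```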
Out of scope
Transparency comes with responsibility. The following risks are therefore not scanned or publicly reported; they belong in Responsible Disclosure vulnerability programs.
Web Security Map does not scan or report on critical security risks such as:
SQL injection, Path Traversal, Vulnerable Versions (banner grabbing), Buffer Overflows, Weak passwords, Open Directories, Severe Misconfigurations, Missing Authentication, Permission Issues, Insecure Uploads and many others.