CSP: Wildcard Directive | Medium | -2 | +3 |
CSP: script-src unsafe-eval | Medium | -2 | +3 |
CSP: script-src unsafe-inline | Medium | -2 | +3 |
CSP: style-src unsafe-inline | Medium | -2 | +3 |
Sub Resource Integrity Attribute Missing | @@ -240,7 +246,7 @@|||
Base64 Disclosure | Informational | -9 | +12 |
Information Disclosure - Suspicious Comments | @@ -255,12 +261,12 @@|||
Re-examine Cache-control Directives | Informational | -5 | +4 |
Retrieved from Cache | Informational | -6 | +7 |
Sec-Fetch-Dest Header is Missing | @@ -343,6 +349,40 @@The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: style-src, frame-ancestors, form-action +The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything. | +||
URL | +https://deces.matchid.io/ | +||
Method | +GET | +||
Parameter | +Content-Security-Policy | +||
Attack | ++ | ||
Evidence | +default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com | +||
Other Info | +The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: +style-src, frame-ancestors, form-action + The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything. | ||
Instances | -2 | +3 | |
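Review bot: the 'Solution' text in this hunk is generic, but the Other Info line already names the concrete gap: frame-ancestors and form-action are absent from the Evidence policy and do not fall back to default-src, so the policy itself puts no limit on who may frame the page or where its forms may submit. Suggest adding explicit `frame-ancestors 'self'` (or `'none'` if the site is never framed) and `form-action 'self'` directives, and replacing the `https:` scheme source in style-src, which is the wildcard-like entry this rule also objects to, with the specific stylesheet hosts in use; the count moving from 2 to 3 is the root URL being scanned on this run, not a further weakening of the header.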
Solution | @@ -476,6 +516,37 @@script-src includes unsafe-eval. | ||
URL | +https://deces.matchid.io/ | +||
Method | +GET | +||
Parameter | +Content-Security-Policy | +||
Attack | ++ | ||
Evidence | +default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com | +||
Other Info | +script-src includes unsafe-eval. | +||
URL | @@ -509,7 +580,7 @@|||
Instances | -2 | +3 | |
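Review bot: the new root-URL instance carries the same script-src as the sitemap.xml instance already in the report, so this is one policy flagged on one more page, not a second problem. 'unsafe-eval' re-enables eval(), new Function() and string arguments to setTimeout/setInterval for every origin in that long allowlist, which undoes much of the benefit of listing them; suggest a Content-Security-Policy-Report-Only run without the keyword to learn which of the listed tag-manager and ad hosts actually need it before removing it from the enforced header.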
Solution | @@ -603,6 +674,37 @@script-src includes unsafe-inline. | ||
URL | +https://deces.matchid.io/ | +||
Method | +GET | +||
Parameter | +Content-Security-Policy | +||
Attack | ++ | ||
Evidence | +default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com | +||
Other Info | +script-src includes unsafe-inline. | +||
URL | @@ -636,7 +738,7 @@|||
Instances | -2 | +3 | |
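Review bot: with 'unsafe-inline' present in script-src, the allowlist of Google and Cloudflare hosts in the same directive gives no protection against injected inline script, since any inline <script> or event handler is permitted regardless of origin. The fix is nonce- or hash-based sourcing for the inline scripts the page genuinely needs; browsers that understand nonces and hashes ignore 'unsafe-inline' when either is present, so the keyword can stay as a fallback during the migration and be removed once Report-Only output is clean.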
Solution | @@ -730,6 +832,37 @@style-src includes unsafe-inline. | ||
URL | +https://deces.matchid.io/ | +||
Method | +GET | +||
Parameter | +Content-Security-Policy | +||
Attack | ++ | ||
Evidence | +default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com | +||
Other Info | +style-src includes unsafe-inline. | +||
URL | @@ -763,7 +896,7 @@|||
Instances | -2 | +3 | |
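Review bot: this is the third hunk reporting the same Evidence string for https://deces.matchid.io/, so the script-src and style-src findings above should be tracked as one header change, not three separate regressions. For style-src the `https:` scheme source is as much of a problem as 'unsafe-inline': it permits stylesheets from any HTTPS origin, which is why the Wildcard Directive hunk lists style-src as overly broad; both should give way to the specific stylesheet hosts plus hashes or nonces for any inline styles.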
Solution | @@ -1355,12 +1488,43 @@|||
Evidence | -2FDmbNyrmWGGRzVbs1SmXW8S514bk8sf4Epp5jFe7O4u9d | +2BUSRoYYMPWjsDQLsFXUpmJeYlbOlbF | |
Other Info | -�P�lܫ�a�G5[�T�]o�^���Ji�1^��.� | +�F�0���4�UԦb^bVΕ� | +|
URL | +https://deces.matchid.io | +||
Method | +GET | +||
Parameter | ++ | ||
Attack | ++ | ||
Evidence | +2BkQiSRuvMruOga3WSxZtMwwEibnt9G3K2 | +||
Other Info | +��$n���:�Y,Y��0&�ѷ+ | ||
Evidence | -2FptDxVrPWSL84ih9ibf4GDpHD75vxa35ktX | +2Bo85E0WeajuPYFCJsLJ6PDmv6veC1XTTm0vQl0LZ8B0P26ND8CjcbYvBnQVeLy5lDUynr | |
Other Info | -�Zmk=d���&��`�>����KW | +�<�My��=�B&����濫�U�Nm/B]g�t?n���q�/tx���52� | |
Evidence | -2Fx9V7YsYK8khuRpUPDz51FfHCO5PZlyO2V42TrAJd0BGypBib7UVFQ5 | +2BM1ZVlDr2k4F9W0oudSa2oIuLcXxqyxq57CCz0FGrRxt1KvwEoKVRd5GXlJU9rZaIMRwSjf2PTOHdwJ13z8UieBPb0iRlzB2m9dMATVeUV1 | |
Other Info | -�\}W�,`�$��iP���Q_#�=�r;ex�:�%�*A���TT9 | +�5eYC�i8մ��Rkj��Ƭ����=�q�R��J +UyyIS��h��(����� �|�R'�=�"F\��o]0�yEu | |
Evidence | -2BCNk00YG1JDUV1gTVxBK7YAIv9Y45IJgMA7tD | +2F9TcHtmECgUwBqqyJm07QicD6R5lJ35VFy2uvqq90mrzXmjUaQgi0FbvwKrhabQsM3K | |
Other Info | -���MRCQ]`M\A+� "�X� ��;� | +�_Sp{f(��ș����y���T\�����I��y�Q� �A[����а�� | |
Evidence | -2BcZ1WDFkWxkDFWhL7Pkrp5AYRcGsTa0koqfLNZip5KjwVpA1S | +BJf5QdJwusNdo6kBFRI3Q0XCjvG9XHaMTo3P7E8iV9eT9GP2XLkwvO | |
Other Info | -��`őldU�/�䮞@a�6����,�b����Z@� | +��A�p��]��7CE�\v�N���O"Wד�c�\�0� | |
Evidence | -2FeYjNf8uinrW7pGHu9F0fptkKcfrqQVMUREFx3KiLVE7ZejkK0hY7leNizFIa26UlodFaV8sj9 | +2BBwby0ZrZDCYGeUMC0RrXRPy3bqGQbNf7pz | |
Other Info | -�W�����)�[�F�E��m����1DDʈ�D헣��!c�^6,�!��RZ�|�? | +�po-���`g�0-�tO�v���s | |
Evidence | -2F5vSJomJ2aAS3DJb1wG10eIAd7WaOfjWi9xRQ2f | +2FC0JShVLXYqm8Qi8Unm5lkMmD4eUhC2x73raI8JJrZJ | +|
Other Info | +�P�%(U-v*��"�I��Y�>R�ǽ�h� &�I | +||
URL | +https://deces.matchid.io/favicon.svg | +||
Method | +GET | +||
Parameter | ++ | ||
Attack | ++ | ||
Evidence | +2B9T4ZzohszDpFbgZR8s1VNrwjvyDWY1 | ||
Other Info | -�^oH�&'f�Kp�o\�G���h��Z/qE � | +�S���äV�e,�Sk�;� f5 | |
Evidence | -2B8YzDqghVvdopIemXS3YiU1qjEYO0RVf0BhONsChKeiek6Rt89Z2N8md3cJSAxZurXevMYYKgIfAFUaqpBLHylwWht | +2BILW4FolkJMWdqD6iqXuIOTnWUcU77HTZSh1sxOkU0W | |
Other Info | -��:��[ݢ��t�b%5�1;DU@a8����zN���Y��&ww HY���* U��K)pZ | +�[�h�BLYڃ�*�����eS��M����N�M | +|
URL | +https://deces.matchid.io/manifest.json | +||
Method | +GET | +||
Parameter | ++ | ||
Attack | ++ | ||
Evidence | +mJWTywfi26twQMcdMdYdJvapVLebgY | +||
Other Info | +�����۫p@�1�&��T��� | ||
Evidence | -Tj96Owom9lS9XAIldxSBay5iUpHMbnonVcvzMOACUsdt4qW0BKcPbKDfSdG | +2Bg7Gy1g1BFhPMolG0OgC9Y0kSZzpeBH6bJQg5L | |
Other Info | -N?z; -&�T�\%w�k.bR��nz'U��0�R�m⥴�l��I� | +�;-`�a<�%C��4�&s��G�P�� | |
Instances | -9 | +12 | |
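Review bot: every Evidence value in this hunk changed between runs (2FDmbNyrm… to 2BUSRoYY…, 2FptDxVr… to 2Bo85E0…, and so on) and the decoded Other Info bytes are unprintable in every case, so these are not static secrets; the leading 2F/2B pairs on most of them look like the tail of percent-encoded '/' and '+' from a URL-encoded token, which would explain both why the base64 pattern matches and why decoding yields garbage. Suggest confirming once that the strings are the CDN script loader's per-response tokens (rocket-loader.min.js is among the instances) and then setting plugin 10094 to IGNORE in the baseline rules configuration; otherwise the count (9 to 12) and every Evidence line will keep churning on each scan with nothing for a reviewer to act on.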
Solution | @@ -1769,7 +1995,7 @@|||
Evidence | -<script defer src="/js/matchid.min.js" type="3c5a37f3a4da82e728707fb6-text/javascript"></script> | +<script defer src="/js/matchid.min.js" type="3e42580513e13eb4c7e96254-text/javascript"></script> | |
Alert Detail | |||
Evidence | -<script defer src="/js/matchid.min.js" type="5baca66a0956a314e6b1f932-text/javascript"></script> | +<script defer src="/js/matchid.min.js" type="fb60056563dc27747d8e1062-text/javascript"></script> | |
Alert Detail | |||
Evidence | -<script defer src="/js/matchid.min.js" type="1862235c15c45fccaa8c8f77-text/javascript"></script> | +<script defer src="/js/matchid.min.js" type="8b9e819b3f076da0fb1f05de-text/javascript"></script> | |
Alert Detail | |||
Evidence | -<script defer src="/js/matchid.min.js" type="75ccb9a288ade751ebeabac4-text/javascript"></script> | +<script defer src="/js/matchid.min.js" type="4a359324d280e793de99f73e-text/javascript"></script> | |
Alert Detail | |||
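Review bot: the only thing that changes in these four Evidence lines is the hash-like prefix in the type attribute of the same <script defer src="/js/matchid.min.js"> tag, so the underlying informational finding (scripts present, no links found) is unchanged and this hunk will reappear on every scan. A type value that is not a JavaScript MIME type is not executed by the browser directly, and the presence of /cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js among the scanned URLs suggests the CDN's script loader rewrites the tag with a per-response token; worth confirming that once and then treating this alert as accepted rather than re-reviewing the prefix each run.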
URL | -https://deces.matchid.io/robots.txt | -||
Method | -GET | -||
Parameter | -cache-control | -||
Attack | -- | ||
Evidence | -max-age=86400 | -||
Other Info | -- | ||
URL | @@ -2076,7 +2271,7 @@|||
Instances | -5 | +4 | |
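Review bot: the removed robots.txt instance here (cache-control max-age=86400, count 5 to 4) reappears in the 'Retrieved from Cache' hunk further down as a robots.txt instance with Age: 140 (count 6 to 7); the resource was simply served from the caching layer on this run instead of from origin, so neither count change reflects a configuration change. max-age=86400 on a public robots.txt is a reasonable setting; the cache alerts worth attention are those on responses that could carry user-specific content, and this diff shows none.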
Solution | @@ -2156,7 +2351,7 @@|||
Evidence | -Age: 153 | +Age: 1321 | |
Alert Detail | |||
Evidence | -Age: 153 | +Age: 1322 | |
Alert Detail | |||
Evidence | -Age: 13 | +Age: 139 | |
Alert Detail | |||
Evidence | -Age: 3959 | +Age: 1324 | |
Alert Detail | |||
Evidence | -Age: 12 | +Age: 1323 | |
Alert Detail | |||
Evidence | -Age: 3959 | +Age: 139 | +|
Other Info | +The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use. | +||
URL | +https://deces.matchid.io/robots.txt | +||
Method | +GET | +||
Parameter | ++ | ||
Attack | ++ | ||
Evidence | +Age: 140 | ||
Alert Detail | |||
Instances | -6 | +7 | |
Solution | @@ -2423,7 +2649,7 @@|||
URL | -https://deces.matchid.io/favicon-apple.png | +https://deces.matchid.io/favicon.svg | |
Alert Detail | |||
URL | -https://deces.matchid.io/favicon-apple.png | +https://deces.matchid.io/favicon.svg | |
Alert Detail | |||
URL | -https://deces.matchid.io/favicon-apple.png | +https://deces.matchid.io/favicon.svg | |
Alert Detail | |||
URL | -https://deces.matchid.io/favicon-apple.png | +https://deces.matchid.io/favicon.svg | |
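Review bot: the only change across the Sec-Fetch-Dest/-Mode/-Site/-User hunks is the instance URL rotating from favicon-apple.png to favicon.svg, so nothing about the target changed. These alerts fire when the request lacks the Fetch Metadata headers, and those headers are set by the browser on the requests it makes; a scanner replaying requests it built itself does not send them, so the finding describes the crawler rather than the site. Recommend marking the Sec-Fetch rules (plugin 90005 in the JSON half) as accepted or ignored in the baseline configuration so the instance rotation stops surfacing as a diff.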
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.",
"otherinfo": " The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: style-src, frame-ancestors, form-action The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything. ", "reference": "https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources ", 
@@ -62,6 +70,14 @@ "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", "otherinfo": "script-src includes unsafe-eval." 
}, + { + "uri": "https://deces.matchid.io/", + "method": "GET", + "param": "Content-Security-Policy", + "attack": "", + "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", + "otherinfo": "script-src includes unsafe-eval." + }, { "uri": "https://deces.matchid.io/sitemap.xml", "method": "GET", @@ -71,7 +87,7 @@ "otherinfo": "script-src includes unsafe-eval." } ], - "count": "2", + "count": "3", "solution": "Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. ", "otherinfo": "script-src includes unsafe-eval. ", "reference": "https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources ", 
@@ -97,6 +113,14 @@ "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", "otherinfo": "script-src includes unsafe-inline." 
}, + { + "uri": "https://deces.matchid.io/", + "method": "GET", + "param": "Content-Security-Policy", + "attack": "", + "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", + "otherinfo": "script-src includes unsafe-inline." + }, { "uri": "https://deces.matchid.io/sitemap.xml", "method": "GET", @@ -106,7 +130,7 @@ "otherinfo": "script-src includes unsafe-inline." } ], - "count": "2", + "count": "3", "solution": "Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. ", "otherinfo": "script-src includes unsafe-inline. ", "reference": "https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources ", 
@@ -132,6 +156,14 @@ "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", "otherinfo": "style-src includes unsafe-inline." 
}, + { + "uri": "https://deces.matchid.io/", + "method": "GET", + "param": "Content-Security-Policy", + "attack": "", + "evidence": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' static.cloudflareinsights.com ajax.cloudflare.com www.googletagmanager.com fundingchoicesmessages.google.com www.google.com www.google.ca analytics.google.com www.google-analytics.com pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.fr;style-src https: 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' matchid.io a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com upload.wikimedia.org pagead2.googlesyndication.com www.google-analytics.com stats.g.doubleclick.net www.google.fr;connect-src 'self' www.data.gouv.fr cloudflareinsights.com www.google-analytics.com analytics.google.com csi.gstatic.com region1.analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com; frame-src 'self' matchid.io www.google.com google.com googleads.g.doubleclick.net tpc.googlesyndication.com", + "otherinfo": "style-src includes unsafe-inline." + }, { "uri": "https://deces.matchid.io/sitemap.xml", "method": "GET", @@ -141,7 +173,7 @@ "otherinfo": "style-src includes unsafe-inline." } ], - "count": "2", + "count": "3", "solution": "Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. ", "otherinfo": "style-src includes unsafe-inline. ", "reference": "https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources ", 
@@ -174,7 +206,7 @@ "reference": "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity ", "cweid": "345", "wascid": "15", - "sourceid": "25" + "sourceid": "28" }, { "pluginid": "10020", @@ -295,7 +327,7 @@ "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy https://developer.chrome.com/blog/feature-policy/ https://scotthelme.co.uk/a-new-security-header-feature-policy/ https://w3c.github.io/webappsec-feature-policy/ https://www.smashingmagazine.com/2018/12/feature-policy/ ", "cweid": "693", "wascid": "15", - "sourceid": "20" + "sourceid": "23" }, { "pluginid": "10094", 
@@ -312,77 +344,101 @@ "method": "GET", "param": "", "attack": "", - "evidence": "2FDmbNyrmWGGRzVbs1SmXW8S514bk8sf4Epp5jFe7O4u9d", - "otherinfo": "\uFFFDP\uFFFDl\u072B\uFFFDa\uFFFDG5[\uFFFDT\uFFFD]o\\x0012\uFFFD^\\x001b\uFFFD\uFFFD\\x001f\uFFFDJi\uFFFD1^\uFFFD\uFFFD.\uFFFD" + "evidence": "2BUSRoYYMPWjsDQLsFXUpmJeYlbOlbF", + "otherinfo": "\uFFFD\\x0015\\x0012F\uFFFD\\x00180\uFFFD\uFFFD\uFFFD4\\x000b\uFFFDU\u0526b^bV\u0395\uFFFD" + }, + { + "uri": "https://deces.matchid.io", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2BkQiSRuvMruOga3WSxZtMwwEibnt9G3K2", + "otherinfo": "\uFFFD\\x0019\\x0010\uFFFD$n\uFFFD\uFFFD\uFFFD:\\x0006\uFFFDY,Y\uFFFD\uFFFD0\\x0012&\uFFFD\u0477+" }, { "uri": "https://deces.matchid.io/", "method": "GET", "param": "", "attack": "", - "evidence": "2FptDxVrPWSL84ih9ibf4GDpHD75vxa35ktX", - "otherinfo": "\uFFFDZm\\x000f\\x0015k=d\uFFFD\uFFFD\uFFFD&\uFFFD\uFFFD`\uFFFD\\x001c>\uFFFD\uFFFD\\x0016\uFFFD\uFFFDKW" + "evidence": "2Bo85E0WeajuPYFCJsLJ6PDmv6veC1XTTm0vQl0LZ8B0P26ND8CjcbYvBnQVeLy5lDUynr", + "otherinfo": "\uFFFD\\x001a<\uFFFDM\\x0016y\uFFFD\uFFFD=\uFFFDB&\uFFFD\uFFFD\uFFFD\uFFFD\u6FEB\uFFFD\\x000bU\uFFFDNm/B]\\x000bg\uFFFDt?n\uFFFD\\x000f\uFFFD\uFFFDq\uFFFD/\\x0006t\\x0015x\uFFFD\uFFFD\uFFFD52\uFFFD" }, { "uri": "https://deces.matchid.io/build/module/bundle.css", "method": "GET", "param": "", "attack": "", - "evidence": "2Fx9V7YsYK8khuRpUPDz51FfHCO5PZlyO2V42TrAJd0BGypBib7UVFQ5", - "otherinfo": "\uFFFD\\}W\uFFFD,`\uFFFD$\uFFFD\uFFFDiP\uFFFD\uFFFD\uFFFDQ_\\x001c#\uFFFD=\uFFFDr;ex\uFFFD:\uFFFD%\uFFFD\\x0001\\x001b*A\uFFFD\uFFFD\uFFFDTT9" + "evidence": "2BM1ZVlDr2k4F9W0oudSa2oIuLcXxqyxq57CCz0FGrRxt1KvwEoKVRd5GXlJU9rZaIMRwSjf2PTOHdwJ13z8UieBPb0iRlzB2m9dMATVeUV1", + "otherinfo": 
"\uFFFD\\x00135eYC\uFFFDi8\\x0017\u0574\uFFFD\uFFFDRkj\\x0008\uFFFD\uFFFD\\x0017\u01AC\uFFFD\uFFFD\uFFFD\uFFFD\\x000b=\\x0005\\x001a\uFFFDq\uFFFDR\uFFFD\uFFFDJ\nU\\x0017y\\x0019yIS\uFFFD\uFFFDh\uFFFD\\x0011\uFFFD(\uFFFD\uFFFD\uFFFD\uFFFD\\x001d\uFFFD\t\uFFFD|\uFFFDR'\uFFFD=\uFFFD\"F\\\uFFFD\uFFFDo]0\\x0004\uFFFDyEu" }, { "uri": "https://deces.matchid.io/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js", "method": "GET", "param": "", "attack": "", - "evidence": "2BCNk00YG1JDUV1gTVxBK7YAIv9Y45IJgMA7tD", - "otherinfo": "\uFFFD\\x0010\uFFFD\uFFFDM\\x0018\\x001bRCQ]`M\\A+\uFFFD\\x0000\"\uFFFDX\uFFFD\t\uFFFD\uFFFD;\uFFFD" + "evidence": "2F9TcHtmECgUwBqqyJm07QicD6R5lJ35VFy2uvqq90mrzXmjUaQgi0FbvwKrhabQsM3K", + "otherinfo": "\uFFFD_Sp{f\\x0010(\\x0014\uFFFD\\x001a\uFFFD\u0219\uFFFD\uFFFD\\x0008\uFFFD\\x000f\uFFFDy\uFFFD\uFFFD\uFFFDT\\\uFFFD\uFFFD\uFFFD\uFFFD\uFFFDI\uFFFD\uFFFDy\uFFFDQ\uFFFD \uFFFDA[\uFFFD\\x0002\uFFFD\uFFFD\uFFFD\u0430\uFFFD\uFFFD" }, { "uri": "https://deces.matchid.io/css/global.css", "method": "GET", "param": "", "attack": "", - "evidence": "2BcZ1WDFkWxkDFWhL7Pkrp5AYRcGsTa0koqfLNZip5KjwVpA1S", - "otherinfo": "\uFFFD\\x0017\\x0019\uFFFD`\u0151ld\\x000cU\uFFFD/\uFFFD\u4B9E@a\\x0017\\x0006\uFFFD6\uFFFD\uFFFD\uFFFD\uFFFD,\uFFFDb\uFFFD\uFFFD\uFFFD\uFFFDZ@\uFFFD" + "evidence": "BJf5QdJwusNdo6kBFRI3Q0XCjvG9XHaMTo3P7E8iV9eT9GP2XLkwvO", + "otherinfo": "\\x0004\uFFFD\uFFFDA\uFFFDp\uFFFD\uFFFD]\uFFFD\uFFFD\\x0001\\x0015\\x00127CE\u008E\uFFFD\\v\uFFFDN\uFFFD\uFFFD\uFFFDO\"W\u05D3\uFFFDc\uFFFD\\\uFFFD0\uFFFD" }, { "uri": "https://deces.matchid.io/css/matchid.min.css", "method": "GET", "param": "", "attack": "", - "evidence": "2FeYjNf8uinrW7pGHu9F0fptkKcfrqQVMUREFx3KiLVE7ZejkK0hY7leNizFIa26UlodFaV8sj9", - "otherinfo": "\uFFFDW\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD)\uFFFD[\uFFFDF\\x001e\uFFFDE\uFFFD\uFFFDm\uFFFD\uFFFD\\x001f\uFFFD\uFFFD\\x00151DD\\x0017\\x001d\u0288\uFFFDD\uD5E3\uFFFD\uFFFD!c\uFFFD^6,\uFFFD!\uFFFD\uFFFDRZ\\x001d\\x0015\uFFFD|\uFFFD?" 
+ "evidence": "2BBwby0ZrZDCYGeUMC0RrXRPy3bqGQbNf7pz", + "otherinfo": "\uFFFD\\x0010po-\\x0019\uFFFD\uFFFD\uFFFD`g\uFFFD0-\\x0011\uFFFDtO\uFFFDv\uFFFD\\x0019\\x0006\uFFFD\uFFFDs" }, { "uri": "https://deces.matchid.io/favicon-apple.png", "method": "GET", "param": "", "attack": "", - "evidence": "2F5vSJomJ2aAS3DJb1wG10eIAd7WaOfjWi9xRQ2f", - "otherinfo": "\uFFFD^oH\uFFFD&'f\uFFFDKp\uFFFDo\\\\x0006\uFFFDG\uFFFD\\x0001\uFFFD\uFFFDh\uFFFD\uFFFDZ/qE\r\uFFFD" + "evidence": "2FC0JShVLXYqm8Qi8Unm5lkMmD4eUhC2x73raI8JJrZJ", + "otherinfo": "\uFFFDP\uFFFD%(U-v*\uFFFD\uFFFD\"\uFFFDI\uFFFD\uFFFDY\\x000c\uFFFD>\\x001eR\\x0010\uFFFD\u01FD\uFFFDh\uFFFD\t&\uFFFDI" + }, + { + "uri": "https://deces.matchid.io/favicon.svg", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2B9T4ZzohszDpFbgZR8s1VNrwjvyDWY1", + "otherinfo": "\uFFFD\\x001fS\uFFFD\uFFFD\uFFFD\u00E4V\uFFFDe\\x001f,\uFFFDSk\uFFFD;\uFFFD\rf5" }, { "uri": "https://deces.matchid.io/js/matchid.min.js", "method": "GET", "param": "", "attack": "", - "evidence": "2B8YzDqghVvdopIemXS3YiU1qjEYO0RVf0BhONsChKeiek6Rt89Z2N8md3cJSAxZurXevMYYKgIfAFUaqpBLHylwWht", - "otherinfo": "\uFFFD\\x001f\\x0018\uFFFD:\uFFFD\uFFFD[\u0762\uFFFD\\x001e\uFFFDt\uFFFDb%5\uFFFD1\\x0018;DU@a8\uFFFD\\x0002\uFFFD\uFFFD\uFFFDzN\uFFFD\uFFFD\uFFFDY\uFFFD\uFFFD&ww\tH\\x000cY\uFFFD\uFFFD\u07BC\uFFFD\\x0018*\\x0002\\x001f\\x0000U\\x001a\uFFFD\uFFFDK\\x001f)pZ\\x001b" + "evidence": "2BILW4FolkJMWdqD6iqXuIOTnWUcU77HTZSh1sxOkU0W", + "otherinfo": "\uFFFD\\x0012\\x000b[\uFFFDh\uFFFDBLY\u0683\uFFFD*\uFFFD\uFFFD\uFFFD\uFFFD\uFFFDe\\x001cS\uFFFD\uFFFDM\uFFFD\uFFFD\uFFFD\uFFFDN\uFFFDM\\x0016" + }, + { + "uri": "https://deces.matchid.io/manifest.json", + "method": "GET", + "param": "", + "attack": "", + "evidence": "mJWTywfi26twQMcdMdYdJvapVLebgY", + "otherinfo": "\uFFFD\uFFFD\uFFFD\uFFFD\\x0007\uFFFD\u06EBp@\uFFFD\\x001d1\uFFFD\\x001d&\uFFFD\uFFFDT\uFFFD\uFFFD\uFFFD" }, { "uri": "https://deces.matchid.io/sitemap.xml", "method": "GET", "param": "", "attack": "", - 
"evidence": "Tj96Owom9lS9XAIldxSBay5iUpHMbnonVcvzMOACUsdt4qW0BKcPbKDfSdG", - "otherinfo": "N?z;\n&\uFFFDT\uFFFD\\\\x0002%w\\x0014\uFFFDk.bR\uFFFD\uFFFDnz'U\uFFFD\uFFFD0\uFFFD\\x0002R\uFFFDm\u2974\\x0004\uFFFD\\x000fl\uFFFD\uFFFDI\uFFFD" + "evidence": "2Bg7Gy1g1BFhPMolG0OgC9Y0kSZzpeBH6bJQg5L", + "otherinfo": "\uFFFD\\x0018;\\x001b-`\uFFFD\\x0011a<\uFFFD%\\x001bC\uFFFD\\x000b\uFFFD4\uFFFD&s\uFFFD\uFFFDG\uFFFDP\uFFFD\uFFFD" } ], - "count": "9", + "count": "12", "solution": "Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities. ", - "otherinfo": "\uFFFDP\uFFFDl\u072B\uFFFDa\uFFFDG5[\uFFFDT\uFFFD]o\\x0012\uFFFD^\\x001b\uFFFD\uFFFD\\x001f\uFFFDJi\uFFFD1^\uFFFD\uFFFD.\uFFFD ", + "otherinfo": "\uFFFD\\x0015\\x0012F\uFFFD\\x00180\uFFFD\uFFFD\uFFFD4\\x000b\uFFFDU\u0526b^bV\u0395\uFFFD ", "reference": "https://projects.webappsec.org/w/page/13246936/Information%20Leakage ", "cweid": "200", "wascid": "13", @@ -413,7 +469,7 @@ "reference": "", "cweid": "200", "wascid": "13", - "sourceid": "20" + "sourceid": "23" }, { "pluginid": "10109", @@ -430,7 +486,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." }, { @@ -438,7 +494,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." }, { @@ -446,7 +502,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." }, { 
@@ -454,7 +510,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." } ], @@ -464,7 +520,7 @@ "reference": "", "cweid": "-1", "wascid": "-1", - "sourceid": "1" + "sourceid": "8" }, { "pluginid": "10015", @@ -500,14 +556,6 @@ "evidence": "", "otherinfo": "" }, - { - "uri": "https://deces.matchid.io/robots.txt", - "method": "GET", - "param": "cache-control", - "attack": "", - "evidence": "max-age=86400", - "otherinfo": "" - }, { "uri": "https://deces.matchid.io/sitemap.xml", "method": "GET", @@ -517,7 +565,7 @@ "otherinfo": "" } ], - "count": "5", + "count": "4", "solution": "For secure content, ensure the cache-control HTTP header is set with \"no-cache, no-store, must-revalidate\". If an asset should be cached consider setting the directives \"public, max-age, immutable\". ", "otherinfo": "", "reference": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control https://grayduck.mn/2021/09/13/cache-control-recommendations/ ", @@ -540,7 +588,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 153", + "evidence": "Age: 1321", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." }, { @@ -548,7 +596,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 153", + "evidence": "Age: 1322", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." }, { @@ -556,7 +604,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 13", + "evidence": "Age: 139", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." }, { 
@@ -564,7 +612,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 3959", + "evidence": "Age: 1324", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." }, { @@ -572,7 +620,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 12", + "evidence": "Age: 1323", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." }, { @@ -580,17 +628,25 @@ "method": "GET", "param": "", "attack": "", - "evidence": "Age: 3959", + "evidence": "Age: 139", + "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." + }, + { + "uri": "https://deces.matchid.io/robots.txt", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Age: 140", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use." } ], - "count": "6", + "count": "7", "solution": "Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user: Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Expires: 0 This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. ", "otherinfo": "The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use. ", "reference": "https://tools.ietf.org/html/rfc7234 https://tools.ietf.org/html/rfc7231 https://www.rfc-editor.org/rfc/rfc9110.html ", "cweid": "-1", "wascid": "-1", - "sourceid": "29" + "sourceid": "30" }, { "pluginid": "90005", 
@@ -611,7 +667,7 @@ "otherinfo": "" }, { - "uri": "https://deces.matchid.io/favicon-apple.png", + "uri": "https://deces.matchid.io/favicon.svg", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -654,7 +710,7 @@ "otherinfo": "" }, { - "uri": "https://deces.matchid.io/favicon-apple.png", + "uri": "https://deces.matchid.io/favicon.svg", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -697,7 +753,7 @@ "otherinfo": "" }, { - "uri": "https://deces.matchid.io/favicon-apple.png", + "uri": "https://deces.matchid.io/favicon.svg", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -740,7 +796,7 @@ "otherinfo": "" }, { - "uri": "https://deces.matchid.io/favicon-apple.png", + "uri": "https://deces.matchid.io/favicon.svg", "method": "GET", "param": "Sec-Fetch-User", "attack": "", |
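Review bot: four hunks in the JSON half change only sourceid (25 to 28, 20 to 23 twice, 1 to 8), and a fifth changes it inside the Age hunk (29 to 30); sourceid is the scanner's per-run message identifier, not a property of the target, so these hunks add noise to every committed report. Suggest stripping sourceid (and any other run-specific fields) from the JSON before committing so that a diff of the report only shows findings that actually changed.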
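Review bot: the four 'Modern Web Application' hunks (@@ -430, -438, -446, -454) each show a - line and a + line that read identically ("evidence": ""), so as presented they carry no visible change; the markdown half shows the real difference is the rewritten type attribute on the /js/matchid.min.js script tag. Either way the informational finding itself is unchanged, and this is another field whose per-run value should not drive a report diff.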