Blog
Contact
Sign in
Scan complete
C
74/100
onet.pl
Regressed · −2
Compare
1 critical issue needs immediate attention.
16/16
checks
56
passed
finished
Scan timestamps
Created
Jul 18, 2026, 12:22 AM
Started
Jul 18, 2026, 12:22 AM
Finished
Jul 18, 2026, 12:22 AM
Updated
Jul 18, 2026, 12:22 AM
Export PDF
Re-scan
Findings by severity
72 results
1
Critical
5
High
6
Medium
4
Low
56
Pass
Report coverage
93.09%
1 couldn’t be evaluated · 22 skipped - these limit completeness.
1 error
22 skipped
All
95
Critical
1
High
5
Medium
6
Low
4
Pass
56
Error
1
Skipped
22
Email
82%
Domain Alignment (DMARC)
Learn how it works
Info
4/7 pass
Domain Alignment (DMARC)
DMARC policy quarantines unauthenticated mail
The DMARC policy asks receivers to treat failing mail as suspicious, but does not request full rejection.
Medium
Domain Alignment (DMARC)
DMARC subdomain policy uses quarantine
Subdomains are protected by quarantine, but failing mail is not explicitly rejected.
Medium
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Transport Encryption (SMTP TLS)
Learn how it works
Info
1/5 pass
Transport Encryption (SMTP TLS)
SMTP probe connection failed for one or more MX hosts
The SMTP session could not be established for at least one MX host, so STARTTLS support could not be confirmed for every inbound path.
Doesn’t affect score · lowers coverage
Error
Certificate Binding (DANE)
Learn how it works
Info
1/5 pass
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
Transport Policy (MTA-STS)
Learn how it works
Info
5/6 pass
Transport Policy (MTA-STS)
MTA-STS policy does not enforce TLS
The MTA-STS policy is not in enforce mode and does not protect against SMTP downgrade attacks.
High
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/7 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNS Health (Delegation & Exposure)
Learn how it works
Info
7/8 pass
DNS Health (Delegation & Exposure)
SOA serial does not use the recommended format
The SOA record is otherwise valid, but the serial number does not follow the recommended YYYYMMDDnn date format.
Low
CAA and Certificate Issuance Surface
Learn how it works
Info
1/6 pass
CAA and Certificate Issuance Surface
No CAA record is published
The domain does not publish a CAA record, so any publicly trusted certificate authority may issue certificates for it after standard validation.
Low
TLS
100%
TLS Configuration
Learn how it works
Info
5/6 pass
TLS Configuration
Weak elliptic curve accepted for key exchange
The server negotiates an elliptic curve below 256 bits for at least one ECDHE cipher suite. Weak curves reduce the effective security margin of the key exchange well below modern standards.
High
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
3/4 pass
Disclosure Policy (security.txt)
Expires field is missing, invalid, or expired
The security.txt file does not contain exactly one valid, in-date Expires field with an explicit timezone. The field is either absent, present more than once, not a valid date-time with a timezone offset, or its date is in the past. An expired file should not be used by security researchers.
Medium
HTTP Security Headers
Learn how it works
Info
1/7 pass
HTTP Security Headers
HSTS is not enforced
The site does not send a usable Strict-Transport-Security header, so browsers do not automatically upgrade future requests to HTTPS.
High
HTTP Security Headers
Content-Security-Policy is not enforced
The site does not send an enforced Content-Security-Policy header, leaving no restriction on script execution, framing, or resource loading beyond what other headers provide.
High
HTTP Security Headers
Clickjacking protection is missing
The site does not restrict framing through CSP frame-ancestors or a usable X-Frame-Options value, so it can be embedded in a frame on any origin.
High
HTTP Security Headers
Referrer-Policy is not declared
The site does not send a Referrer-Policy header. Modern browsers default to a reasonably safe behavior, but the site does not explicitly guarantee it.
Medium
HTTP Security Headers
Permissions-Policy is missing or ineffective
The site either does not send a Permissions-Policy header, or the header only lists directives with a wildcard allowlist that does not restrict anything.
Medium
HTTP Security Headers
Deprecated security headers are present
The response sends one or more deprecated headers (X-XSS-Protection, Expect-CT, or Public-Key-Pins) that modern browsers ignore or that carry their own operational risk (HPKP).
Low
Feedback