Test Program Reference

SSL certificate has expired

Certificate notAfter date is in the past

SSL certificate expires soon (< 14 days)

Certificate notAfter date < 14 days from now

SSL certificate expires soon (< 30 days)

Certificate notAfter date < 30 days from now

Outdated TLS version (TLS 1.0 / 1.1)

TLS handshake negotiates version 1.0 or 1.1

TLS 1.2 in use (1.3 recommended)

Highest negotiated TLS version is 1.2

HSTS max-age is less than 1 year

Strict-Transport-Security max-age < 31536000 seconds

HSTS does not include subdomains

Strict-Transport-Security header lacks includeSubDomains directive

Mixed content detected

Page loaded over HTTPS requests subresources via HTTP

Missing Strict-Transport-Security (HSTS) header

Strict-Transport-Security header absent from HTTP response

Missing Content-Security-Policy (CSP) header

Content-Security-Policy header absent from HTTP response

Weak Content-Security-Policy

CSP contains both unsafe-inline and unsafe-eval in script-src

CSP allows 'unsafe-inline'

CSP script-src directive contains unsafe-inline

Missing X-Frame-Options header

X-Frame-Options header absent; no frame-ancestors in CSP

Missing X-Content-Type-Options header

X-Content-Type-Options: nosniff header is absent

Missing Referrer-Policy header

Referrer-Policy header absent from HTTP response

Missing Permissions-Policy header

Permissions-Policy header absent from HTTP response

CORS reflects any origin with credentials

Access-Control-Allow-Origin reflects request Origin AND Access-Control-Allow-Credentials: true

CORS reflects any origin

Access-Control-Allow-Origin reflects arbitrary Origin header value

CORS wildcard (*) with credentials

Access-Control-Allow-Origin: * coexists with Access-Control-Allow-Credentials: true

CORS allows all origins (wildcard)

Access-Control-Allow-Origin: * without credentials

Exposed .env file

GET /.env returns HTTP 200 with key=value content

Exposed .git directory

GET /.git/HEAD returns HTTP 200 with valid git ref content

Exposed wp-config.php

GET /wp-config.php returns HTTP 200 with PHP content

Exposed .htpasswd file

GET /.htpasswd returns HTTP 200 with htpasswd-format content

Exposed SQL backup

GET /backup.sql (or similar) returns HTTP 200 with SQL content

Exposed phpinfo()

GET /phpinfo.php returns HTTP 200 with phpinfo HTML output

Exposed debug log

GET /debug.log (or similar) returns HTTP 200 with log content

Exposed docker-compose.yml

GET /docker-compose.yml returns HTTP 200 with YAML content

Exposed config.json

GET /config.json returns HTTP 200 with JSON configuration content

Source maps exposed

GET /*.map returns HTTP 200 for a detected JS file's source map

Exposed Apache server-status

GET /server-status returns HTTP 200 with Apache status page

Docker environment detected

GET /.dockerenv returns HTTP 200

WordPress admin panel accessible

GET /wp-admin/login.php returns HTTP 200

security.txt found

N/A — positive finding when /.well-known/security.txt returns HTTP 200

Supabase OpenAPI schema is publicly accessible

GET /rest/v1/ returns HTTP 200 with OpenAPI JSON schema

Many database tables exposed via API

OpenAPI schema exposes more than 10 tables with the anon key

Tables allow write operations via API

OPTIONS /rest/v1/{table} indicates writable methods for anon role

Sensitive tables exposed

OpenAPI schema includes tables named users, profiles, payments, tokens, sessions, or secrets

Tables readable without authentication

GET /rest/v1/{table} with anon key returns rows of data

Sensitive fields exposed in table

Readable table rows contain columns named password, secret, token, api_key, or private_key

Tables allow unauthenticated writes

POST /rest/v1/{table} with anon key returns HTTP 201 (data inserted)

Supabase API key has expired

JWT exp claim in the anon key is before the current timestamp

Supabase API key expires soon

JWT exp claim in the anon key is within 30 days from now

Public storage bucket(s) found

Storage API returns buckets with public: true

Firebase Realtime Database is publicly readable

GET /{db}.json?shallow=true returns HTTP 200 without authentication

Firestore collection is publicly readable

Firestore REST API returns documents without a valid auth token

Firebase Storage allows public file listing

Firebase Storage list endpoint returns file listing without authentication

Firebase API key lacks restrictions

Google Cloud API returns no restrictions for the detected Firebase API key

CVE lookup against NVD and OSV.dev

Detected technology version matches a CVE with CVSS ≥ 7.0 and no fixedIn version installed

Outdated WordPress version detected

Detected WordPress version is not the latest stable release

Exposed API key or credential

Regex match for known credential pattern (AWS AKIA*, sk-*, sk_live_*, ghp_*, etc.) found in HTML or JS

Uncaught JavaScript exception on page load

page.on('pageerror') fires during page load (after filtering third-party noise)

Console errors logged during page load

page.on('console') captures messages of type 'error' during page load (after filtering noise)

Tracking scripts loaded without cookie consent

Tracking network requests (analytics, ads) fire before any user interaction with a consent UI

Cookies set without visible consent mechanism

Set-Cookie response headers detected but no consent banner found in DOM

Cookie consent mechanism detected

N/A — positive finding when consent CMP detected

No Privacy Policy found

No page found at common privacy policy paths and no privacy link detected in page navigation

Multiple third-party services require privacy policy updates

3+ third-party services detected whose domains are not mentioned in privacy policy text

No Impressum / Legal Notice found

No page found at common Impressum paths and no legal notice link detected in page navigation

Third-party service usage requires disclosure

Network requests to known third-party tracker/analytics domains detected and not disclosed in privacy policy

AI-generated images without visible labeling

Image metadata contains AI generation markers but no on-page label is visible

AI-edited images detected

Image XMP/IPTC metadata indicates AI editing tools were used

Images with stock photo copyright

Image EXIF/IPTC copyright field contains stock photo agency name

Images with copyright metadata

Image EXIF/IPTC copyright field is non-empty

C2PA provenance verification

Automated WCAG violation checks (axe-core)

axe-core reports violations with impact level critical or serious

Animations ignore prefers-reduced-motion

Elements have non-zero animation-duration or transition-duration after emulating prefers-reduced-motion: reduce

Images missing alt attribute

img element has no alt attribute and no aria-label or aria-labelledby

Images with empty alt but no role

img has alt="" but no role="presentation" or role="none"

Image-only links without alt text

a element contains only img child with empty or absent alt

SVGs lacking accessible names

svg element has no role, aria-label, aria-labelledby, or child title element

Missing landmark regions

Page DOM lacks main, nav, or header landmark elements

No skip navigation link

No element with skip-to or bypass content pattern found as first focusable element

Missing document language

html element has no lang attribute

Form inputs without labels

input or textarea element has no associated label, aria-label, or aria-labelledby

Elements with positive tabindex

Any element has tabindex attribute with value > 0

aria-hidden on focusable elements

Element has aria-hidden="true" but is focusable via keyboard (no tabindex="-1")

Touch targets too small

Clickable element bounding box is smaller than 44x44px at mobile viewport

Touch target pairs too close together

Two adjacent clickable elements have less than 8px of space between them

Horizontal overflow on mobile

document.documentElement.scrollWidth > window.innerWidth at 375px viewport

Page title validation

title element is absent or length < 10 or > 60 characters

Meta description validation

meta description is absent or length < 70 or > 160 characters

Missing Open Graph tags

og:title or og:description meta property absent

Missing Twitter Card meta tag

twitter:card meta name absent

Missing canonical URL

link[rel=canonical] element absent from page head

Missing lang attribute on <html>

html element has no lang attribute

robots.txt blocks all crawlers

robots.txt contains Disallow: / for User-agent: *

No sitemap reference in robots.txt

robots.txt lacks a Sitemap: directive

Missing robots.txt

GET /robots.txt returns HTTP 404 or non-robots content

Invalid sitemap.xml format

sitemap.xml returns HTTP 200 but XML is malformed or missing required elements

Missing sitemap.xml

GET /sitemap.xml returns HTTP 404 or non-XML content

Page is set to noindex

meta[name=robots] contains noindex or X-Robots-Tag header contains noindex

X-Robots-Tag header blocks indexing

X-Robots-Tag HTTP header contains noindex directive

Missing viewport meta tag

meta[name=viewport] element absent from page head

Viewport disables user scaling

meta[name=viewport] content includes user-scalable=no or maximum-scale=1

Fixed-width layout detected

Layout width is fixed in pixels without responsive breakpoints

Small font sizes detected

Computed font-size of text elements is below 12px at mobile viewport

Phone numbers not linked with tel:

Visible phone number pattern detected on page without a wrapping tel: link

Canonical URL protocol mismatch

link[rel=canonical] href uses http:// while page was loaded over https://

Canonical points to different domain

link[rel=canonical] href hostname does not match current page hostname

www and non-www versions both resolve

Both www and non-www variants return HTTP 200 without redirect

Missing hreflang x-default

link[rel=alternate][hreflang] tags present but none with hreflang=x-default

Missing self-referencing hreflang

hreflang tags present but none matches the current page URL and language

Missing H1 heading

No h1 element found in page DOM

Multiple H1 headings

More than one h1 element found in page DOM

Heading level skip

Heading level increases by more than 1 (e.g., h1 → h3)

No structured data (JSON-LD) found

No script[type=application/ld+json] element found

Invalid JSON-LD structured data

script[type=application/ld+json] content fails JSON.parse()

JSON-LD schema missing required fields

Parsed JSON-LD @type has a known required field (e.g. Article missing headline, author, or datePublished)

Large HTML document (> 500 KB)

HTML document transfer size exceeds 500 KB

Too many scripts (> 20)

More than 20 script requests intercepted during page load

Render-blocking resources

Parser-blocking script or render-blocking CSS detected in head

Non-optimal image formats

More than 30% of images are served as JPEG or PNG instead of WebP/AVIF

CO₂ per page view estimation

Page weight exceeds 1 MB (triggers CO₂ calculation)

Heavy page (> 5 MB)

Total page transfer size exceeds 5 MB

Above-average page weight (3–5 MB)

Total page transfer size is between 3 MB and 5 MB

High request count (> 100 requests)

More than 100 network requests intercepted during page load

No HTTP compression detected

Content-Encoding response header absent for HTML, CSS, and JS resources

Using gzip (brotli recommended)

Content-Encoding: gzip (not br) for text resources

No resource preloading hints

No link[rel=preload] or link[rel=prefetch] elements found

Images in legacy formats

More than 30% of image requests return JPEG or PNG content type

Many font files loaded (> 6)

More than 6 font file requests (woff/woff2/ttf) intercepted during load

Missing font-display: swap

@font-face declarations in CSS lack font-display: swap property

Inline base64 images detected

data:image/... URI found in HTML or CSS with decoded size > 1 KB