Security Checks

Auditoro identifies security issues that could affect user trust, trigger browser warnings, or expose your site to attacks.

HTTPS Errors

Severity: Critical

Problems with your site's SSL/TLS configuration that prevent secure connections.

Common issues:

  • Invalid or expired SSL certificate
  • Certificate doesn't match domain
  • Self-signed certificate (not trusted by browsers)
  • Incomplete certificate chain
  • Site not redirecting HTTP to HTTPS

How to fix:

  1. Get a valid certificate:

    • Use Let's Encrypt for free certificates
    • Purchase from a trusted certificate authority
    • Use your hosting provider's SSL feature
  2. Ensure proper installation:

    • Include the full certificate chain
    • Configure your server correctly
    • Test with SSL Labs
  3. Redirect HTTP to HTTPS:

    server {
        listen 80;
        server_name example.com;
        return 301 https://$server_name$request_uri;
    }

Mixed Content

Severity: Caution

Your HTTPS page loads resources (images, scripts, stylesheets) over insecure HTTP. This triggers browser warnings and can break functionality.

Types of mixed content:

  • Passive mixed content - Images, audio, video (warning only)
  • Active mixed content - Scripts, stylesheets, iframes (blocked by browsers)

How to fix:

  1. Update resource URLs to HTTPS:

    <!-- Before -->
    <img src="http://example.com/image.jpg">

    <!-- After -->
    <img src="https://example.com/image.jpg">
  2. Use protocol-relative URLs (less recommended):

    <img src="//example.com/image.jpg">
  3. Use Content-Security-Policy to upgrade insecure requests automatically:

    <meta http-equiv="Content-Security-Policy"
          content="upgrade-insecure-requests">
  4. Check third-party resources:

    • Ensure CDNs and external resources support HTTPS
    • Replace resources that don't support HTTPS

Missing Security Headers

Severity: Caution

Important security headers are missing from your server responses. These headers protect against common web attacks.

X-Content-Type-Options

Prevents browsers from MIME-type sniffing, reducing exposure to drive-by download attacks.

X-Content-Type-Options: nosniff

X-Frame-Options

Prevents your page from being embedded in iframes, protecting against clickjacking.

X-Frame-Options: DENY

Or to allow same-origin:

X-Frame-Options: SAMEORIGIN

Content-Security-Policy (CSP)

Controls which resources can be loaded, mitigating XSS attacks.

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com

Strict-Transport-Security (HSTS)

Forces browsers to use HTTPS for all future requests.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Referrer-Policy

Controls how much referrer information is sent with requests.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features can be used.

Permissions-Policy: geolocation=(), microphone=()

How to Add Security Headers

Nginx:

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache:

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Caddy:

header {
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "strict-origin-when-cross-origin"
}
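The following is an added example, not part of Auditoro or this page: a small Python check that audits a response's headers against the recommendations above (including the one-year HSTS max-age). Both header sets are constructed samples, not captured from a real site.

```python
from typing import Dict, List
MIN_HSTS_MAX_AGE = 31536000  # one year, the max-age recommended above

# Constructed sample responses, not captured from a real site.
GOOD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=()",
}
WEAK_HEADERS = {  # nosniff is fine, everything else is missing or too weak
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self'",
    "Strict-Transport-Security": "max-age=300",
}

def _parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N; includeSubDomains' into {directive: value} (lowercase keys)."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {name.lower(): val.strip() for name, _, val in pairs}

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _parse_hsts(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name.title()} missing")  # e.g. "Referrer-Policy missing"
    return findings
```

Feed it the headers of a real response (for example from `requests`' `response.headers`) to see which of the headers listed above are still missing or set too weakly.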

Security Impact

Security issues affect your site in multiple ways:

  • User trust - Browser warnings scare visitors away
  • SEO rankings - Google prefers secure sites
  • Data protection - Insecure connections expose user data
  • Compliance - Many regulations require HTTPS

Addressing security issues should be a high priority, especially for sites handling user data or transactions.