SPAT CLI
| Finding | Category | Severity | Description | Remediation | |
|---|---|---|---|---|---|
| ✔ | DNS Resolution | DNS | INFO | Resolved to 104.20.23.154, 172.66.147.243 | — |
| ✔ | TLS Certificate Valid | TLS/SSL | INFO | Valid for 64 days. CN=example.com, Issuer=CLOUDFLARE, INC. | — |
| ✔ | Strong TLS Protocols | TLS/SSL | INFO | Modern TLS supported: TLSv1.2, TLSv1.3 | — |
| ✔ | Forward Secrecy Supported | TLS/SSL - Ciphers | INFO | Forward secrecy confirmed. TLS 1.3 guarantees ephemeral key exchange | — |
| ✔ | No Weak Cipher Suites | TLS/SSL - Ciphers | INFO | Server rejected RC4, 3DES, NULL, and EXPORT cipher suites. | — |
| ✘ | Missing Security Headers | HTTP Security | MEDIUM | Missing: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy | Add missing headers to your web server or application config. |
| ⚠ | Server Version Disclosure | HTTP Security | LOW | Server is leaking version information. | Remove or genericize Server and X-Powered-By headers. |
| ✘ | No HTTP→HTTPS Redirect | HTTP Security | HIGH | Site is accessible over plain HTTP without redirect. | Add a 301 redirect from HTTP to HTTPS. |
| ℹ | No Cookies Set | Cookie Security | INFO | No Set-Cookie headers found on the home page. | — |
| ✔ | CORS Not Enabled | CORS | INFO | No Access-Control-Allow-Origin header — CORS requests blocked by default. | — |
| ✔ | MX Records Present | Email Security | INFO | Found 1 MX record(s) for example.com. | — |
| ✔ | SPF Policy: hard fail (-all) | Email Security | INFO | SPF record found. Policy: hard fail (-all) | Use "-all" (hard fail) instead of "~all" or weaker. |
| ✔ | DMARC Policy: reject | Email Security | INFO | DMARC policy=reject — full enforcement. Subdomain policy: reject | Set p=reject and sp=reject. Add rua= for aggregate reports. |
| ✔ | DKIM Key Found | Email Security | INFO | DKIM public key found for selector(s): default, google, selector1, selector2, k1, dkim, mail, smtp, s1, s2 | — |
| ⚠ | DNSSEC Not Configured | DNSSEC | MEDIUM | No DNSSEC records detected. DNS responses can be spoofed (DNS cache poisoning). | Enable DNSSEC signing at your DNS registrar/provider and add DS records. |
| ⚠ | Non-Standard Ports Open | Network | MEDIUM | Open: 8443/HTTPS-Alt, 8080/HTTP-Alt | Review if these ports need to be publicly accessible. |
| ⚠ | robots.txt Missing | Web | LOW | No robots.txt found. | Add a robots.txt to control crawler access. |
| ✔ | VirusTotal: Clean | Threat Intelligence | INFO | No malicious detections. 63 vendors marked clean, 0 malicious, 0 suspicious. | — |
| ℹ | URLhaus Lookup Failed | Threat Intelligence | INFO | URLhaus malware check could not be completed. | — |
| ℹ | SSH Port 22 Closed | SSH | INFO | No SSH service detected on port 22. | — |