preimpactco2.osc-fr1.scalingo.io

Le site internet qui vulgarise et valorise les données environnementales de l'ADEME

environ 3 heures

startup

homepage

stagging

fiche beta.gouv.fr

Nmap

Scan Summary :

Scan Summary :

B+

Impact	Description	Documentation
-20	Content Security Policy (CSP) implemented unsafely. This includes `'unsafe-inline'` or `data:` inside `script-src`, overly broad sources such as `https:` inside `object-src` or `script-src`, or not restricting the sources for `object-src` or `script-src`.	Remove `unsafe-inline` and `data:` from `script-src`, overly broad sources from `object-src` and `script-src`, and ensure `object-src` and `script-src` are set.

Scan Summary :

A+

risk	name
High (High)	PII Disclosure
Medium (High)	CSP: Failure to Define Directive with No Fallback
Medium (High)	CSP: Wildcard Directive
Medium (High)	CSP: script-src unsafe-inline
Medium (High)	CSP: style-src unsafe-inline
Medium (High)	Sub Resource Integrity Attribute Missing
Medium (Medium)	Missing Anti-clickjacking Header
Low (Medium)	Insufficient Site Isolation Against Spectre Vulnerability
Low (Medium)	Permissions Policy Header Not Set
Low (Medium)	Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Low (Low)	Timestamp Disclosure - Unix
Informational (High)	Sec-Fetch-Dest Header is Missing
Informational (High)	Sec-Fetch-Mode Header is Missing
Informational (High)	Sec-Fetch-Site Header is Missing
Informational (High)	Sec-Fetch-User Header is Missing
Informational (Medium)	Base64 Disclosure
Informational (Medium)	Modern Web Application
Informational (Medium)	Non-Storable Content
Informational (Medium)	Storable and Cacheable Content
Informational (Medium)	Storable but Non-Cacheable Content
Informational (Low)	Information Disclosure - Suspicious Comments
Informational (Low)	Re-examine Cache-control Directives
Informational (Low)	User Controllable HTML Element Attribute (Potential XSS)

Séverité	Name	Matcher
info	DNS SaaS Service Detection	dns-saas-service-detection
info	CAA Record	caa-fingerprint
info	Allowed Options Method	options-method
info	XSS-Protection Header - Cross-Site Scripting	xss-deprecated-header
info	Wappalyzer Technology Detection	jsdelivr
info	HTTP Missing Security Headers	cross-origin-resource-policy
info	HTTP Missing Security Headers	permissions-policy
info	HTTP Missing Security Headers	x-frame-options
info	HTTP Missing Security Headers	x-permitted-cross-domain-policies
info	HTTP Missing Security Headers	referrer-policy
info	HTTP Missing Security Headers	clear-site-data
info	HTTP Missing Security Headers	cross-origin-embedder-policy
info	HTTP Missing Security Headers	cross-origin-opener-policy
info	robots.txt endpoint prober	robots-txt-endpoint
info	Sitemap Detection	sitemap-detect
info	Detect SSL Certificate Issuer	ssl-issuer
info	SSL DNS Names	ssl-dns-names
info	Wildcard TLS Certificate	wildcard-tls
info	TLS Version - Detect	tls-version
info	TLS Version - Detect	tls-version