The security hints offer insights into a site's security issues. Keeping an eye on them may prevent problems with privacy and with the site's appearance in browsers. Solving security-related issues helps to build trust and can lead to higher user interaction.
This hints section lets you identify such security issues.
Example: Audisto Security Check with the security hint reports for the current crawl
Here is the list of all specific hints related to website security that the Audisto Crawler can identify.
An anchor's href contains a user name and password, like http://user:password@example.com. This is usually unintended; Internet Explorer (as of version 10) does not support such URLs, and current browsers strip or block embedded credentials in most contexts.
This hint points out a serious security issue. Login data should not be linked to directly on a website: anything published in a link can be crawled with malicious intent and abused later on, and the credentials are visible to anyone who views the page source or hovers over the link.
If instances of this hint are discovered, we suggest removing all links containing login data from your website. Treat the exposed credentials as compromised and rotate them.
An anchor's href uses the data: protocol. This report detects all documents on the crawled website that contain links using the data: protocol. Because a data: URL can carry arbitrary HTML and is a well-known phishing vector, modern browsers block page-initiated top-level navigation to most data: URLs, so such links are often broken for visitors anyway.
<a href="data:image/png;base64,(...base64-encoded png data...)"></a>
Evaluate every case in which a link uses the data: protocol on the crawled website and decide whether it has to be replaced.
An anchor's href uses the file: protocol, which opens files on the user's own computer.
The file: protocol references local files. On a public website such a link points to a file on the visitor's machine, not on the server, so it cannot work as intended; browsers also refuse to follow file: links from http(s) pages, which leads to unexpected issues with user experience.
We suggest removing all references using the file: protocol from your website.
The form resides on an HTTP URL but posts to an HTTPS URL. Use this report to identify all URLs within the website which contain forms that submit data from an HTTP resource to an HTTPS resource using the POST method.
http://example.com/form.html posts to https://example.com/form_submit.php
Example form markup
<form action="https://example.com/form_submit.php" method="POST"> ... </form>
A form action that uses HTTPS indicates that the entered data should be transferred over a secured channel. However, even though the data itself would be sent encrypted, this is still a security issue: if the page containing the form is delivered over plain HTTP, a man-in-the-middle attacker can rewrite the form before the data is posted, for example by changing the action attribute or injecting a script that copies the input, so the user ends up sending the data to the attacker without noticing.
Deliver all forms over HTTPS, i.e. the page containing the form must itself be served over HTTPS.
The form resides on an HTTPS URL but submits to an HTTP URL using the GET method. Use this report to identify all URLs on the crawled website which contain forms that use the GET method to submit from HTTPS to HTTP.
Form included in https://example.com/
<form action="http://example.com/form-submit.php" method="GET"> ... </form>
In this situation the data is transferred over an unsecured connection to the form action URL, and the response is also sent unsecured. Because the GET method is used, the form input becomes part of the URL and is openly visible to anyone who can see that URL: it is written to browser history and to server and proxy logs, and can leak through the Referer header of the resulting page. GET responses are also cacheable, which allows the data to be cached on third-party systems. This can be a severe security issue.
To transfer form input safely, deliver the form's target URL over HTTPS as well and switch from the GET method to the POST method.
The form resides on an HTTPS URL but submits to an HTTP URL using the POST method. Use this report to identify all URLs on the crawled website which contain forms that use the POST method to submit from HTTPS to HTTP.
Form included in https://example.com/
<form action="http://example.com/form-submit.php" method="POST"> ... </form>
In this situation the data is transferred over an unsecured connection to the form action URL, and the response is also sent unsecured. This can be a severe security issue. Current browsers flag such forms as well: they mark the input fields as not secure and may interrupt the submission with a warning page.
To transfer form input safely, deliver the form's target URL over HTTPS, too.
If an HTTPS URL includes a resource that is loaded over plain HTTP (mixed content), it is flagged with this hint.
Example code for https://www.example.com/
If this happens, browsers no longer treat the page as secure. Active mixed content (scripts, stylesheets, iframes, XHR/fetch requests) is blocked outright by all modern browsers, because an attacker who can tamper with the plain-HTTP response could run code inside the HTTPS page. Passive mixed content (images, audio, video) is either automatically upgraded to HTTPS or blocked, and where it is still loaded the lock icon in the address bar is downgraded or replaced by a warning.
In documents delivered over HTTPS, only include files that are also loaded via HTTPS (absolute https:// or protocol-relative URLs). As a stop-gap while references are being fixed, the Content-Security-Policy directive upgrade-insecure-requests makes browsers rewrite such http:// references to https:// before fetching them.
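The following script is an added example that is not part of this page and not Audisto's own crawler code. It shows how all of the hints above (credentials in an href, data: and file: links, forms crossing between HTTP and HTTPS in either direction, and mixed content on an HTTPS page) can be detected offline in a single HTML document using only the Python standard library. The page URL, the sample HTML and the hint names are constructed for the example; note that protocol-relative (//host/path) references and data: images on an HTTPS page are correctly not reported as mixed content, and that a <link rel="canonical"> pointing to http:// is not a fetch and therefore not flagged.

```python
"""Detect the security hints described above in one HTML document.

Added example (not Audisto's code). Reports, in source order:
  - anchors whose href carries user:password credentials
  - anchors using the data: or file: scheme
  - forms on an HTTP page that POST to HTTPS
  - forms on an HTTPS page that submit (GET or POST) to HTTP
  - subresources on an HTTPS page fetched over plain HTTP (mixed content)
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute triggers a fetch and therefore counts as mixed content.
# <link> is handled separately because only some rel values cause a fetch.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class SecurityHintParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme  # urlsplit lowercases the scheme
        self.hints = []  # list of (hint_name, offending_url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "a" and "href" in attrs:
            self._check_anchor(attrs["href"])
        elif tag == "form":
            self._check_form(attrs)
        elif tag == "link":
            rel = set(attrs.get("rel", "").lower().split())
            if rel & FETCHING_LINK_RELS and "href" in attrs:
                self._check_subresource(tag, attrs["href"])
        elif tag in SUBRESOURCE_ATTRS and SUBRESOURCE_ATTRS[tag] in attrs:
            self._check_subresource(tag, attrs[SUBRESOURCE_ATTRS[tag]])

    def _check_anchor(self, href):
        # Relative hrefs are resolved against the page; absolute, data: and file: hrefs pass through.
        target = urlsplit(urljoin(self.page_url, href.strip()))
        if target.scheme in ("http", "https") and (target.username or target.password):
            self.hints.append(("credentials_in_href", href))
        elif target.scheme == "data":
            self.hints.append(("data_protocol_href", href))
        elif target.scheme == "file":
            self.hints.append(("file_protocol_href", href))

    def _check_form(self, attrs):
        # HTML treats any method other than post (including a missing one) as GET.
        method = "post" if attrs.get("method", "").strip().lower() == "post" else "get"
        action = urljoin(self.page_url, attrs.get("action", "").strip())  # "" means the page itself
        action_scheme = urlsplit(action).scheme
        if self.page_scheme == "http" and action_scheme == "https" and method == "post":
            self.hints.append(("form_http_page_posts_to_https", action))
        elif self.page_scheme == "https" and action_scheme == "http":
            self.hints.append((f"form_https_page_submits_{method}_to_http", action))

    def _check_subresource(self, tag, url):
        if self.page_scheme != "https":
            return  # mixed content only exists on HTTPS pages
        # Protocol-relative (//host/path) URLs inherit https here and are therefore not mixed content.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.hints.append(("mixed_content", f"<{tag}> {resolved}"))


def find_security_hints(page_url, html):
    """Return the hints found in one document, in source order."""
    parser = SecurityHintParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.hints


# Constructed sample page (hypothetical URL and markup, not captured from a real site).
SAMPLE_PAGE_URL = "https://www.example.com/account/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/account/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://user:password@example.com/">admin</a>
<a href="data:text/html,%3Ch1%3ESign%20in%3C%2Fh1%3E">open</a>
<a href="file:///C:/Users/me/report.pdf">report</a>
<form action="http://example.com/form-submit.php" method="GET"></form>
<form action="/search" method="post"></form>
<img src="http://example.com/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

if __name__ == "__main__":
    for name, url in find_security_hints(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{name}: {url}")
```

Running the script against the constructed page reports six hints: the stylesheet and the logo as mixed content, the credential-bearing, data: and file: anchors, and the GET form submitting to HTTP; the canonical link, the protocol-relative script, the same-origin POST form and the data: image are correctly left alone. Pages fetched from a real crawl can be fed in the same way, one document at a time.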