Security Report Summary
A
Site: | https://server.nonstate.net/ |
---|---|
IP Address: | 65.19.143.6 |
Report Time: | 27 Feb 2021 06:53:49 UTC |
Raw Headers
HTTP/1.1 | 200 OK |
---|---|
Date | Sat, 27 Feb 2021 06:53:49 GMT |
Server | Apache |
Accept-Ranges | bytes |
Content-Length | 31086 |
Connection | keep-alive |
Time-Zone | America/New_York |
Keep-Alive | timeout=100,max=500 |
Accept | text/html, text/css, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8 |
Expires | Mon, 10 Apr 1972 00:00:00 GMT |
Link | <https://server.nonstate.net/index>; rel='canonical' |
Access-Control-Allow-Origin | https://sites.google.com https://*.blogspot.com https://*.google.com https://*.googleapis.com https://*.globcal.net https://feeds.feedburner.com http://feeds.globcal.net https://*.ekobius.org https://*.nonstate.net https://server.nonstate.net |
Access-Control-Allow-Headers | Accept, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DNT, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect-CT, Expires, From, GetProfile, HTTP-date, Host, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location,Lock-Token, MIME-Version, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, Optional, Origin, P3P, PEP, PICS-Label, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options |
Access-Control-Expose-Headers | Accept, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DNT, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect-CT, Expires, From, GetProfile, HTTP-date, Host, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, Optional, Origin, P3P, PEP, PICS-Label, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options |
Access-Control-Allow-Methods | CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK |
DNT | 0 |
Vary | Accept-Encoding,User-Agent |
Access-Control-Allow-Credentials | true |
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
Referrer-Policy | no-referrer-when-downgrade |
Permissions-Policy | geolocation=(self); midi=(); ambient-light-sensor=(); microphone=(); camera=(); accelerometer=(); magnetometer=(); gyroscope=(); speaker=(); notifications=(); push=(); vibrate=(); payment=(); fullscreen=(); animations=(); autoplay=(); vr=(); encrypted-media=(); picture-in-picture=(); usb=(self); sync-xhr=(self) https://server.nonstate.net |
Expect-CT | max-age=86400, report, report-uri='https://globcal.report-uri.com/r/d/ct/reportOnly' |
Expect-Staple | max-age=86400; report, report-uri='https://globcal.report-uri.com/r/d/staple/reportOnly' |
X-Webkit-CSP | default-src 'self'; script-src 'self'; |
X-Content-Type-Options | nosniff |
X-XSS-Protection | 1 |
X-Frame-Options | ALLOW-FROM https://*.globcal.net http://feeds.globcal.net https://feeds.feedburner.com https://*.blogspot.com https://en.wikipedia.org https://docs.google.com https://server.nonstate.net https://www.nonstate.net https://blog.nonstate.net |
X-Blockchain-Server | 5G Semantic Dev Registry\|Blockchain FE/1.0 |
X-Forwarded-Proto | https |
X-Forwarded-Host | 65.19.143.6 |
X-Robots-Tag | all,index,follow |
X-Arena | Noosphere, Offshore, Internet, United Nations, International Theater, Non-State Actor, High-Seas, Global Citizenship, Non-Government, Private-Sector, Public, Trusted, Civil and Social Networks |
X-Blogs | Blogger, Steem, WordPress, Self-Hosted |
X-Co-Op-Domains | globcal.net\|nonstate.net |
X-Jurisdiction | Understood Indigenous Anarchy: Non-State International Cooperative Trust Foundation governing human and natural capital operating under Private International Law; the Hague Convention; Admiralty Law; Civil Law; Law of the Rights of Mother Earth, Bolivia; Rights of Nature, Ecuador; United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP); Universal Declaration of Human Rights; Law of the Sea; Belize International Foundation; Caribbean Community (CARICOM) |
X-NoSpam-Policy | Project HoneyPot, MxToolbox, Google Business, Report-Abuse |
X-Powered-By | Human Hard-Coded Technology: mySQL, PHP/7.1, HTML5, MathML 2.0, xHTML, CSS3, ARIA, SVG 1.1, XML, RSS, Atom, JavaScript, JSON-LD, GitHub, RPM, Blockchain DB, RDFa, Semantic, IoT, OWL-S, WSMO, SADI, Microdata, Schema, OpenGraph, CORS, Skype, Google Cloud, Analytics 360, COMODO SSL |
Pragma | no-cache |
Cache-Control | max-age=0, no-cache, no-store, must-revalidate |
Content-Type | text/html; charset=UTF-8 |
Missing Headers
Content-Security-Policy | Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. |
---|---|
Upcoming Headers
Cross-Origin-Embedder-Policy | Cross-Origin Embedder Policy allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP. |
---|---|
Cross-Origin-Opener-Policy | Cross-Origin Opener Policy allows a site to opt-in to Cross-Origin Isolation in the browser. |
Cross-Origin-Resource-Policy | Cross-Origin Resource Policy allows a resource owner to specify who can load the resource. |
Additional Information
Server | The Server header appears to advertise the software running on the server; you can remove or change this value. |
---|---|
Access-Control-Allow-Origin | The Access-Control-Allow-Origin header is used to configure CORS. |
Strict-Transport-Security | HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. |
Referrer-Policy | Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. |
Permissions-Policy | Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. |
Expect-CT | Expect-CT allows a site to determine whether it is ready for the upcoming Chrome requirements and/or to enforce its CT policy. |
X-Webkit-CSP | X-Webkit-CSP is required for CSP support in older Chrome, Safari and other Webkit based browsers. For other modern browsers the Content-Security-Policy header should be used. |
X-Content-Type-Options | X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff". |
X-XSS-Protection | X-XSS-Protection sets the configuration for the XSS Auditor built into older browsers. The recommended value was "X-XSS-Protection: 1; mode=block" but you should now look at Content Security Policy instead. |
X-Frame-Options | X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. |
X-Powered-By | X-Powered-By can usually be seen with values like "PHP/5.5.9-1ubuntu4.5" or "ASP.NET". Trying to minimise the amount of information you give out about your server is a good idea. This header should be removed or the value changed. |