SECURITY AUDIT · MAY 20, 2026
Threat model
12 passive recon checks; no active exploitation. 742 ms.
vectory.space
🛡️ Findings (12 total)
🔴 CRITICAL
DMARC record missing
Without DMARC, even SPF-failing emails reach inboxes, so attackers can still phish your customers. Email spoofing is the #1 vector for B2C phishing scams that hit trade businesses.
Fix: Add a TXT record at _dmarc.vectory.space: "v=DMARC1; p=quarantine; rua=mailto:postmaster@vectory.space" (start with p=quarantine, move to p=reject after 30 days).
🔴 CRITICAL
8 sensitive path(s) publicly accessible
Found: /.env, /.git/HEAD, /wp-admin/install.php, /config.php, /phpinfo.php, /server-status, /.aws/credentials, /backup.zip. These can leak API keys, source code, or admin credentials.
Fix: Configure nginx/Apache to deny access to dotfiles and known sensitive paths. Move secrets out of webroot.
🔵 MEDIUM
Content-Security-Policy header missing
No CSP means injected scripts can run from any origin; XSS attacks succeed if any input is mis-escaped.
Fix: Start with a permissive CSP: `Content-Security-Policy: default-src 'self' https:; script-src 'self' https: 'unsafe-inline';`
🔵 MEDIUM
X-Frame-Options header missing
Without X-Frame-Options, your site can be embedded in an iframe and used for clickjacking attacks.
Fix: Add response header: `X-Frame-Options: SAMEORIGIN`
🔵 MEDIUM
X-Content-Type-Options header missing
Without this header, browsers may execute uploaded files as JavaScript via MIME-sniffing.
Fix: Add response header: `X-Content-Type-Options: nosniff`
🔵 MEDIUM
Referrer-Policy header missing
Default browser behavior leaks full URLs (including form data) to external sites you link to.
Fix: Add response header: `Referrer-Policy: strict-origin-when-cross-origin`
🔵 MEDIUM
DKIM record not found at common selectors
Tried selectors: default, google, selector1, k1, mailo, smtpapi. DKIM signs outgoing emails so receivers can verify they're really from you. Without DKIM, your bulk emails (invoices, quotes) hit spam more often.
Fix: Enable DKIM in your email provider's dashboard (Google Workspace, Microsoft 365, Mailgun, etc.). Add the published TXT record to DNS.
INFO
Strict-Transport-Security configured
Value: "max-age=31536000; includeSubDomains; preload"
INFO
Permissions-Policy header missing
Modern replacement for Feature-Policy. Locks down camera/microphone/geolocation/USB access.
Fix: Add response header: `Permissions-Policy: geolocation=(), microphone=(), camera=()`
INFO
SPF configured
Record: v=spf1 include:spf.efwd.registrar-servers.com ~all
INFO
SSL valid (35d to expiry)
Cert valid until Jun 25 08:45:49 2026 GMT.
INFO
Subdomain enum skipped (deep=False)
Need help applying these fixes?
Enterprise tier includes a 30-min security walkthrough with founder + nginx/Apache config snippets for your stack. Or apply our recommendations yourself; all 12 checks include exact fix instructions above.