HSTS                        ok (max-age=15768000; includeSubDomains; pre)
CSP                         ok (default-src 'self'; script-src 'self' 'u)
X-Frame-Options             ok (SAMEORIGIN)
X-Content-Type-Options      ok (nosniff)
Referrer-Policy             ok (strict-origin-when-cross-origin)
Permissions-Policy          ok (accelerometer=(), camera=(), geolocation)
Cross-Origin-Opener         MISSING

• · low Cross-Origin-Opener-Policy not set
• ✓ ok Referrer-Policy is configured
• ✓ ok X-Frame-Options is configured
• ✓ ok Permissions-Policy is configured
• ✓ ok X-Content-Type-Options is configured
• ✓ ok Content-Security-Policy is configured
• ✓ ok Strict-Transport-Security is configured
• ◐ medium CSP weakness — 'unsafe-inline' in script-src — defeats most XSS protection
• ◐ medium CSP weakness — 'unsafe-eval' in script-src — allows eval() and increases XSS risk
• ◐ medium CSP weakness — no frame-ancestors — clickjacking only protected by X-Frame-Options
• · low No /.well-known/security.txt — researchers cannot find a contact for vulnerability reports

Google Safe Browsing        clean
VirusTotal                  clean
injected scripts            2 detected
malware patterns            2 matches

• ✓ ok Google Safe Browsing — clean
• ✓ ok VirusTotal — clean
• ▲ high Malware pattern detected: Suspicious eval usage ▸ view snippet
• ▲ high Malware pattern detected: Hidden div with suspicious content ▸ view snippet