The server roastme.xyz (217.160.0.242) appears to have been located in Germany during our test.
Please note that some sites use CDNs (content delivery networks), in which case the server location might vary depending on the location of the visitor. This tool, Webbkoll, is currently on a server in France.
Insecure connection
roastme.xyz does not use HTTPS by default.
HTTPS encrypts nearly all information sent between a client and a web service. Properly configured, it guarantees three things:
- Confidentiality. The visitor's connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
- Authenticity. The visitor is talking to the "real" website, and not to an impersonator or through a "man-in-the-middle".
- Integrity. The data sent between the visitor and the website has not been tampered with or modified.
A plain HTTP connection can be easily monitored, modified, and impersonated. Every unencrypted HTTP request reveals information about a user's behavior, and the interception and tracking of unencrypted browsing has become commonplace.
The goal of the Internet community is to establish encryption as the norm, and to phase out unencrypted connections. See W3C, IETF, IAB. Also:
- Browsers support HTTP/2, which improves page loading speeds, only over encrypted connections.
- Google Chrome (1, 2) and Mozilla Firefox (1) will mark plain HTTP as affirmatively non-secure and make powerful features impossible to use on non-secure sites.
- Google has begun to favor HTTPS websites in search rankings.
To enable HTTPS on a website, a certificate for the domain needs to be installed on the web server. To get a certificate that browsers will trust, you need one issued by a trusted certificate authority (otherwise a visitor's browser will show a warning).
Let's Encrypt is a non-profit certificate authority (sponsored by Mozilla, EFF, Cisco, Facebook and others) providing free domain-validated (DV) certificates through an easy, automated process.
To get a DV certificate, you only need to prove that you control the domain. To get an Extended Validation (EV) certificate, you must pass a more thorough identity verification process.
There is no difference in encryption between DV and EV certificates, but they are typically displayed differently in browsers. EV certificates generally result in the domain owner's name appearing in the browser URL bar that visitors see.
DV certificates are the most common. Let's Encrypt only issues DV certificates.
Referrers leaked
When you click a link, your browser will typically send the HTTP referer [sic] header to the webserver where the destination webpage is at. The header contains the full URL of the page you came from. This lets sites see where traffic comes from. The header is also sent when external resources (such as images, fonts, JS and CSS) are loaded.
The referrer header is a privacy nightmare, as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.
Let's say you're logged in on Facebook. You visit a page with the URL http://www.some-hospital.com/some-medical-condition. On that page, you click a link to their Facebook page. Your browser then sends `Referer: http://www.some-hospital.com/some-medical-condition` to facebook.com, along with your Facebook cookies, allowing Facebook to associate your identity with that particular page.
The problem is made worse by the fact that many websites load resources like images and scripts from dozens of third-parties, sending referrer information to all of them, with the typical visitor having no idea that this is happening.
Thanks to a fairly recent development, Referrer Policy, it's finally possible for websites to tell browsers to not leak referrers. It lets you specify a policy that's applied to all links clicked, as well as all other requests generated by the page (images, JS, etc.).
A few different policies are offered, such as `origin` (strips everything except the origin) and `origin-when-cross-origin` (sends the full URL with same-origin requests, otherwise stripped to the origin). We recommend `no-referrer`, which kills the referrer header entirely for all requests, no matter the destination; or `same-origin`, which kills the referrer for third-party requests but not for requests to the same origin.
A referrer policy can easily be set with a `<meta>` element in your HTML. Simply include this inside the `<head>` section:
`<meta name="referrer" content="no-referrer">`
While still a work in progress, Referrer Policy is now supported by all major browsers (except Internet Explorer, although it is supported by Edge, the new browser in Windows 10).
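As an added illustration (not part of the Webbkoll report), the following Python models which `Referer` value a browser sends under each policy, using the hospital-to-Facebook example above. It covers all eight policy values defined by the Referrer Policy specification, not only the four named above; the URLs are the constructed ones from the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed URLs from the example above: a hospital page that links
# to the hospital's Facebook page.
HOSPITAL = "http://www.some-hospital.com/some-medical-condition"
FACEBOOK = "https://www.facebook.com/some-hospital"


def _origin(url):
    """scheme://host[:port], with any userinfo dropped."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"


def _stripped(url):
    """Full URL as a browser sends it in Referer: no fragment, no userinfo."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _downgrade(src, dst):
    """True when the request goes from an HTTPS page to a plain-HTTP URL."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy, source_url, dest_url):
    """Return the Referer value sent for a request from source_url to dest_url,
    or None when the browser sends no Referer at all."""
    same = _origin(source_url) == _origin(dest_url)
    down = _downgrade(source_url, dest_url)
    origin = _origin(source_url) + "/"   # an origin-only Referer ends in "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source_url)
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if down else origin
    if policy == "same-origin":
        return _stripped(source_url) if same else None
    if policy == "origin-when-cross-origin":
        return _stripped(source_url) if same else origin
    if policy == "strict-origin-when-cross-origin":
        return _stripped(source_url) if same else (None if down else origin)
    if policy in ("no-referrer-when-downgrade", ""):  # "" = legacy default
        return None if down else _stripped(source_url)
    raise ValueError(f"unknown referrer policy: {policy!r}")
```

Running `referer_for(p, HOSPITAL, FACEBOOK)` for each policy shows that only `no-referrer` and `same-origin` keep the medical URL away from facebook.com entirely, while `origin` still reveals that the visitor came from the hospital's site.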
Third-party services
The site is using Google Analytics. While this is a powerful tool, we think you should respect your users' privacy and not tell Google about them, at least not without your users' consent.
Matomo (formerly Piwik) is an excellent alternative. It's free software (PHP & MySQL) and you run it on your own server, meaning you are in control of the data. It offers various privacy settings and, unlike Google Analytics, it can be used without cookies. (While analytics might be considered essential by some websites, another alternative is to simply not track people just because you can. Visitors do not, in fact, have an implicit obligation to help you optimize things.)
First-party cookies
9 first-party cookies.
Domain | Name | Value | Expires on |
---|---|---|---|
.roastme.xyz | _gat_gtag_UA_125015920_1 | 1 | 2018-09-27 11:31:10Z |
.roastme.xyz | _ga | GA1.2.262052316.1538... | 2020-09-26 11:30:10Z |
.roastme.xyz | __stripe_sid | f924fa22-005b-41ca-9... | 2018-09-27 12:00:10Z |
.roastme.xyz | _gid | GA1.2.886018293.1538... | 2018-09-28 11:30:10Z |
.roastme.xyz | __stripe_mid | 972a1065-09a9-4674-b... | 2019-09-27 11:30:10Z |
roastme.xyz | XSRF-TOKEN | eyJpdiI6ImVhT3FjRlQ3... | 2018-09-27 13:30:12Z |
roastme.xyz | roastme_session | eyJpdiI6IitDUWZSUFpn... | 2018-09-27 13:30:12Z |
roastme.xyz | PHPSESSID | 6549b7767b1b31578f15... | session |
roastme.xyz | please_change_this_cookie_name | eyJpdiI6Ik8yYng2aUMw... | session |
Third-party cookies
2 third-party cookies.
Domain | Name | Value | Expires on |
---|---|---|---|
.m.stripe.com | m | cd025fbd-8bf9-41fe-8... | 2028-09-24 11:30:13Z |
m.stripe.network | nsr | 1 | session |
Third-party requests
30 requests (30 secure, 0 insecure) to 9 unique hosts.
A third-party request is a request to a domain that's not roastme.xyz or one of its subdomains.
Host | Classification |
---|---|
fonts.gstatic.com | Content (Google) |
js.stripe.com | |
m.stripe.com | |
m.stripe.network | |
pbs.twimg.com | Disconnect (Twitter) |
q.stripe.com | |
stripensrq.global.ssl.fastly.net | |
www.google-analytics.com | Disconnect (Google) |
www.googletagmanager.com | Disconnect (Google) |
We use Disconnect's open source list of trackers to classify hosts.
Full list of third-party requests:
- pbs.twimg.com (https://pbs.twimg.com/profile_images/6513538745869...)
- www.googletagmanager.com (https://www.googletagmanager.com/gtag/js?id=UA-125...)
- js.stripe.com (https://js.stripe.com/v3/)
- fonts.gstatic.com (https://fonts.gstatic.com/s/rubik/v7/iJWHBXyIfDnIV...)
- fonts.gstatic.com (https://fonts.gstatic.com/s/rubik/v7/iJWHBXyIfDnIV...)
- fonts.gstatic.com (https://fonts.gstatic.com/s/rubik/v7/iJWKBXyIfDnIV...)
- js.stripe.com (https://js.stripe.com/v3/controller-018e8338405e0f...)
- js.stripe.com (https://js.stripe.com/v3/elements-inner-card-6dab1...)
- www.google-analytics.com (https://www.google-analytics.com/analytics.js)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/js/shared-4...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/js/controll...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/css/ui-shar...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/js/shared-4...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/js/ui-share...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/js/elements...)
- q.stripe.com (https://q.stripe.com/?event=elements.controller.lo...)
- js.stripe.com (https://js.stripe.com/v3/fingerprinted/data/countr...)
- www.google-analytics.com (https://www.google-analytics.com/r/collect?v=1&_v=...)
- q.stripe.com (https://q.stripe.com/?event=elements.elements&even...)
- q.stripe.com (https://q.stripe.com/?event=elements.fetch_locale&...)
- q.stripe.com (https://q.stripe.com/?event=elements.create&event_...)
- q.stripe.com (https://q.stripe.com/?event=elements.event.load&ev...)
- q.stripe.com (https://q.stripe.com/?event=elements.timings&event...)
- q.stripe.com (https://q.stripe.com/?event=elements.event.ready&e...)
- js.stripe.com (https://js.stripe.com/v2/m/outer.html)
- m.stripe.network (https://m.stripe.network/inner.html)
- m.stripe.com (https://m.stripe.com/4)
- stripensrq.global.ssl.fastly.net (https://stripensrq.global.ssl.fastly.net/s/e)
- stripensrq.global.ssl.fastly.net (https://stripensrq.global.ssl.fastly.net/s/o)
- m.stripe.com (https://m.stripe.com/4)
Content-Security-Policy not enabled
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. It can also help prevent information leakage.
report-uri.io has excellent (free) tools with which you can build or analyze a Content Security Policy.
HTTP headers
Referrer-Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document (or when loading external resources) and should be set by all sites. (It can also be set using a meta element; see above.)
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".
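As an added example (not part of the Webbkoll report or its code), the following Python audits a set of HTTP response headers against the recommendations in this section. The two header sets are constructed for the example: one models a site that, like the one reported above, sends none of the recommended headers; the other models a hardened response. Accepting the `strict-*` Referrer-Policy values alongside the two recommended above is an assumption of the example.

```python
# Recommended headers and the values accepted as "ok".
# None means any non-empty value counts (the header's presence is the point).
RECOMMENDED = {
    "content-security-policy": None,
    "referrer-policy": {"no-referrer", "same-origin",
                        "strict-origin", "strict-origin-when-cross-origin"},
    "strict-transport-security": None,   # checked for max-age= below
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"1; mode=block"},
}

# Constructed response headers, mirroring the "not enabled" findings above.
AUDITED_SITE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "PHPSESSID=constructed-session-id; path=/",
}

# Constructed response headers for a hardened deployment of the same site.
HARDENED_SITE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}


def audit_headers(headers):
    """Return {header: finding} where finding is "ok", "missing" or "weak: <value>".
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    for name, accepted in RECOMMENDED.items():
        value = lower.get(name)
        if not value:
            findings[name] = "missing"
        elif name == "strict-transport-security":
            # HSTS without a max-age directive is ignored by browsers.
            findings[name] = "ok" if "max-age=" in value.lower() else f"weak: {value}"
        elif accepted is None or value.lower() in accepted:
            findings[name] = "ok"
        else:
            findings[name] = f"weak: {value}"
    return findings


if __name__ == "__main__":
    for label, hdrs in (("audited", AUDITED_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_headers(hdrs))
```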