https://civic-portal.demo
Civic Portal is publicly reachable over HTTPS, but several foundational controls are absent or inconsistent. The site would benefit from transport hardening, stronger browser headers, and clearer cookie protections before it would present as security-mature to a stakeholder or procurement team.
Prioritized observations from the passive website security review.
The HTTP endpoint served content directly instead of redirecting to HTTPS, so anyone who types the bare hostname or follows an old http:// link reaches the site over a channel that an on-path attacker can read or alter before the first secure request is ever made.
HSTS (the Strict-Transport-Security header, honored only when received over HTTPS) tells the browser to rewrite future http:// requests for this host to https:// for max-age seconds, so a returning visitor never touches the plaintext endpoint even if they follow an http:// link.
SameSite controls whether the browser attaches a cookie to requests initiated from another site. Lax or Strict keeps the session cookie off cross-site requests, which blunts cross-site request forgery (CSRF); it is defense in depth alongside anti-CSRF tokens, not a replacement for them.
Transport, headers, cookies, and email-auth posture at a glance.
Strict-Transport-Security was not present on the HTTPS response, so browsers are not instructed to keep using HTTPS after the first secure visit.
Two visible cookies lacked one or more of the Secure, HttpOnly, and SameSite attributes. Without Secure a cookie can be sent over the still-open HTTP endpoint; without HttpOnly it is readable by any script injected into the page; without an explicit SameSite value, cross-site behavior depends on each browser's default.
This surface is good enough for a live demo but not for a confident security posture story. HTTPS exists, yet transport controls are incomplete because HTTP remains open, HSTS is absent, and certificate renewal should be monitored closely due to the short remaining lifetime.
What to fix first, next, and later.
Add a permanent redirect from every HTTP request to the equivalent HTTPS URL and verify legacy paths behave consistently.
Once HTTP redirect behavior is stable, send Strict-Transport-Security on HTTPS responses, starting with a short max-age and raising it to at least one year once no HTTP-only path remains; add includeSubDomains only after every subdomain serves HTTPS.
Review application and marketing cookies, then standardize Secure, HttpOnly, and SameSite flags. Session cookies should carry all three; cookies that client-side scripts must read cannot be HttpOnly, so record those as deliberate exceptions rather than leaving them unflagged.
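The checks behind the three findings and remediation steps above, as an added example that is not the report tool's own code: a small passive checker that takes an HTTP response and an HTTPS response and reports whether the redirect, HSTS, and cookie controls pass. The Response objects, cookie names, and URLs under civic-portal.demo are constructed here to mirror the weak state the report describes and the state after the fixes; they were not captured from the live site.

```python
"""Passive checks for HTTP->HTTPS redirect, HSTS, and cookie attributes.

Added example; the sample responses below are constructed, not captured.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the usual floor for a production HSTS max-age


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)       # header name -> value
    set_cookies: list = field(default_factory=list)   # raw Set-Cookie values

    def header(self, name):
        # Header names are case-insensitive, so compare lowercase.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def check_http_redirect(http_resp):
    """The port-80 response must permanently redirect to the same host and path over https."""
    if http_resp.status not in (301, 308):
        return [f"HTTP endpoint answered {http_resp.status} instead of a permanent redirect"]
    loc = http_resp.header("Location") or ""
    target, origin = urlsplit(loc), urlsplit(http_resp.url)
    if target.scheme != "https" or target.netloc != origin.netloc or target.path != origin.path:
        return [f"redirect target {loc!r} is not the HTTPS equivalent of {http_resp.url}"]
    return []


def check_hsts(https_resp):
    """HSTS is only honored on HTTPS responses, so inspect that response for a one-year max-age."""
    value = https_resp.header("Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header absent"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return [f"HSTS max-age missing or malformed in {value!r}"]
    findings = []
    if int(directives["max-age"]) < ONE_YEAR:
        findings.append(f"HSTS max-age {directives['max-age']} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not include subdomains")
    return findings


def _attr_name_value(part):
    name, _, value = part.partition("=")
    return name.strip().lower(), value.strip()


def check_cookies(https_resp):
    """Every Set-Cookie must carry Secure, HttpOnly and an explicit SameSite value."""
    findings = []
    for raw in https_resp.set_cookies:
        name_value, *attr_parts = [p.strip() for p in raw.split(";")]
        name = name_value.split("=", 1)[0]
        attrs = dict(_attr_name_value(p) for p in attr_parts)
        missing = [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
        if missing:
            findings.append(f"cookie {name} is missing {', '.join(missing)}")
        # SameSite=None is only accepted together with Secure; browsers drop the cookie otherwise.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            findings.append(f"cookie {name} uses SameSite=None without Secure, so browsers will drop it")
    return findings


def review(http_resp, https_resp):
    """Run all three checks; an empty list means that control passes."""
    return {
        "http_redirect": check_http_redirect(http_resp),
        "hsts": check_hsts(https_resp),
        "cookies": check_cookies(https_resp),
    }


# Constructed "before" state mirroring the report's findings (not captured from the site).
WEAK_HTTP = Response("http://civic-portal.demo/", 200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response("https://civic-portal.demo/", 200, {"Content-Type": "text/html"},
                      set_cookies=["session=abc123; Path=/",
                                   "_tracking=xyz; Path=/; SameSite=Lax"])

# Constructed "after" state once the three remediation steps are applied.
FIXED_HTTP = Response("http://civic-portal.demo/", 301, {"Location": "https://civic-portal.demo/"})
FIXED_HTTPS = Response("https://civic-portal.demo/", 200,
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                       set_cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
                                    "_tracking=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"])

if __name__ == "__main__":
    print("before:", review(WEAK_HTTP, WEAK_HTTPS))
    print("after: ", review(FIXED_HTTP, FIXED_HTTPS))
```

Two design points worth noting: the redirect check compares the path as well as the scheme and host, because a redirect that collapses every legacy URL onto the home page "works" but breaks old links; and HSTS is read only from the HTTPS response, since browsers ignore the header when it arrives over plain HTTP.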