Privacy Bison

Warnings PrivacyBison publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for PrivacyBison.com

Submit Feedback

Share this page:

Observations based on User Activity File

General Security Checks

Check for SSL/TLS Certificate VulnerabilitiesDoes your Web Application use the appropriate level of SSL/TLS Certificates such as Protocol Version, Cipher Strength? 10.0/10

Check for SSL/TLS Certificate VulnerabilitiesDoes your Web Application use the appropriate level of SSL/TLS Certificates such as Protocol Version, Cipher Strength?

10.0/10

Privacy Checks

Check for PII in API Request CookiesAre there any Personally Identifiable Information in the API Request Cookies? This includes all APIs used by the Web Application. It is best practice to avoid PII information in API Requests, unless it is required. 10.0/10

Check for PII in API Request CookiesAre there any Personally Identifiable Information in the API Request Cookies? This includes all APIs used by the Web Application. It is best practice to avoid PII information in API Requests, unless it is required.

10.0/10

Check for PII in API Request HeadersAre there any Personally Identifiable Information in the API Request Headers? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API Requests, unless it is required. 10.0/10

Check for PII in API Request HeadersAre there any Personally Identifiable Information in the API Request Headers? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API Requests, unless it is required.

10.0/10

Check for PII in API Request QueriesAre there any Personally Identifiable Information in the API GET Requests? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API GET Requests parameters. 10.0/10

Check for PII in API Request QueriesAre there any Personally Identifiable Information in the API GET Requests? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API GET Requests parameters.

10.0/10

Check for PII in API Response Bodies from the Web ApplicationAre there any Personally Identifiable Information in the Body of the API Responses? This includes all API Responses from the Web Application. 10.0/10

Check for PII in API Response Bodies from the Web ApplicationAre there any Personally Identifiable Information in the Body of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in API Cookies from the Web ApplicationAre there any Personally Identifiable Information set in the Cookies of the API Responses? This includes all API Responses from the Web Application. 10.0/10

Check for PII in API Cookies from the Web ApplicationAre there any Personally Identifiable Information set in the Cookies of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in API Response Headers from the Web ApplicationAre there any Personally Identifiable Information set in the Headers of the API Responses? This includes all API Responses from the Web Application. 10.0/10

Check for PII in API Response Headers from the Web ApplicationAre there any Personally Identifiable Information set in the Headers of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in CacheAre there any Personally Identifiable Information in Caches? 10.0/10

Check for PII in CacheAre there any Personally Identifiable Information in Caches?

10.0/10

Check for Data Exfiltration through CookiesDoes your Web Application set Cookies that are Not Secure? Third Party Cookies such as Marketing or Advertisement related? Does it contain any tracking related cookies? 10.0/10

Check for Data Exfiltration through CookiesDoes your Web Application set Cookies that are Not Secure? Third Party Cookies such as Marketing or Advertisement related? Does it contain any tracking related cookies?

10.0/10

Application Security Checks

Check for JSON Web Token (JWT) VulnerabilitiesIf your Web Application uses JWT, does it expose any known vulnerabilities in JWT Claims? 10.0/10

Check for JSON Web Token (JWT) VulnerabilitiesIf your Web Application uses JWT, does it expose any known vulnerabilities in JWT Claims?

10.0/10

Check for HTTP Strict Transport Security in API ResponsesHSTS Header forces HTTPS upon first visit. This is a fairly old header. Modern Applications should redirect HTTP to HTTPS and should handle at the Application or the Gateway layer 10.0/10

Check for HTTP Strict Transport Security in API ResponsesHSTS Header forces HTTPS upon first visit. This is a fairly old header. Modern Applications should redirect HTTP to HTTPS and should handle at the Application or the Gateway layer

10.0/10

Check for Content Security Policy Statements in API ResponsesDoes the Web Application set the right CSP statements for enforcing security? 10.0/10

Check for Content Security Policy Statements in API ResponsesDoes the Web Application set the right CSP statements for enforcing security?

10.0/10

Check for HTTP Public Key Pinning (HPKP) in API ResponsesHPKP is a deprecated feature. Setting this feature can potentially cause disruptions to Web Application Availability 10.0/10

Check for HTTP Public Key Pinning (HPKP) in API ResponsesHPKP is a deprecated feature. Setting this feature can potentially cause disruptions to Web Application Availability

10.0/10

Check for Certificate Transarency in API ResponsesAre the Certificate Transparency Headers properly set for Max-Age, Enforce and Report-URI? Is the Report-URI hosted by a 3rd Party? 10.0/10

Check for Certificate Transarency in API ResponsesAre the Certificate Transparency Headers properly set for Max-Age, Enforce and Report-URI? Is the Report-URI hosted by a 3rd Party?

10.0/10

Verify X-Frame-Option in API Response HeadersX-Frame-Option controls if 3rd party sites can embed. This can potentially be used to avoid Click-Jacking vulnerabilities 10.0/10

Verify X-Frame-Option in API Response HeadersX-Frame-Option controls if 3rd party sites can embed. This can potentially be used to avoid Click-Jacking vulnerabilities

10.0/10

Check for Access Control Header in API Response HeadersDoes the Web Application appropriately set Accesss-Control-Allow-Origin in API Response Headers? 10.0/10

Check for Access Control Header in API Response HeadersDoes the Web Application appropriately set Accesss-Control-Allow-Origin in API Response Headers?

10.0/10

Check for MIME-type Sniffing Opt Out through X-Content-Type-Options HeaderDoes the Web Application appropriately set X-Content-Type-Options in API Response Headers? 10.0/10

Check for MIME-type Sniffing Opt Out through X-Content-Type-Options HeaderDoes the Web Application appropriately set X-Content-Type-Options in API Response Headers?

10.0/10

Check for Referrer Policy in API Response HeadersDoes the Web Application appropriately set Referer-Policy in API Response Headers? 10.0/10

Check for Referrer Policy in API Response HeadersDoes the Web Application appropriately set Referer-Policy in API Response Headers?

10.0/10

Check for E-Tag settings in API Response HeadersE-Tags are used for Concurrency Control. Does your Web Application have weaker tags? 10.0/10

Check for E-Tag settings in API Response HeadersE-Tags are used for Concurrency Control. Does your Web Application have weaker tags?

10.0/10

Check for Javascript Vulnerabilities in Web ApplicationDoes the Web Application, across all the APIs, contain any known Javascript Vulnerabilities? 10.0/10

Check for Javascript Vulnerabilities in Web ApplicationDoes the Web Application, across all the APIs, contain any known Javascript Vulnerabilities?

10.0/10

Verify Session Token in URLs for Cross-Site Request Forgery VulnerabilitiesDoes the Web Application exhibit any Session Token pattern in the GET Requests calls, and if so, Is it vulnerable for Cross Session Attacks? 10.0/10

Verify Session Token in URLs for Cross-Site Request Forgery VulnerabilitiesDoes the Web Application exhibit any Session Token pattern in the GET Requests calls, and if so, Is it vulnerable for Cross Session Attacks?

10.0/10

How we calculate Scoring?

Warnings

Check for SSL/TLS Certificate VulnerabilitiesDoes your Web Application use the appropriate level of SSL/TLS Certificates such as Protocol Version, Cipher Strength?

10.0/10

Check for PII in API Request CookiesAre there any Personally Identifiable Information in the API Request Cookies? This includes all APIs used by the Web Application. It is best practice to avoid PII information in API Requests, unless it is required.

10.0/10

Check for PII in API Request HeadersAre there any Personally Identifiable Information in the API Request Headers? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API Requests, unless it is required.

10.0/10

Check for PII in API Request QueriesAre there any Personally Identifiable Information in the API GET Requests? This includes all APIs used by the Web Application. It is best practice to completely avoid PII information in API GET Requests parameters.

10.0/10

Check for PII in API Response Bodies from the Web ApplicationAre there any Personally Identifiable Information in the Body of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in API Cookies from the Web ApplicationAre there any Personally Identifiable Information set in the Cookies of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in API Response Headers from the Web ApplicationAre there any Personally Identifiable Information set in the Headers of the API Responses? This includes all API Responses from the Web Application.

10.0/10

Check for PII in CacheAre there any Personally Identifiable Information in Caches?

10.0/10

Check for Data Exfiltration through CookiesDoes your Web Application set Cookies that are Not Secure? Third Party Cookies such as Marketing or Advertisement related? Does it contain any tracking related cookies?

10.0/10

Check for JSON Web Token (JWT) VulnerabilitiesIf your Web Application uses JWT, does it expose any known vulnerabilities in JWT Claims?

10.0/10

Check for HTTP Strict Transport Security in API ResponsesHSTS Header forces HTTPS upon first visit. This is a fairly old header. Modern Applications should redirect HTTP to HTTPS and should handle at the Application or the Gateway layer

10.0/10

Check for Content Security Policy Statements in API ResponsesDoes the Web Application set the right CSP statements for enforcing security?

10.0/10

Check for HTTP Public Key Pinning (HPKP) in API ResponsesHPKP is a deprecated feature. Setting this feature can potentially cause disruptions to Web Application Availability

10.0/10

Check for Certificate Transarency in API ResponsesAre the Certificate Transparency Headers properly set for Max-Age, Enforce and Report-URI? Is the Report-URI hosted by a 3rd Party?

10.0/10

Verify X-Frame-Option in API Response HeadersX-Frame-Option controls if 3rd party sites can embed. This can potentially be used to avoid Click-Jacking vulnerabilities

10.0/10

Check for Access Control Header in API Response HeadersDoes the Web Application appropriately set Accesss-Control-Allow-Origin in API Response Headers?

10.0/10

Check for MIME-type Sniffing Opt Out through X-Content-Type-Options HeaderDoes the Web Application appropriately set X-Content-Type-Options in API Response Headers?

10.0/10

Check for Referrer Policy in API Response HeadersDoes the Web Application appropriately set Referer-Policy in API Response Headers?

10.0/10

Check for E-Tag settings in API Response HeadersE-Tags are used for Concurrency Control. Does your Web Application have weaker tags?

10.0/10

Check for Javascript Vulnerabilities in Web ApplicationDoes the Web Application, across all the APIs, contain any known Javascript Vulnerabilities?

10.0/10

Verify Session Token in URLs for Cross-Site Request Forgery VulnerabilitiesDoes the Web Application exhibit any Session Token pattern in the GET Requests calls, and if so, Is it vulnerable for Cross Session Attacks?

10.0/10