/ / d / ncsheriffs.org / web-standards / security
Security · ncsheriffs.org
pillar failed·Required·2 /5 items passing
The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces.
Items
| Item | Status | Backed by | Evidence |
|---|---|---|---|
| Valid TLS certificate | pass | factor 5 | ssl_days_remaining=72.95205334490741, not_after=2026-07-10T03:53:22.000Z, source=tls_handshake |
| No exposed sensitive paths | fail | factor 7 | findings={"path":"/wp-admin","status":200}|{"path":"/wp-login.php","status":200}, total_checked=6 |
| DMARC published | fail | factor 1 | present=true, policy=none |
| SPF record present | pass | factor 3 | present=true, raw="v=spf1 ip4:69.167.138.64 ip4:24.172.71.146 ip4:208.1.60.234" "ip4:198.71.204.119 ip4:50.63.196.49 ip4:45.40.165.24" "include:smtproutes.com include:smtpout.com ~all include:_netblocks.mimecast.com ~all" "include:spf.protection.out… |
| No WordPress user enumeration | fail | factor 6 | exposed=true, user_count=0 |
Why each item matters
- Valid TLS certificate · methodology →
Every modern browser will block or warn on an invalid certificate. An expired or self-signed cert breaks the site for ordinary visitors.
- No exposed sensitive paths · methodology →
/.git, /.env, exposed /admin, or readable wp-config.php means credentials and source code are leaking. This is a vulnerability, not a polish issue.
- DMARC published · methodology →
Any DMARC policy (even p=none) shows the operator has thought about email spoofing. The bar cares about presence, not enforcement.
- SPF record present · methodology →
Without SPF, anyone can spoof mail from this domain. Required for any site whose domain is also used for email.
- No WordPress user enumeration · methodology →
When WordPress, the REST API leaking usernames hands attackers half of every credential pair. Strict pass — n/a on non-WP.