OWASP Juice Shop: what we'd send the owner.
We ran our $49 check on OWASP Juice Shop, a working e-commerce app built for security training. It has genuine holes, so we can show you a finished report with nothing redacted. Yours would look exactly like this, just with your site, your URLs, and your own findings.
If you owned this site, here's the email I'd send you.
Your site has working holes. A public directory is spilling files, an internal metrics page is leaking application data, and your app tells any website on the internet it's okay to read responses. We've added deeper SSL diagnostics and CMS verification to our standard scan — they found issues the basic check missed, at no extra cost.
Browse every file in the /ftp directory (including password databases), read internal server metrics to map your app's infrastructure, make cross-origin requests from any malicious website, or exploit unhardened security headers to plant scripts on your pages.
Restrict or remove the /ftp directory. Lock down /metrics to internal access. Change CORS from "*" to your own domain. Add Content-Security-Policy and HSTS headers. Fix the 500 errors on /api and /rest. Enable TLS 1.3.
Critical findings
Fix these first. Any one of them could leak customer data or hand over an account.
Exposed FTP directory listing
Hitting /ftp returns a full file listing with no login. Anyone on the internet can browse it and download password databases (.kdbx), compiled source code (.pyc), backup configs, or business documents. The /robots.txt clue led us straight to it.
options.dotfiles: 'deny'.
Internal Prometheus metrics exposed
The /metrics page leaks internal Prometheus data: 498 server errors logged, file upload counters, memory usage, and internal startup task names like cleanupFtpFolder. We spotted it because the page was 2.6x larger than your normal SPA pages — a technique that catches data leaks standard directory scanners miss.
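The size heuristic that flagged /metrics, written out as an added example (not code from the report or from Juice Shop): build a baseline from the responses that served the SPA shell, then flag any response that is a multiple of that size. The paths and byte counts are constructed for the example, not measured from the target.

```javascript
// Added example: "unusually large response" detector.
// Sample data is constructed: four SPA-shell pages, robots.txt, and a
// /metrics page about 2.6x the shell size.
const sampleResponses = [
  { path: '/', type: 'text/html', bytes: 1900 },
  { path: '/#/login', type: 'text/html', bytes: 1900 },
  { path: '/#/search', type: 'text/html', bytes: 1920 },
  { path: '/#/contact', type: 'text/html', bytes: 1890 },
  { path: '/robots.txt', type: 'text/plain', bytes: 20 },
  { path: '/metrics', type: 'text/plain', bytes: 4940 },
];

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Baseline: median size of the HTML responses, i.e. the SPA shell that a
// single-page app returns for almost every route.
function spaBaseline(responses) {
  const html = responses.filter((r) => r.type === 'text/html').map((r) => r.bytes);
  if (html.length === 0) throw new Error('no SPA shell responses to build a baseline from');
  return median(html);
}

// Every response at least `ratio` times the baseline, with its multiple.
// Only larger-than-normal responses are flagged: that is where leaked
// content (metrics, directory listings, stack traces) shows up.
function sizeOutliers(responses, ratio = 2) {
  const base = spaBaseline(responses);
  return responses
    .filter((r) => r.bytes / base >= ratio)
    .map((r) => ({ path: r.path, type: r.type, multiple: Number((r.bytes / base).toFixed(1)) }));
}

console.log(sizeOutliers(sampleResponses)); // /metrics at 2.6x the shell
```

The ratio of 2 is a starting point; tune it per site by looking at what the SPA shell actually weighs, and review flagged pages by hand, since a large response is a lead, not a finding on its own.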
Wildcard CORS header: Access-Control-Allow-Origin: *
Every response carries a wildcard CORS header, which means any site on the internet can call your API from a user's browser and read the response. An attacker with a malicious page can lift data out of your app in one step.
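The server side of the fix, as an added example (not the report's or Juice Shop's code): an exact-match origin allowlist instead of a wildcard. https://yourdomain.com is the report's placeholder; the www alias and the allowed methods and headers are assumptions for the example.

```javascript
// Added example: replace Access-Control-Allow-Origin: * with an allowlist.
// Assumption: only these two origins host the front end.
const ALLOWED_ORIGINS = new Set([
  'https://yourdomain.com',
  'https://www.yourdomain.com',
]);

// CORS headers for a request carrying `origin`. Comparison is exact set
// membership: no prefix, suffix or regex matching, which is how lookalike
// origins slip past allowlists. An unknown or absent Origin gets no
// Access-Control-Allow-Origin at all, so the browser blocks the read.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' }; // caches must not serve one origin's answer to another
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Status and headers for a request. Preflights (OPTIONS) are answered with
// no body; for other methods the caller merges these headers into its reply.
function corsResponse(method, origin) {
  const headers = corsHeadersFor(origin);
  if (method === 'OPTIONS') {
    if (headers['Access-Control-Allow-Origin']) {
      headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
      headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
      headers['Access-Control-Max-Age'] = '600';
    }
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Constructed sample origins: the real front end, a lookalike, and a
// same-origin request (no Origin header at all).
for (const origin of ['https://yourdomain.com', 'https://yourdomain.com.example', undefined]) {
  console.log(origin, corsResponse('GET', origin).headers);
}
```

If the API relies on cookies, the allowlisted response also needs Access-Control-Allow-Credentials: true; that header is never valid together with a wildcard origin, which is one more reason the allowlist has to name origins explicitly.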
Swap * for your actual domain(s). Example: Access-Control-Allow-Origin: https://yourdomain.com
High-severity findings
Fix these soon. They don't break the site on their own, but they make every other attack easier.
No Content-Security-Policy header
There's no CSP set. If a script ever slips in through a customer review, a product description, or a compromised dependency, the browser has nothing telling it to refuse.
default-src 'self'; script-src 'self' https://unpkg.com; style-src 'self' fonts.googleapis.com
API endpoints returning internal server errors
The /api and /rest routes return HTTP 500 errors. These are live backend endpoints that are broken — they could leak stack traces or database errors that help attackers map your infrastructure.
Medium-severity findings
Not on fire, but worth tidying up before you ship anything new.
TLS 1.3 downgraded, missing HSTS and HTTP/2
We ran deeper SSL diagnostics alongside the basic scan. They found that TLS 1.3 isn't just disabled — the server is downgrading connections to TLS 1.2. No HSTS header is set, and HTTP/2 isn't available. The basic scan only reported "TLS 1.3 disabled" — the deeper check caught the actual downgrade happening.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Enable HTTP/2 if your infrastructure supports it.
Not running WordPress — CMS check confirmed
We added a CMS detection check to our standard scan. It confirmed the site isn't WordPress, so we can drop an entire class of WordPress-specific vulnerabilities from the threat model. One less thing to worry about.
A few security headers are missing
Referrer-Policy, Permissions-Policy, and X-Content-Type-Options aren't set. Small headers, easy wins. They add another layer if something else slips through.
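A checker for the header findings in this report (the missing CSP, the HSTS value, the three smaller headers, and the wildcard CORS header), as an added example rather than the scanner's own code. The recommended values are the ones the report gives; the two sample header sets are constructed, the first mirroring the findings and the second the fixes.

```javascript
// Added example: audit one response's headers against the report's checklist.
const ONE_YEAR = 31536000;

// Each check: header name, plus a function returning null if the value is
// acceptable or a short reason string if it is weak.
const CHECKS = [
  ['Content-Security-Policy', (v) => (/\bdefault-src\b/.test(v) ? null : 'no default-src fallback')],
  ['Strict-Transport-Security', (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m && Number(m[1]) >= ONE_YEAR ? null : 'max-age shorter than one year';
  }],
  ['X-Content-Type-Options', (v) => (v.trim().toLowerCase() === 'nosniff' ? null : 'should be nosniff')],
  ['Referrer-Policy', (v) => (/unsafe-url/i.test(v) ? 'unsafe-url sends full URLs to other sites' : null)],
  ['Permissions-Policy', () => null],
  ['Access-Control-Allow-Origin', (v) => (v.trim() === '*' ? 'wildcard lets any site read responses' : null)],
];

// `headers` is a plain object, as Node's http module exposes response headers.
// Names are matched case-insensitively. A missing CORS header is the safe
// default, so it is never reported as missing.
function auditHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const missing = [];
  const weak = [];
  for (const [name, check] of CHECKS) {
    const value = lower[name.toLowerCase()];
    if (value === undefined) {
      if (name !== 'Access-Control-Allow-Origin') missing.push(name);
      continue;
    }
    const reason = check(value);
    if (reason) weak.push({ header: name, reason });
  }
  return { missing, weak };
}

// Constructed sample 1: what the scan saw (wildcard CORS, nothing else set).
const scanned = { 'content-type': 'text/html', 'access-control-allow-origin': '*' };

// Constructed sample 2: the report's recommended values applied.
const hardened = {
  'content-type': 'text/html',
  'content-security-policy': "default-src 'self'; script-src 'self' https://unpkg.com; style-src 'self' fonts.googleapis.com",
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=()',
  'access-control-allow-origin': 'https://yourdomain.com',
};

console.log(auditHeaders(scanned));  // five missing, one weak (the wildcard)
console.log(auditHeaders(hardened)); // nothing to report
```

Run it against the headers of a few real responses (the SPA shell, an API route, a static file), since a header set on the HTML page but not on API responses still leaves the API uncovered.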
Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), and X-Content-Type-Options: nosniff
robots.txt is acting as a treasure map
robots.txt blocks /ftp, which has the opposite of the intended effect: it tells every attacker exactly where to look. Sensitive paths shouldn't be mentioned there at all.
SSL/TLS check
We ran two scans side-by-side. The basic scan looked fine. The deeper one found downgrades.
Want one of these for your site?
This came from an actual scan, not a template. Yours would have the same format with your URLs, your findings, and your fixes. Our full toolset — including deep SSL analysis and CMS verification — is included in the standard $49 package.