Question 1

How do I check if my website has security headers?

Accepted Answer

Paste your website URL into Flux8Shield and hit scan. It checks all major HTTP security headers — HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options, and more — and shows which are missing with exact fix instructions.

Question 2

How do I test if my website is vulnerable to clickjacking?

Accepted Answer

Flux8Shield checks for the X-Frame-Options and Content-Security-Policy frame-ancestors directive. If neither is set, your site can be embedded in an iframe on any domain, enabling clickjacking attacks. The scan result shows the exact header to add.

Question 3

How can I tell if my .env file is publicly exposed?

Accepted Answer

Flux8Shield probes for exposed sensitive files including .env, .git/config, wp-config.php, phpinfo.php, and .htaccess. It uses a passive HEAD request and verifies the response is not an HTML fallback page, so you get no false positives.

Question 4

What is a CORS misconfiguration and how do I detect it?

Accepted Answer

A CORS misconfiguration happens when a server allows cross-origin requests from any domain (wildcard) or reflects the Origin header back unchecked. Flux8Shield sends a test request with a fake origin and checks if it is echoed back — one of the most dangerous CORS attack vectors.

Question 5

Is it safe to scan a live production website?

Accepted Answer

Yes. Flux8Shield is a passive scanner — it only makes standard GET and HEAD requests with a declared user-agent, exactly like a regular browser. It sends zero attack payloads, never attempts authentication, and never touches private endpoints. It is safe to run on any live production site.

Question 6

How do I check cookie security flags on my website?

Accepted Answer

Flux8Shield inspects Set-Cookie headers from your site's initial response and checks each cookie for the Secure flag (prevents transmission over HTTP), HttpOnly flag (prevents JavaScript access), and SameSite attribute (prevents CSRF). Missing flags are reported with severity and exact fix syntax.

Question 7

What security headers should every website have?

Accepted Answer

Every website should have: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy to prevent XSS, X-Frame-Options or CSP frame-ancestors to block clickjacking, X-Content-Type-Options to prevent MIME sniffing, Referrer-Policy to control referrer leakage, and Permissions-Policy to restrict browser features. Flux8Shield checks all of these automatically.

Question 8

Does Flux8Shield work for WordPress sites?

Accepted Answer

Yes. Flux8Shield works on any public website regardless of platform — WordPress, Shopify, custom-built, or static sites. It also specifically checks for exposed wp-config.php files, a critical WordPress vulnerability that exposes database credentials.

protect yoursite.

protect

your

data

what we
scan for.

security headers

ssl / tls config

cookie security

info exposure

client-side risks

cors & apis

three steps
to your score.

paste a public url

we run the checks

read the fix list

here's the report
your team can use.

passive only.
no tricks.

need help turning
findings into fixes?