Nuclei Vulnerability Scan Report
Target: https://inou.com
Date: February 1, 2026
Scanner: Nuclei v3.7.0
Templates: v10.3.8 (9,630 templates)
Scan Type: Monthly SOC2 Compliance
Executive Summary
| Severity | Count |
|---|---|
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 0 |
| 🔵 Low | 0 |
| ⚪ Info | 16 |
| Total | 16 |
Status: ✅ PASS — No security vulnerabilities detected. All findings are informational.
Findings by Category
Security Headers (3 findings)
| Finding | Severity | URL |
|---|---|---|
| Missing Content-Security-Policy | Info | https://inou.com |
| Missing Cross-Origin-Embedder-Policy | Info | https://inou.com |
| Missing Clear-Site-Data | Info | https://inou.com |
Recommendation: Consider implementing CSP to prevent XSS attacks. COEP and Clear-Site-Data are lower priority for a health platform without embedded third-party content.
TLS Configuration (2 findings)
| Finding | Severity | Details |
|---|---|---|
| TLS 1.2 Supported | Info | inou.com:443 |
| TLS 1.3 Supported | Info | inou.com:443 |
Status: ✅ Good — TLS 1.3 is supported (modern). TLS 1.2 still enabled for compatibility.
Technology Detection (2 findings)
| Finding | Severity | Details |
|---|---|---|
| Caddy Server | Info | https://inou.com |
| Google Font API | Info | https://inou.com |
Status: ✅ Expected — Caddy is our web server, Google Fonts is intentional.
Subresource Integrity (1 finding)
| Finding | Severity | Details |
|---|---|---|
| Missing SRI | Info | Google Fonts CSS |
Recommendation: Low priority — SRI for external CDN resources (Google Fonts) is best practice but impractical when the resource content changes.
Endpoint Discovery (2 findings)
| Finding | Severity | Details |
|---|---|---|
| OAuth Authorization Server | Info | /.well-known/oauth-authorization-server |
| Robots.txt Endpoints | Info | 12 endpoints discovered |
Status: ✅ Expected — OAuth endpoint is required for MCP integration. Robots.txt disallows crawling of sensitive paths as intended.
Domain Information (6 findings)
| Finding | Details |
|---|---|
| Name Servers | NS1.OPENPROVIDER.NL, NS2.OPENPROVIDER.BE, NS3.OPENPROVIDER.EU |
| DNSSEC | Not enabled |
| Transfer Status | Protected (client transfer prohibited) |
| Registration | 2001-06-29 |
| Last Modified | 2025-07-24 |
| Expiration | 2026-06-29 |
Action Required: Domain expires in ~5 months. Calendar reminder set.
Comparison with Previous Scan
Baseline (Jan 31, 2026): 34 findings (zurich.inou.com)
This Scan (Feb 1, 2026): 16 findings (inou.com)
Note: Different targets — baseline was security infrastructure (zurich.inou.com), this scan targets production (inou.com).
New Issues This Month
- None
Resolved Issues
- N/A (different target)
Recommendations
Priority 1 (Consider for SOC2)
- Content-Security-Policy — Implement a basic CSP to prevent XSS attacks
- Start with: `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com` (note that `'unsafe-inline'` in `script-src` still permits inline scripts, so tighten it once inline scripts are removed)
Priority 2 (Best Practice)
- DNSSEC — Enable at Openprovider for domain integrity
- Domain Renewal — Renew before June 29, 2026
Priority 3 (Low/Optional)
- Cross-Origin-Embedder-Policy — Only needed if using SharedArrayBuffer
- Clear-Site-Data — Only needed for logout functionality
- Subresource Integrity — Impractical for dynamic CDN resources
Scan Metadata
Scan Started: 2026-02-01 14:04 UTC
Templates Loaded: 9,630
Clustered Templates: 2,207 (saved 2,085 requests)
Interactsh Server: oast.me
Runtime Warnings: 2 templates with errors (non-blocking)
Report generated by James (SOC2 Compliance Automation)
Next scan: March 1, 2026