docs/soc2/nuclei-report-2026-02-01.md

# Nuclei Vulnerability Scan Report
- **Target:** https://inou.com
- **Date:** February 1, 2026
- **Scanner:** Nuclei v3.7.0
- **Templates:** v10.3.8 (9,630 templates)
- **Scan Type:** Monthly SOC2 Compliance

---

## Executive Summary
| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 0 |
| 🔵 Low | 0 |
| ⚪ Info | 16 |
| **Total** | **16** |

**Status: ✅ PASS** — No findings at Low severity or above; all 16 findings are informational.

---

## Findings by Category
### Security Headers (3 findings)
| Finding | Severity | URL |
|---------|----------|-----|
| Missing Content-Security-Policy | Info | https://inou.com |
| Missing Cross-Origin-Embedder-Policy | Info | https://inou.com |
| Missing Clear-Site-Data | Info | https://inou.com |

**Recommendation:** Consider implementing a Content-Security-Policy to limit the impact of XSS. COEP and Clear-Site-Data are lower priority for a health platform without embedded third-party content.

### TLS Configuration (2 findings)
| Finding | Severity | Details |
|---------|----------|---------|
| TLS 1.2 Supported | Info | inou.com:443 |
| TLS 1.3 Supported | Info | inou.com:443 |

**Status:** ✅ Good — TLS 1.3 is supported (modern). TLS 1.2 remains enabled for client compatibility.

### Technology Detection (2 findings)
| Finding | Severity | Details |
|---------|----------|---------|
| Caddy Server | Info | https://inou.com |
| Google Font API | Info | https://inou.com |

**Status:** ✅ Expected — Caddy is our web server, and Google Fonts is intentional.

### Subresource Integrity (1 finding)
| Finding | Severity | Details |
|---------|----------|---------|
| Missing SRI | Info | Google Fonts CSS |

**Recommendation:** Low priority — SRI for external CDN resources (Google Fonts) is best practice, but Google Fonts serves User-Agent-specific CSS, so a fixed integrity hash would break the stylesheet for some browsers.

### Endpoint Discovery (2 findings)
| Finding | Severity | Details |
|---------|----------|---------|
| OAuth Authorization Server | Info | /.well-known/oauth-authorization-server |
| Robots.txt Endpoints | Info | 12 endpoints discovered |

**Status:** ✅ Expected — The OAuth authorization server metadata endpoint is required for the MCP integration. Robots.txt disallows the sensitive paths for crawlers; robots.txt is advisory only and does not restrict access, so those paths must remain protected by server-side access control.

### Domain Information (6 findings)
| Finding | Details |
|---------|---------|
| Name Servers | NS1.OPENPROVIDER.NL, NS2.OPENPROVIDER.BE, NS3.OPENPROVIDER.EU |
| DNSSEC | Not enabled |
| Transfer Status | Protected (client transfer prohibited) |
| Registration | 2001-06-29 |
| Last Modified | 2025-07-24 |
| Expiration | 2026-06-29 |

**Action Required:** Domain expires in ~5 months. Calendar reminder set.

---

## Comparison with Previous Scan
- **Baseline (Jan 31, 2026):** 34 findings (zurich.inou.com)
- **This Scan (Feb 1, 2026):** 16 findings (inou.com)

*Note: Different targets — the baseline was security infrastructure (zurich.inou.com); this scan targets production (inou.com).*

### New Issues This Month
- None
### Resolved Issues
- N/A (different target)

---

## Recommendations
### Priority 1 (Consider for SOC2)
1. **Content-Security-Policy** — Implement a basic CSP to limit the impact of XSS
   - Start with `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com`
   - Note that `'unsafe-inline'` in `script-src` still allows injected inline scripts to execute, so this starting policy provides little XSS protection until inline scripts are moved to files or allowed via nonces or hashes
### Priority 2 (Best Practice)
2. **DNSSEC** — Enable at Openprovider for domain integrity
3. **Domain Renewal** — Renew before June 29, 2026
### Priority 3 (Low/Optional)
4. **Cross-Origin-Embedder-Policy** — Only needed if using SharedArrayBuffer
5. **Clear-Site-Data** — Only needed for logout functionality
6. **Subresource Integrity** — Impractical for dynamic CDN resources

---

## Scan Metadata
```
Scan Started: 2026-02-01 14:04 UTC
Templates Loaded: 9,630
Clustered Templates: 2,207 (saved 2,085 requests)
Interactsh Server: oast.me
Runtime Warnings: 2 templates with errors (non-blocking)
```
---
*Report generated by James (SOC2 Compliance Automation)*

*Next scan: March 1, 2026*