This summary is designed for management review. It lists the issues observed, their business impact, and the current risk posture visible from the public internet.
The target exposes weaknesses that can make exploitation easier or widen attacker reconnaissance. These issues should be prioritized before expansion or customer growth.
This summary now groups controls and observed issues together by security domain. Each section shows what was checked in that domain and, directly underneath, the issues that matter for customer-facing risk discussion.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ✓ Security OK | - | No | HTTPS in use |
The target URL uses HTTPS.
https://prep4u.vn/
|
| ⚠ Has security issue | medium | Yes | HSTS |
Strict-Transport-Security was not observed on the landing page.
https://prep4u.vn/
|
| ⚠ Has security issue | medium | Yes | Content Security Policy |
Content-Security-Policy was not observed on the landing page.
https://prep4u.vn/
|
| ⚠ Has security issue | low | Yes | MIME sniffing protection |
X-Content-Type-Options was not observed on the landing page.
https://prep4u.vn/
|
| ⚠ Has security issue | low | Yes | Clickjacking protection |
Neither X-Frame-Options nor CSP frame-ancestors was observed.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Cookie Secure flag |
Observed cookies included the Secure attribute.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Cookie HttpOnly flag |
Observed cookies included the HttpOnly attribute.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Cookie SameSite flag |
Observed cookies included a SameSite attribute.
https://prep4u.vn/
|
The response does not advertise Strict-Transport-Security.
If a victim first reaches the site over an insecure network, an attacker on the same path can attempt SSL stripping, forcing the victim onto HTTP and exposing login sessions or sensitive browsing activity.
The application does not return a Content-Security-Policy header on the affected response.
If any XSS or third-party script compromise occurs, the browser has fewer built-in restrictions. In practice this can enable credential theft, fake payment forms, session hijacking, or malicious content injection on customer-facing pages.
Neither X-Frame-Options nor a CSP frame-ancestors policy was observed on the affected response.
Attackers can potentially embed the site in a malicious page and trick users into clicking hidden buttons or forms. In a real campaign this can lead to unauthorized profile changes, content publishing, or transaction actions.
Browsers may MIME-sniff responses without the nosniff header.
In edge cases, browsers may interpret uploaded or proxied content as executable content rather than inert files. That can widen exploitation paths when combined with upload or content-type confusion flaws.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ⚠ Has security issue | info | Yes | Login portal surface |
Login portal surface was observed at https://prep4u.vn/login.
https://prep4u.vn/login
|
| ⚠ Has security issue | info | Yes | Password reset surface |
Password reset surface was observed at https://prep4u.vn/password/reset.
https://prep4u.vn/password/reset
|
| ⚠ Has security issue | info | Yes | Registration or invite surface |
Registration or invite surface was observed at https://prep4u.vn/register.
https://prep4u.vn/register
|
| ✓ Security OK | - | No | Client-side token exposure |
No obvious token leakage patterns were detected in the reviewed HTML and auth surfaces.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Sensitive route cache handling |
The observed authentication-related route returned a restrictive Cache-Control policy (no-cache, private).
https://prep4u.vn/login
|
A common login route responded successfully from the public internet.
A clearly exposed login portal gives attackers a focused entry point for password spraying, credential stuffing, and phishing preparation even before a deeper application flaw is found.
A common registration or invite route responded successfully from the public internet.
Visible registration or invite surfaces can be abused for fake-account creation, reconnaissance, or invite token testing if the underlying controls are weak.
A common password reset route responded successfully from the public internet.
Public password reset flows are normal, but they give attackers a direct workflow to test for account enumeration, weak reset tokens, or social-engineering-friendly recovery behavior.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ✓ Security OK | - | No | GraphQL introspection |
GraphQL introspection was not confirmed on the common GraphQL routes.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Dangerous HTTP methods |
No risky write-oriented methods were advertised by the root response.
https://prep4u.vn/
|
| • Not observed | - | No | TRACE method handling |
TRACE review did not return a usable response.
https://prep4u.vn/
|
| ✓ Security OK | - | No | File upload surface |
No common upload-related route was confirmed.
https://prep4u.vn/
|
| ✓ Security OK | - | No | API error disclosure |
No verbose API-style error leakage was confirmed in the tested routes.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Authenticated API schema exposure |
No public schema was confirmed to advertise authenticated operations in the tested routes.
https://prep4u.vn/
|
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ⚠ Has security issue | low | Yes | Referrer-Policy |
Referrer-Policy was not observed on the landing page.
https://prep4u.vn/
|
| ⚠ Has security issue | low | Yes | Permissions-Policy |
Permissions-Policy was not observed on the landing page.
https://prep4u.vn/
|
| ⚠ Has security issue | - | No | Cross-Origin-Opener-Policy |
Cross-Origin-Opener-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default.
https://prep4u.vn/
|
| ⚠ Has security issue | - | No | Cross-Origin-Resource-Policy |
Cross-Origin-Resource-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default.
https://prep4u.vn/
|
| ⚠ Has security issue | - | No | Cross-Origin-Embedder-Policy |
Cross-Origin-Embedder-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default.
https://prep4u.vn/
|
The landing page does not define a Referrer-Policy header.
Without a Referrer-Policy, downstream sites may receive fuller URL data than intended. In practice this can leak internal paths, campaign parameters, or identifiers that help attackers and third parties profile user behavior.
The landing page does not define a Permissions-Policy header.
If third-party code or future features are introduced, unnecessary browser capabilities can remain open by default. That weakens defense-in-depth and can make camera, microphone, or sensor abuse easier to overlook.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ✓ Security OK | - | No | CORS policy review |
The landing page did not appear to allow arbitrary cross-origin reads from the probe origin.
https://prep4u.vn/
|
| ✓ Security OK | - | No | CORS credentials exposure |
Credentialed cross-origin access was not observed from the probe origin.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Mixed content references |
No insecure HTTP asset references were detected on the landing page.
https://prep4u.vn/
|
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ⚠ Has security issue | info | Yes | Server header minimization |
The landing page exposed a Server header: cloudflare.
https://prep4u.vn/
|
| ✓ Security OK | - | No | X-Powered-By minimization |
No X-Powered-By header was exposed on the landing page.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Administrative panel surface |
No publicly reachable administrative panel surface was confirmed in the common route set.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Debug/test endpoint exposure |
No publicly reachable debug/test endpoint exposure was confirmed in the common route set.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Directory listing exposure |
No directory listing pattern was detected in the checked public routes.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Metrics endpoint exposure |
No publicly reachable metrics endpoint exposure was confirmed in the common route set.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Environment endpoint exposure |
No publicly reachable environment endpoint exposure was confirmed in the common route set.
https://prep4u.vn/
|
| ✓ Security OK | - | No | Heapdump endpoint exposure |
No publicly reachable heapdump endpoint exposure was confirmed in the common route set.
https://prep4u.vn/
|
The landing page discloses a Server header.
Server banners help attackers narrow down the likely technology stack and patch level, reducing the time needed to prioritize exploit research or fingerprinting.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ⚠ Has security issue | low | Yes | security.txt contact field |
security.txt was present but did not include a Contact field.
https://prep4u.vn/.well-known/security.txt
|
| ⚠ Has security issue | info | Yes | security.txt expiry field |
security.txt was present but its Expires field was missing, invalid, or already expired.
https://prep4u.vn/.well-known/security.txt
|
security.txt was present but did not include a Contact field.
When researchers or customers find a real vulnerability, a missing Contact field can delay responsible disclosure and increase the chance that a fixable issue turns into an incident or public disclosure gap.
security.txt was present but its Expires field was missing, invalid, or already expired.
Expired or malformed disclosure metadata creates uncertainty about whether the published security channel is still trustworthy, which can slow inbound reporting when time matters.
This group shows the controls reviewed in this domain and the customer-facing implications of any issues that were observed.
| Security Status | Severity | Escalated to Findings | Control | Result |
|---|---|---|---|---|
| ⚠ Has security issue | info | Yes | robots.txt exposure |
robots.txt is accessible.
https://prep4u.vn/robots.txt
|
| ✓ Security OK | - | No | security.txt exposure |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/.well-known/security.txt
|
| ✓ Security OK | - | No | Swagger route |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/swagger
|
| ✓ Security OK | - | No | Swagger UI |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/swagger-ui
|
| ✓ Security OK | - | No | OpenAPI document |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/openapi.json
|
| ✓ Security OK | - | No | API docs endpoint |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/v3/api-docs
|
| ✓ Security OK | - | No | GraphQL endpoint |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/graphql
|
| ✓ Security OK | - | No | GraphiQL console |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/graphiql
|
| ✓ Security OK | - | No | .env file exposure |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/.env
|
| ✓ Security OK | - | No | .git/config exposure |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/.git/config
|
| ✓ Security OK | - | No | Backup archive exposure |
The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint.
https://prep4u.vn/backup.zip
|
robots.txt is accessible.
robots.txt itself is normal, but it can leak a roadmap of sensitive areas to attackers and accelerate reconnaissance toward admin panels, staging pages, or private content paths.
This final summary compresses every small control into one overview so the reader can compare domains quickly without reading each detailed section in full.
| Group | Total controls | Pass | Issues | Not fully assessed | Escalated findings |
|---|---|---|---|---|---|
| Transport & Session Security | 8 | 4 | 4 | 0 | 4 |
| Authentication & Sensitive Handling | 5 | 2 | 3 | 0 | 3 |
| API Abuse Surface | 6 | 5 | 0 | 1 | 0 |
| Browser Hardening & Isolation | 5 | 0 | 5 | 0 | 2 |
| Cross-Origin & Content Delivery | 3 | 3 | 0 | 0 | 0 |
| Recon & Fingerprinting Signals | 8 | 7 | 1 | 0 | 1 |
| Disclosure & Trust Signals | 2 | 0 | 2 | 0 | 2 |
| Public Exposure Surface | 11 | 10 | 1 | 0 | 1 |
The scanned target shows externally visible weaknesses that increase reconnaissance value, widen attack paths, or reduce defensive controls. While this document does not include remediation steps, the findings are sufficient to justify a deeper hardening and remediation engagement before an attacker can chain them into a broader incident.