Phase 1 Rapid External Security Posture Assessment

https://prep4u.vn/

The target exposes weaknesses that can make exploitation easier or widen attacker reconnaissance. These issues should be prioritized before expansion or customer growth.

Overall Assessment: Security posture needs improvement
Scan ID: 9179097f-3e42-4f5a-bce3-c43bf6e18f56
Started: 2026-06-08T04:17:17.994Z
Scan status: Completed
Findings: 13
High / Medium: 0 / 3

How To Read This Report

This report has three layers. First come the control groups, which show the full scan scope and whether each control passed, surfaced an issue, or could not be fully assessed. Technical Findings are only the escalated subset of controls that actually produced security-relevant findings. The Escalated column below tells you whether a control was promoted into the Technical Findings section. Execution sections at the end are runtime evidence for the scanner itself, useful for debugging and confidence, not for remediation planning.

Control Groups (scope by domain): Examples: Transport & Session Security, Public Exposure Surface. These sections show every planned control, including pass and not-assessed outcomes.

Technical Findings (actionable subset): Only controls that escalated into actual findings appear here. This is the section meant for developer action and business discussion.

Execution Notes (scanner runtime evidence): Executed checks, local adapters, and artifacts explain what the engine did and what it could or could not validate during this run.
Transport & Session Security: 4 issues / 4 passes
Authentication & Sensitive Handling: 3 issues / 2 passes
API Abuse Surface: 5 passes / 1 not fully assessed
Browser Hardening & Isolation: 5 issues
Cross-Origin & Content Delivery: 3 passes
Recon & Fingerprinting Signals: 1 issue / 7 passes
Disclosure & Trust Signals: 2 issues
Public Exposure Surface: 1 issue / 10 passes

Legend: ✓ Security OK | ⚠ Has security issue | • Not observed | • Partial results | • Timed out

Grouped Security Review

Each domain below bundles its checklist and its detailed findings together. Read each group top-to-bottom: first the full list of controls that were checked, then the detailed findings that escalated from that group.

Transport & Session Security

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
✓ Security OK | - | No | HTTPS in use | The target URL uses HTTPS. | https://prep4u.vn/
⚠ Has security issue | medium | Yes | HSTS | Strict-Transport-Security was not observed on the landing page. | https://prep4u.vn/
⚠ Has security issue | medium | Yes | Content Security Policy | Content-Security-Policy was not observed on the landing page. | https://prep4u.vn/
⚠ Has security issue | low | Yes | MIME sniffing protection | X-Content-Type-Options was not observed on the landing page. | https://prep4u.vn/
⚠ Has security issue | low | Yes | Clickjacking protection | Neither X-Frame-Options nor CSP frame-ancestors was observed. | https://prep4u.vn/
✓ Security OK | - | No | Cookie Secure flag | Observed cookies included the Secure attribute. | https://prep4u.vn/
✓ Security OK | - | No | Cookie HttpOnly flag | Observed cookies included the HttpOnly attribute. | https://prep4u.vn/
✓ Security OK | - | No | Cookie SameSite flag | Observed cookies included a SameSite attribute. | https://prep4u.vn/

Detailed Findings in This Group

⚠ Has security issue medium

Missing HSTS

https://prep4u.vn/

What Was Observed

The response does not advertise Strict-Transport-Security.

Business Impact

If a victim first reaches the site over an insecure network, an attacker on the same path can attempt SSL stripping, forcing the victim onto HTTP and exposing login sessions or sensitive browsing activity.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Review TLS termination and force HTTPS-only delivery at the application or proxy layer before enabling a long-lived HSTS policy.

Recommended action: Enable HSTS with an appropriate max-age after validating HTTPS coverage.

⚠ Has security issue medium

Missing CSP

https://prep4u.vn/

What Was Observed

The application does not return a Content-Security-Policy header on the affected response.

Business Impact

If any XSS or third-party script compromise occurs, the browser has fewer built-in restrictions. In practice this can enable credential theft, fake payment forms, session hijacking, or malicious content injection on customer-facing pages.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Start with report-only mode, inventory allowed script/style origins, then move to an enforced policy with nonce/hash-based script control where possible.

Recommended action: Add a restrictive CSP and tune it per application behavior.

⚠ Has security issue medium

Missing Clickjacking Controls

https://prep4u.vn/

What Was Observed

Neither X-Frame-Options nor a CSP frame-ancestors policy was observed on the affected response.

Business Impact

Attackers can potentially embed the site in a malicious page and trick users into clicking hidden buttons or forms. In a real campaign this can lead to unauthorized profile changes, content publishing, or transaction actions.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Apply frame restrictions globally, then selectively allow known trusted embeds if the business case requires framing.

Recommended action: Set X-Frame-Options or define frame-ancestors in CSP.

⚠ Has security issue low

Missing X-Content-Type-Options

https://prep4u.vn/

What Was Observed

Browsers may MIME-sniff responses without the nosniff header.

Business Impact

In edge cases, browsers may interpret uploaded or proxied content as executable content rather than inert files. That can widen exploitation paths when combined with upload or content-type confusion flaws.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Set the header at the web server or framework middleware level so all static and dynamic responses inherit it consistently.

Recommended action: Return X-Content-Type-Options: nosniff on web responses.

Authentication & Sensitive Handling

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
⚠ Has security issue | info | Yes | Login portal surface | Login portal surface was observed at https://prep4u.vn/login. | https://prep4u.vn/login
⚠ Has security issue | info | Yes | Password reset surface | Password reset surface was observed at https://prep4u.vn/password/reset. | https://prep4u.vn/password/reset
⚠ Has security issue | info | Yes | Registration or invite surface | Registration or invite surface was observed at https://prep4u.vn/register. | https://prep4u.vn/register
✓ Security OK | - | No | Client-side token exposure | No obvious token leakage patterns were detected in the reviewed HTML and auth surfaces. | https://prep4u.vn/
✓ Security OK | - | No | Sensitive route cache handling | The observed authentication-related route returned a restrictive Cache-Control policy (no-cache, private). | https://prep4u.vn/login

Detailed Findings in This Group

⚠ Has security issue info

Login Portal Surface Exposed

https://prep4u.vn/login

What Was Observed

A common login route responded successfully from the public internet.

Business Impact

A clearly exposed login portal gives attackers a focused entry point for password spraying, credential stuffing, and phishing preparation even before a deeper application flaw is found.

Confidence & Evidence

Confidence: confirmed

Evidence: Confirmed route: https://prep4u.vn/login

Developer Notes & Remediation

Review authentication hardening on the exposed login path, including rate limiting, brute-force controls, MFA coverage, and credential stuffing defenses.

Recommended action: Confirm the login route is intended to be public and protect it with rate limits, MFA, and bot defenses.

⚠ Has security issue info

Registration or Invite Surface Exposed

https://prep4u.vn/register

What Was Observed

A common registration or invite route responded successfully from the public internet.

Business Impact

Visible registration or invite surfaces can be abused for fake-account creation, reconnaissance, or invite token testing if the underlying controls are weak.

Confidence & Evidence

Confidence: confirmed

Evidence: Confirmed route: https://prep4u.vn/register

Developer Notes & Remediation

Review spam prevention, invite token entropy, tenant isolation, and whether registration flows accidentally expose privileged onboarding paths.

Recommended action: Confirm whether open registration or invite acceptance is intended and monitor it for abuse.

⚠ Has security issue info

Password Reset Surface Exposed

https://prep4u.vn/password/reset

What Was Observed

A common password reset route responded successfully from the public internet.

Business Impact

Public password reset flows are normal, but they give attackers a direct workflow to test for account enumeration, weak reset tokens, or social-engineering-friendly recovery behavior.

Confidence & Evidence

Confidence: confirmed

Evidence: Confirmed route: https://prep4u.vn/password/reset

Developer Notes & Remediation

Review user enumeration behavior, token lifetime, MFA interaction, and email/SMS recovery controls on the exposed reset path.

Recommended action: Verify the reset flow is intentional and enforce strong reset token, enumeration, and rate-limiting controls.

API Abuse Surface

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
✓ Security OK | - | No | GraphQL introspection | GraphQL introspection was not confirmed on the common GraphQL routes. | https://prep4u.vn/
✓ Security OK | - | No | Dangerous HTTP methods | No risky write-oriented methods were advertised by the root response. | https://prep4u.vn/
• Not observed | - | No | TRACE method handling | TRACE review did not return a usable response. | https://prep4u.vn/
✓ Security OK | - | No | File upload surface | No common upload-related route was confirmed. | https://prep4u.vn/
✓ Security OK | - | No | API error disclosure | No verbose API-style error leakage was confirmed in the tested routes. | https://prep4u.vn/
✓ Security OK | - | No | Authenticated API schema exposure | No public schema was confirmed to advertise authenticated operations in the tested routes. | https://prep4u.vn/

Detailed Findings in This Group

✓ Security OK No escalated findings were grouped under this domain in the current scan.

Browser Hardening & Isolation

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
⚠ Has security issue | low | Yes | Referrer-Policy | Referrer-Policy was not observed on the landing page. | https://prep4u.vn/
⚠ Has security issue | low | Yes | Permissions-Policy | Permissions-Policy was not observed on the landing page. | https://prep4u.vn/
⚠ Has security issue | - | No | Cross-Origin-Opener-Policy | Cross-Origin-Opener-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default. | https://prep4u.vn/
⚠ Has security issue | - | No | Cross-Origin-Resource-Policy | Cross-Origin-Resource-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default. | https://prep4u.vn/
⚠ Has security issue | - | No | Cross-Origin-Embedder-Policy | Cross-Origin-Embedder-Policy was not observed on the landing page. This control was recorded as hardening guidance and was not escalated into a standalone finding by default. | https://prep4u.vn/

Detailed Findings in This Group

⚠ Has security issue low

Missing Referrer-Policy

https://prep4u.vn/

What Was Observed

The landing page does not define a Referrer-Policy header.

Business Impact

Without a Referrer-Policy, downstream sites may receive fuller URL data than intended. In practice this can leak internal paths, campaign parameters, or identifiers that help attackers and third parties profile user behavior.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Apply the policy globally at the framework or reverse-proxy layer and verify analytics, SSO, and third-party redirects still behave as expected.

Recommended action: Set a restrictive Referrer-Policy such as strict-origin-when-cross-origin or stricter as appropriate.

⚠ Has security issue low

Missing Permissions-Policy

https://prep4u.vn/

What Was Observed

The landing page does not define a Permissions-Policy header.

Business Impact

If third-party code or future features are introduced, unnecessary browser capabilities can remain open by default. That weakens defense-in-depth and can make camera, microphone, or sensor abuse easier to overlook.

Confidence & Evidence

Confidence: confirmed

Developer Notes & Remediation

Inventory the browser capabilities your application genuinely needs, then explicitly deny the rest to reduce future abuse paths and third-party script access.

Recommended action: Return a Permissions-Policy header that disables browser features not required by the application.

Cross-Origin & Content Delivery

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
✓ Security OK | - | No | CORS policy review | The landing page did not appear to allow arbitrary cross-origin reads from the probe origin. | https://prep4u.vn/
✓ Security OK | - | No | CORS credentials exposure | Credentialed cross-origin access was not observed from the probe origin. | https://prep4u.vn/
✓ Security OK | - | No | Mixed content references | No insecure HTTP asset references were detected on the landing page. | https://prep4u.vn/

Detailed Findings in This Group

✓ Security OK No escalated findings were grouped under this domain in the current scan.

Recon & Fingerprinting Signals

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
⚠ Has security issue | info | Yes | Server header minimization | The landing page exposed a Server header: cloudflare. | https://prep4u.vn/
✓ Security OK | - | No | X-Powered-By minimization | No X-Powered-By header was exposed on the landing page. | https://prep4u.vn/
✓ Security OK | - | No | Administrative panel surface | No publicly reachable administrative panel surface was confirmed in the common route set. | https://prep4u.vn/
✓ Security OK | - | No | Debug/test endpoint exposure | No publicly reachable debug/test endpoint exposure was confirmed in the common route set. | https://prep4u.vn/
✓ Security OK | - | No | Directory listing exposure | No directory listing pattern was detected in the checked public routes. | https://prep4u.vn/
✓ Security OK | - | No | Metrics endpoint exposure | No publicly reachable metrics endpoint exposure was confirmed in the common route set. | https://prep4u.vn/
✓ Security OK | - | No | Environment endpoint exposure | No publicly reachable environment endpoint exposure was confirmed in the common route set. | https://prep4u.vn/
✓ Security OK | - | No | Heapdump endpoint exposure | No publicly reachable heapdump endpoint exposure was confirmed in the common route set. | https://prep4u.vn/

Detailed Findings in This Group

⚠ Has security issue info

Server Banner Exposed

https://prep4u.vn/

What Was Observed

The landing page discloses a Server header.

Business Impact

Server banners help attackers narrow down the likely technology stack and patch level, reducing the time needed to prioritize exploit research or fingerprinting.

Confidence & Evidence

Confidence: confirmed

Evidence: Server: cloudflare

Developer Notes & Remediation

Review reverse-proxy, CDN, and application server defaults to avoid revealing exact stack details unless operationally required.

Recommended action: Minimize or suppress detailed server banners where feasible.

Disclosure & Trust Signals

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
⚠ Has security issue | low | Yes | security.txt contact field | security.txt was present but did not include a Contact field. | https://prep4u.vn/.well-known/security.txt
⚠ Has security issue | info | Yes | security.txt expiry field | security.txt was present but its Expires field was missing, invalid, or already expired. | https://prep4u.vn/.well-known/security.txt

Detailed Findings in This Group

⚠ Has security issue low

security.txt Missing Contact

https://prep4u.vn/.well-known/security.txt

What Was Observed

security.txt was present but did not include a Contact field.

Business Impact

When researchers or customers find a real vulnerability, a missing Contact field can delay responsible disclosure and increase the chance that a fixable issue turns into an incident or public disclosure gap.

Confidence & Evidence

Confidence: confirmed

Evidence: security.txt present without Contact field.

Developer Notes & Remediation

Publish a monitored security contact channel in security.txt, such as a mail alias or disclosure portal, and verify ownership regularly.

Recommended action: Add one or more Contact entries so external reporters know how to reach the security team.

⚠ Has security issue info

security.txt Expiry Missing or Invalid

https://prep4u.vn/.well-known/security.txt

What Was Observed

security.txt was present but its Expires field was missing, invalid, or already expired.

Business Impact

Expired or malformed disclosure metadata creates uncertainty about whether the published security channel is still trustworthy, which can slow inbound reporting when time matters.

Confidence & Evidence

Confidence: confirmed

Evidence: No valid Expires field found in security.txt.

Developer Notes & Remediation

Treat security.txt as maintained metadata: rotate the expiry date on a schedule and verify the published contact details remain active.

Recommended action: Add a valid future Expires value and keep it refreshed.

Public Exposure Surface

This group shows the controls that were tested in this domain and, directly underneath, the escalated findings that require technical review.

Security Status | Severity | Escalated to Findings | Control | Result | URL
⚠ Has security issue | info | Yes | robots.txt exposure | robots.txt is accessible. | https://prep4u.vn/robots.txt
✓ Security OK | - | No | security.txt exposure | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/.well-known/security.txt
✓ Security OK | - | No | Swagger route | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/swagger
✓ Security OK | - | No | Swagger UI | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/swagger-ui
✓ Security OK | - | No | OpenAPI document | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/openapi.json
✓ Security OK | - | No | API docs endpoint | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/v3/api-docs
✓ Security OK | - | No | GraphQL endpoint | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/graphql
✓ Security OK | - | No | GraphiQL console | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/graphiql
✓ Security OK | - | No | .env file exposure | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/.env
✓ Security OK | - | No | .git/config exposure | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/.git/config
✓ Security OK | - | No | Backup archive exposure | The path returned HTTP 200, but the body looked like a soft-404 rather than a real exposed endpoint. | https://prep4u.vn/backup.zip

Detailed Findings in This Group

⚠ Has security issue info

robots.txt Exposed

https://prep4u.vn/robots.txt

What Was Observed

robots.txt is accessible.

Business Impact

robots.txt itself is normal, but it can leak a roadmap of sensitive areas to attackers and accelerate reconnaissance toward admin panels, staging pages, or private content paths.

Confidence & Evidence

Confidence: confirmed

Evidence: HTTP 200 | Content-Type: text/plain

Developer Notes & Remediation

Review whether sensitive internal paths are unnecessarily advertised in robots.txt.

Recommended action: Keep robots.txt public if needed, but avoid listing sensitive administrative or private endpoints there.

Control Outcome Summary

This final summary compresses every small control into one overview so the reader can compare domains quickly without reading each detailed section in full.

Group | Total controls | Pass | Issues | Not fully assessed | Escalated findings
Transport & Session Security | 8 | 4 | 4 | 0 | 4
Authentication & Sensitive Handling | 5 | 2 | 3 | 0 | 3
API Abuse Surface | 6 | 5 | 0 | 1 | 0
Browser Hardening & Isolation | 5 | 0 | 5 | 0 | 2
Cross-Origin & Content Delivery | 3 | 3 | 0 | 0 | 0
Recon & Fingerprinting Signals | 8 | 7 | 1 | 0 | 1
Disclosure & Trust Signals | 2 | 0 | 2 | 0 | 2
Public Exposure Surface | 11 | 10 | 1 | 0 | 1

Execution Trace

This is a scan-engine trace, not a remediation section. It records which high-level checks were attempted and whether they completed, skipped, or timed out.

Check | Security Status | Summary
TLS Posture | ✓ Security OK | Target uses HTTPS.
Cookie Flags | ✓ Security OK | Cookie flags looked acceptable from the root response.
Security Headers | ⚠ Has security issue | Landing page header posture reviewed.
Cross-Origin Controls | ✓ Security OK | Cross-origin and content delivery controls looked acceptable for the tested landing page.
Login portal surface | ⚠ Has security issue | Login portal surface was observed.
Registration or invite surface | ⚠ Has security issue | Registration or invite surface was observed.
Password reset surface | ⚠ Has security issue | Password reset surface was observed.
API Abuse Surface | ✓ Security OK | No significant API abuse surface issues were confirmed in the tested routes.
/robots.txt | ⚠ Has security issue | robots.txt Exposed
Common Exposure Paths | ⚠ Has security issue | Observed 3 potentially exposed paths.
Environment endpoint exposure | ✓ Security OK | No public environment endpoint exposure was confirmed.
Administrative panel surface | ✓ Security OK | No public administrative panel surface was confirmed.
Metrics endpoint exposure | ✓ Security OK | No public metrics endpoint exposure was confirmed.
Debug/test endpoint exposure | ✓ Security OK | No public debug/test endpoint exposure was confirmed.
Heapdump endpoint exposure | ✓ Security OK | No public heapdump endpoint exposure was confirmed.

Local Scanner Adapters

This table shows runtime state for optional local scanners such as Nuclei and ZAP baseline. It supports confidence and troubleshooting, but it is not itself a security verdict on the target.

Adapter | Status | Summary | Details
Nuclei | unavailable | The `nuclei` binary was not found on this machine. Install it to enable local template-based scanning. | -
ZAP Baseline | unavailable | Neither `zap-baseline.py` nor `docker` was found on this machine, so ZAP baseline could not run. | -
Playwright Screenshots | unavailable | The `playwright` package was not found on this machine. Install it to enable screenshot evidence capture. | -

Artifacts

Phase 2 local-first mode stores scan artifacts on disk. Screenshot artifacts are previewed directly here so the report stays visual, while raw scanner outputs remain available as supporting evidence.

Artifact | Type | Preview | Notes
summary.json | scan-summary | Stored in scan artifacts | Raw scanner artifact