Hey There,
I noticed a few things in the HTTP response headers on https://app.contrast-finder.org/:
The CSP includes unsafe-inline and unsafe-eval in script-src, which could weaken XSS protection quite a bit. Maybe consider switching to nonce or hash-based directives.
Session cookie (JSESSIONID) is missing Secure and SameSite flags. Adding secure; SameSite=Lax would be a quick fix.
X-XSS-Protection: 1 without mode=block is deprecated and can actually be a vulnerability in some browsers.
The Server header exposes the server OS and version (which is a bit outdated), which could lead to version-specific attack surface.
HSTS could be strengthened with includeSubDomains; preload.
None of these would be critical (if I'm even right about them) given the nature of the tool, but they'd be an easy fix and could harden the setup.
I found all of this with a quick check in the browser dev tools, so no fancy toolkit or anything.
Best regards
D4rkStar // Lasse
HTTP/1.1 200
Date: Sun, 29 Mar 2026 18:23:39 GMT
Server: (redacted - Apache/2.4.x on Ubuntu, see finding #4)
X-XSS-Protection: 1
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Type: text/html;charset=UTF-8
Content-Language: de
Set-Cookie: lang=de; Max-Age=5184000; Expires=Thu, 28-May-2026 18:23:35 GMT; Path=/
Set-Cookie: algo=Rgb; Max-Age=2592000; Expires=Tue, 28-Apr-2026 18:23:35 GMT
Set-Cookie: JSESSIONID=214663765D5F7CCE45C62AD5A1993865; Path=/contrast-finder; HttpOnly
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=15768000
Content-Security-Policy: default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.contrast-finder.org ; img-src 'self' https://stats.contrast-finder.org ; font-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
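The following is an added example, not code from the report or from the contrast-finder project. It parses the response dump quoted above, flags the five header issues the report lists (unsafe-inline/unsafe-eval in script-src, JSESSIONID without Secure and SameSite, X-XSS-Protection without mode=block, a version in the Server header, HSTS without includeSubDomains and preload), and then re-runs the same checks against a constructed response with the report's suggested fixes applied. The Server value is constructed from the report's description since the real one is redacted, and the CSP nonce is a placeholder string.

```python
"""Constructed header audit for the findings listed in the report above.

Added example, not code from contrast-finder or its operators. It parses the
response dump from the report, flags the issues the report names, and then
re-audits a constructed "fixed" response to show the checks go quiet.
"""
import re
from typing import Dict, List

# Response headers as quoted in the report. The Server value is constructed
# from the report's description ("Apache/2.4.x on Ubuntu"); the real one was
# redacted in the report.
ORIGINAL_RESPONSE = """HTTP/1.1 200
Date: Sun, 29 Mar 2026 18:23:39 GMT
Server: Apache/2.4.x (Ubuntu)
X-XSS-Protection: 1
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Type: text/html;charset=UTF-8
Set-Cookie: lang=de; Max-Age=5184000; Path=/
Set-Cookie: JSESSIONID=214663765D5F7CCE45C62AD5A1993865; Path=/contrast-finder; HttpOnly
Strict-Transport-Security: max-age=15768000
Content-Security-Policy: default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.contrast-finder.org ; img-src 'self' https://stats.contrast-finder.org ; font-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';
"""

# Constructed response with the report's suggestions applied. The nonce value
# is a placeholder; a real server mints a fresh random nonce per response.
HARDENED_RESPONSE = """HTTP/1.1 200
Server: Apache
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=214663765D5F7CCE45C62AD5A1993865; Path=/contrast-finder; HttpOnly; Secure; SameSite=Lax
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'nonce-PLACEHOLDER_NONCE' https://stats.contrast-finder.org; img-src 'self' https://stats.contrast-finder.org; font-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self'
"""

# Cookies treated as session cookies for the Secure/SameSite check.
SESSION_COOKIES = {"JSESSIONID"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response head into {lowercased-name: [values]}.

    Values are kept in a list because headers such as Set-Cookie repeat.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding string per issue the report describes."""
    findings: List[str] = []

    # 1. script-src (falling back to default-src) must not allow inline/eval.
    csp = headers.get("content-security-policy", [""])[0]
    directives = csp_directives(csp)
    script_src = directives.get("script-src", directives.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script_src:
            findings.append(f"csp: script-src allows {weak}")

    # 2. Session cookies need Secure and SameSite attributes.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if name in SESSION_COOKIES:
            if "secure" not in attrs:
                findings.append(f"cookie: {name} missing Secure")
            if "samesite" not in attrs:
                findings.append(f"cookie: {name} missing SameSite")

    # 3. X-XSS-Protection: 1 without mode=block is the deprecated filter mode.
    for value in headers.get("x-xss-protection", []):
        if value.strip().startswith("1") and "mode=block" not in value.lower():
            findings.append("x-xss-protection: enabled without mode=block")

    # 4. A digit in the Server header means a version is being disclosed.
    for value in headers.get("server", []):
        if re.search(r"\d", value):
            findings.append(f"server: version disclosed ({value})")

    # 5. HSTS should carry includeSubDomains and preload.
    for value in headers.get("strict-transport-security", []):
        lowered = value.lower()
        if "includesubdomains" not in lowered:
            findings.append("hsts: missing includeSubDomains")
        if "preload" not in lowered:
            findings.append("hsts: missing preload")
    return findings


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(parse_headers(raw)) or ["no findings"]:
            print("  ", finding)
```

Running the script prints eight findings for the quoted response and none for the hardened one; the same `audit` function can be pointed at any captured response head, for example one saved from the browser dev tools as the report describes.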