Executive Summary
High-level findings and risk assessment for cscc.com.au
This assessment identified 22 findings across email authentication, web security, DNS infrastructure, and compliance alignment for cscc.com.au (Canberra Southern Cross Club). The most significant risks stem from a complete absence of HTTP security headers (0 of 9 present), no HTTPS enforcement on the primary domain, a PHP runtime that has passed end-of-life, and email authentication policies (SPF softfail, DMARC quarantine with sp=none) that leave the domain vulnerable to spoofing. TLS configuration is strong (1.3 with PFS, no legacy protocol support) and DKIM is well-configured with 7 selectors, but these positives are undermined by the web security and compliance gaps.
CSC-001: Add HTTP→HTTPS redirect in nginx configuration (15min)
CSC-005: Add HSTS header with max-age=31536000 (15min)
CSC-009: Add X-Frame-Options, X-Content-Type-Options headers (15min)
CSC-010: Add X-Content-Type-Options: nosniff header (5min)
| ID | Finding | Severity | Status |
|---|---|---|---|
| CSC-001 | HTTPS Not Enforced — No HTTP to HTTPS Redirect | High | Open |
| CSC-002 | SPF Record Uses Softfail (~all) Instead of Hardfail (-all) | High | Open |
| CSC-003 | DMARC Policy Set to Quarantine Instead of Reject | High | Open |
| CSC-004 | DMARC Subdomain Policy Set to None (sp=none) | High | Open |
| CSC-005 | HTTP Strict Transport Security (HSTS) Header Not Present | High | Open |
| CSC-006 | Content Security Policy (CSP) Not Configured | High | Open |
| CSC-007 | PHP Version and Hosting Platform Disclosed via X-Powered-By Header | High | Open |
| CSC-008 | SMTP STARTTLS Support Not Verified | High | Open |
| CSC-009 | X-Frame-Options Header Not Present | Medium | Open |
| CSC-010 | X-Content-Type-Options Header Not Present | Medium | Open |
| CSC-011 | MTA-STS Not Configured | Medium | Open |
| CSC-012 | DNSSEC Not Enabled | Medium | Open |
| CSC-013 | CAA Records Not Configured | Medium | Open |
| CSC-014 | Referrer-Policy Header Not Present | Low | Open |
| CSC-015 | Permissions-Policy Header Not Present | Low | Open |
| CSC-016 | TLS-RPT Not Configured | Low | Open |
| CSC-017 | security.txt Not Present | Low | Open |
| CSC-018 | DANE/TLSA Records Not Present | Info | Open |
| CSC-019 | BIMI Record Not Configured | Info | Open |
| CSC-020 | Significant Subdomain Footprint with Test/Development Exposure | Info | Open |
| CSC-021 | No IPv6 (AAAA) DNS Record | Info | Open |
| CSC-022 | DNSBL Canary Check Blocked — Blacklist Results May Be Unreliable | Info | Open |
Assessment Scope
What was tested, how, and what limitations apply
In Scope
- ✓ DNS records & configuration
- ✓ Email authentication (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE)
- ✓ HTTP security headers
- ✓ SSL/TLS configuration
- ✓ DNSBL / blacklist checking
- ✓ SMTP analysis
- ✓ OSINT & historical intelligence
- ✓ Compliance framework alignment
Out of Scope
- ✗ Application security testing
- ✗ Penetration testing
- ✗ Source code review
- ✗ Social engineering
- ✗ Internal network assessment
This assessment was performed using publicly available information only. No intrusive testing was conducted. Scan timestamp: 2026-03-05T09:13:03Z. Mode: Deep Scan.
Detailed Findings
22 findings identified, sorted by severity.
HTTPS Not Enforced — No HTTP to HTTPS Redirect
The domain cscc.com.au does not redirect HTTP requests to HTTPS. Users accessing http://cscc.com.au are served content over an unencrypted connection, exposing session data, credentials, and page content to interception. This undermines all TLS protections configured on the server.
Evidence
HTTP redirect chain test:
Hop 1: http://cscc.com.au → No redirect (status: null)
httpsEnforced: false
hasSslStripping: false
The site responds to HTTPS when explicitly requested but does not force the upgrade from HTTP.
Remediation
Add an HTTP→HTTPS redirect in the nginx configuration:
server {
listen 80;
server_name cscc.com.au www.cscc.com.au;
return 301 https://$host$request_uri;
}
If using Plesk, enable 'Permanent SEO-safe 301 redirect from HTTP to HTTPS' in the domain's SSL/TLS settings.
SPF Record Uses Softfail (~all) Instead of Hardfail (-all)
The SPF record terminates with ~all (softfail) rather than -all (hardfail). Softfail instructs receiving mail servers to accept but flag messages from unauthorised senders, rather than rejecting them outright. Combined with the DMARC quarantine policy, this weakens email authentication enforcement.
Evidence
SPF Record: v=spf1 a mx +ip4:103.11.147.216 ip4:122.99.92.170 ip4:103.79.108.181 ip4:20.28.44.31 ip4:35.189.61.203 ip4:52.186.121.110 include:venues.cscc.com.au include:_spf.salesforce.com include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com ~all
Qualifier: softfail
Mechanisms: 6 IP4 addresses, 5 includes
Note: +ip4:103.11.147.216 uses an explicit pass (+) qualifier which is redundant but harmless.
Remediation
Change the SPF qualifier from ~all to -all:
v=spf1 a mx ip4:103.11.147.216 ip4:122.99.92.170 ip4:103.79.108.181 ip4:20.28.44.31 ip4:35.189.61.203 ip4:52.186.121.110 include:venues.cscc.com.au include:_spf.salesforce.com include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com -all
Also remove the redundant + prefix from ip4:103.11.147.216 and consider whether all 6 IP addresses and 5 includes are still actively sending mail — unused mechanisms expand the trusted sender scope unnecessarily. Update the TXT record at cscc.com.au via DigiCert DNS (or your DNS provider).
DMARC Policy Set to Quarantine Instead of Reject
The DMARC policy is set to p=quarantine, which instructs receiving servers to deliver suspicious emails to spam/junk rather than rejecting them. This allows spoofed emails to still reach recipients, increasing phishing and brand impersonation risk.
Evidence
DMARC Record: v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:netabuse@cscc.com.au;ruf=mailto:netabuse@cscc.com.au
Policy: quarantine
Subdomain policy: none
Alignment: relaxed (adkim=r, aspf=r)
Reporting: aggregate + forensic to netabuse@cscc.com.au
Remediation
Upgrade the DMARC policy to reject after confirming legitimate senders are properly authenticated:
v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:netabuse@cscc.com.au;ruf=mailto:netabuse@cscc.com.au
Steps:
1. Monitor DMARC aggregate reports for 2-4 weeks at p=quarantine
2. Verify all legitimate senders pass SPF and/or DKIM alignment
3. Change p=quarantine to p=reject
4. Change sp=none to sp=reject (see CSC-004)
Update the TXT record at _dmarc.cscc.com.au via DigiCert DNS.
DMARC Subdomain Policy Set to None (sp=none)
The DMARC subdomain policy is sp=none, meaning emails sent from any subdomain of cscc.com.au (e.g., fake.cscc.com.au) have no DMARC enforcement. Attackers can spoof subdomain addresses to bypass the quarantine policy on the parent domain. With 21+ subdomains visible in CT logs, this significantly expands the phishing attack surface.
Evidence
DMARC Record: sp=none
Subdomains visible in Certificate Transparency: *.cscc.com.au, intranet.cscc.com.au, shop.cscc.com.au, starrewards.cscc.com.au, bcprod.cscc.com.au, bctest.cscc.com.au, csccapi.cscc.com.au, dev.cscc.com.au, order.cscc.com.au, payments.cscc.com.au, taskportal.cscc.com.au, tasktestportal.cscc.com.au, mobileapi.cscc.com.au, webdisk.cscc.com.au
Any of these subdomain addresses can be spoofed without DMARC enforcement.
Remediation
Change sp=none to sp=reject in the DMARC record:
sp=reject
If subdomains legitimately send email, ensure they have their own SPF and DKIM records. If they don't send email, sp=reject will prevent spoofing without affecting legitimate traffic. Update the TXT record at _dmarc.cscc.com.au.
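The three email-authentication findings above (CSC-002, CSC-003, CSC-004) all come down to reading a TXT record and checking a qualifier or a tag. The following is an added example, not part of the assessment report or any scanner's code: an offline evaluator that parses an SPF record and a DMARC record and reports the same weaknesses the findings describe (softfail on `all`, a redundant explicit `+`, too many lookup-causing terms, `p` and `sp` below `reject`). The record strings are constructed copies of the ones quoted in the evidence; no DNS queries are made.

```python
"""Offline evaluator for SPF and DMARC TXT records (added example, not report code)."""

# Constructed copies of the records quoted in the findings; nothing is looked up.
SPF_RECORD = (
    "v=spf1 a mx +ip4:103.11.147.216 ip4:122.99.92.170 ip4:103.79.108.181 "
    "ip4:20.28.44.31 ip4:35.189.61.203 ip4:52.186.121.110 "
    "include:venues.cscc.com.au include:_spf.salesforce.com "
    "include:spf.protection.outlook.com include:sendgrid.net "
    "include:spf.mandrillapp.com ~all"
)
DMARC_RECORD = (
    "v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=1;rf=afrf;"
    "ri=86400;rua=mailto:netabuse@cscc.com.au;ruf=mailto:netabuse@cscc.com.au"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost a DNS lookup against the RFC 7208 limit of 10
# (this counts only the top-level record; includes add their own lookups).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF record into terms with their explicit or implied qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for raw in terms[1:]:
        explicit = raw[0] in QUALIFIERS
        qualifier, body = (raw[0], raw[1:]) if explicit else ("+", raw)
        # Modifiers use name=value (redirect=, exp=); mechanisms use name[:value].
        uses_equals = "=" in body and (":" not in body or body.index("=") < body.index(":"))
        name, _, value = body.partition("=" if uses_equals else ":")
        parsed.append({"raw": raw, "qualifier": qualifier, "explicit": explicit,
                       "name": name.lower(), "value": value})
    return parsed


def assess_spf(record):
    """Return the 'all' qualifier, lookup count, and a list of issues for an SPF record."""
    terms = parse_spf(record)
    issues = []
    all_terms = [t for t in terms if t["name"] == "all"]
    all_qualifier = QUALIFIERS[all_terms[-1]["qualifier"]] if all_terms else None
    if all_qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get an implicit neutral result")
    elif all_qualifier != "fail":
        issues.append(f"'all' is {all_qualifier}; use -all so unauthorised senders fail")
    explicit_pass = [t["raw"] for t in terms if t["explicit"] and t["qualifier"] == "+"]
    if explicit_pass:
        issues.append("redundant explicit '+' qualifier on: " + ", ".join(explicit_pass))
    lookups = sum(1 for t in terms if t["name"] in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} lookup-causing terms exceed the limit of 10 (permerror)")
    return {"all_qualifier": all_qualifier, "lookup_terms": lookups,
            "explicit_pass": explicit_pass, "issues": issues}


def parse_dmarc(record):
    """Turn 'tag=value;tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record):
    """Flag a DMARC record whose domain or subdomain policy is weaker than reject."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p")
    subdomain_policy = tags.get("sp", policy)  # RFC 7489: sp defaults to p when absent
    if policy is None:
        issues.append("missing required p= tag")
    elif policy != "reject":
        issues.append(f"p={policy}: spoofed mail is not rejected outright")
    if subdomain_policy != "reject":
        issues.append(f"sp={subdomain_policy}: subdomains are not covered by a reject policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return {"policy": policy, "subdomain_policy": subdomain_policy,
            "pct": pct, "issues": issues}


if __name__ == "__main__":
    for label, result in (("SPF", assess_spf(SPF_RECORD)), ("DMARC", assess_dmarc(DMARC_RECORD))):
        print(label, result)
```

Running it against the report's records yields two SPF issues (softfail and the explicit `+`) and two DMARC issues (`p=quarantine`, `sp=none`); applying the remediated records from the findings clears all four. The lookup counter only sees the top-level record, so a real audit would also expand each `include:`.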
HTTP Strict Transport Security (HSTS) Header Not Present
The HSTS header is not configured, meaning browsers will not enforce HTTPS connections on subsequent visits. Without HSTS, users are vulnerable to SSL stripping attacks on every page load, even if HTTPS is available. This is compounded by the lack of HTTP→HTTPS redirect (CSC-001).
Evidence
Response Headers (https://cscc.com.au):
strict-transport-security: NOT PRESENT
HSTS Details:
exists: false
maxAge: 0
includeSubDomains: false
preload: false
HSTS Preload List: Not enrolled
Remediation
Add the HSTS header in nginx configuration:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
If using Plesk, add this via Apache & nginx Settings → Additional nginx directives. After confirming HSTS works correctly for at least 6 months, submit for HSTS preload at https://hstspreload.org/
Content Security Policy (CSP) Not Configured
No Content Security Policy header is present. CSP is the primary browser-side defence against Cross-Site Scripting (XSS) and data injection attacks. Without it, the WordPress site is more vulnerable to script injection, especially given the detected third-party integrations (The Events Calendar API, LiteSpeed Cache).
Evidence
Response Headers (https://cscc.com.au):
content-security-policy: NOT PRESENT
CSP Analysis:
directives: []
raw: null
Detected technologies that would benefit from CSP:
CMS: WordPress
API: x-tec-api-version: v1 (The Events Calendar)
Cache: x-litespeed-tag: b96_HTTP.200
Remediation
Implement a Content Security Policy. Start with report-only mode to identify violations:
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" always;
Monitor the browser console for violations, refine the policy, then switch to enforcing mode:
add_header Content-Security-Policy "..." always;
Without a report-uri or report-to directive, violations are only visible in each visitor's browser console; add one if you want them collected centrally. WordPress may require 'unsafe-inline' and 'unsafe-eval' for script-src initially — work toward nonce-based CSP over time.
PHP Version and Hosting Platform Disclosed via X-Powered-By Header
The X-Powered-By header reveals PHP/8.1.34 and PleskLin (Plesk on Linux). PHP 8.1 reached end of security support on 31 December 2025 and no longer receives security patches. Running an EOL PHP version on a public-facing WordPress site represents a significant vulnerability — known CVEs will not be patched. The version disclosure also aids attackers in targeting version-specific exploits.
Evidence
Response Header: x-powered-by: PHP/8.1.34,PleskLin
PHP 8.1 EOL Timeline:
Active support ended: 25 November 2023
Security support ended: 31 December 2025
Current status: UNSUPPORTED (64+ days past EOL)
Additional disclosure:
server: nginx (no version number — good)
x-tec-api-version: v1 (The Events Calendar plugin)
x-litespeed-tag: b96_HTTP.200 (LiteSpeed Cache plugin)
Remediation
1. IMMEDIATE: Remove the X-Powered-By header:
In php.ini: expose_php = Off
Or in nginx: fastcgi_hide_header X-Powered-By;
Or in Plesk: PHP Settings → expose_php = Off
2. URGENT: Upgrade PHP to a supported version:
PHP 8.2 (security support until Dec 2026)
PHP 8.3 (security support until Dec 2027) — recommended
PHP 8.4 (security support until Dec 2028) — latest
Test WordPress and plugin compatibility before upgrading. In Plesk: Websites & Domains → PHP Settings → PHP version.
3. Also hide the x-tec-api-version, x-tec-api-origin, x-tec-api-root and x-litespeed-tag headers:
fastcgi_hide_header X-Tec-Api-Version;
fastcgi_hide_header X-Tec-Api-Origin;
fastcgi_hide_header X-Tec-Api-Root;
fastcgi_hide_header X-Litespeed-Tag;
SMTP STARTTLS Support Not Verified
The scan was unable to confirm STARTTLS support on the MX server. The MX record points to Microsoft 365 Exchange Online Protection (cscc-com-au.mail.protection.outlook.com), which typically supports STARTTLS by default. However, the EHLO response captured during scanning only returned the greeting line, not the full capability list including STARTTLS. Without confirmed STARTTLS, inbound email may transit in plaintext.
Evidence
MX Record: cscc-com-au.mail.protection.outlook.com (priority 0)
SMTP Banner: 220 ML1PEPF0000F179.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready
EHLO Response (incomplete): ML1PEPF0000F179.mail.protection.outlook.com Hello [[scanner-ip]]
STARTTLS: Not detected in scan
REQUIRETLS: Not advertised
PTR: mail-meupr01cu00200.inbound.protection.outlook.com ✓
Note: Microsoft 365 EOP supports STARTTLS by default. The scan may not have captured the full EHLO capabilities. Manual verification recommended.
Remediation
1. Manually verify STARTTLS support:
openssl s_client -connect cscc-com-au.mail.protection.outlook.com:25 -starttls smtp
Or, to confirm only that port 25 is reachable (this does not exercise STARTTLS itself): Test-NetConnection cscc-com-au.mail.protection.outlook.com -Port 25
2. If STARTTLS is confirmed working (expected for M365), this finding can be downgraded to informational.
3. Implement MTA-STS (see CSC-011) to enforce TLS for inbound email — this provides a stronger guarantee than opportunistic STARTTLS.
4. Configure REQUIRETLS if supported by your mail provider to mandate TLS for outbound email.
X-Frame-Options Header Not Present
The X-Frame-Options header is not set, leaving the site vulnerable to clickjacking attacks where an attacker embeds the site in a hidden iframe to trick users into unintended actions.
Evidence
Response Headers (https://cscc.com.au):
x-frame-options: NOT PRESENT
Security Header Score: 0/9 (F)
Remediation
Add the X-Frame-Options header in nginx configuration:
add_header X-Frame-Options "SAMEORIGIN" always;
Or via Plesk: Apache & nginx Settings → Additional nginx directives.
Note: the CSP frame-ancestors directive (CSC-006) provides equivalent protection in modern browsers.
X-Content-Type-Options Header Not Present
The X-Content-Type-Options header is not set, allowing browsers to MIME-sniff response content. This can lead to security issues where browsers interpret uploaded files as executable content.
Evidence
Response Headers (https://cscc.com.au):
x-content-type-options: NOT PRESENT
Security Header Score: 0/9 (F)
Remediation
Add the header in nginx configuration:
add_header X-Content-Type-Options "nosniff" always;
This is a one-line change with no compatibility risk — it should always be enabled.
MTA-STS Not Configured
No MTA-STS (Mail Transfer Agent Strict Transport Security) record or policy is configured. MTA-STS tells sending mail servers to require TLS when delivering email to the domain, preventing downgrade attacks on email in transit. Without it, email delivery can be silently downgraded to plaintext by a man-in-the-middle attacker.
Evidence
DNS TXT _mta-sts.cscc.com.au: No record found
MTA-STS mode: null
MX: cscc-com-au.mail.protection.outlook.com (Microsoft 365)
STARTTLS: Not verified (see CSC-008)
Remediation
1. Create a DNS TXT record:
_mta-sts.cscc.com.au TXT "v=STSv1; id=20260305"
2. Host a policy file at https://mta-sts.cscc.com.au/.well-known/mta-sts.txt (it must be served over HTTPS with a certificate valid for mta-sts.cscc.com.au, or senders will ignore it):
version: STSv1
mode: testing
mx: cscc-com-au.mail.protection.outlook.com
max_age: 86400
3. Monitor for 2-4 weeks in testing mode, then change to mode: enforce
4. Increment the id value each time the policy changes.
DNSSEC Not Enabled
DNSSEC is not enabled for cscc.com.au, meaning DNS responses are not cryptographically signed. This leaves the domain vulnerable to DNS spoofing and cache poisoning attacks, where an attacker could redirect traffic to malicious servers.
Evidence
DNSSEC: Disabled
Nameservers: DigiCert DNS (ns10-15.digicertdns.com/net)
Note: DigiCert DNS supports DNSSEC signing.
Remediation
Enable DNSSEC through your DNS provider (DigiCert DNS):
1. Contact DigiCert DNS support or access the DNS management portal
2. Enable DNSSEC signing for cscc.com.au
3. Add the DS record to the .com.au registry via your domain registrar
4. Verify with: dig cscc.com.au +dnssec
For .com.au domains, DS record submission goes through the registrar (registrar ID: 802255).
CAA Records Not Configured
No Certification Authority Authorization (CAA) records are present. CAA records specify which Certificate Authorities are permitted to issue certificates for the domain. Without CAA, any CA can issue a certificate for cscc.com.au, increasing the risk of unauthorized certificate issuance. This is notable given the domain uses both Let's Encrypt and Starfield (GoDaddy) certificates.
Evidence
CAA Records: None found
Current certificate issuers from CT logs:
- Let's Encrypt (cscc.com.au, starrewards.cscc.com.au, intranet.cscc.com.au)
- Starfield Technologies (*.cscc.com.au wildcard)
- Google Trust Services (starrewards.cscc.com.au, shop.cscc.com.au)
Multiple CA usage suggests different teams/services managing subdomains independently.
Remediation
Add CAA records to restrict certificate issuance to known CAs:
cscc.com.au. CAA 0 issue "letsencrypt.org"
cscc.com.au. CAA 0 issue "starfieldtech.com"
cscc.com.au. CAA 0 issue "pki.goog"
cscc.com.au. CAA 0 issuewild "starfieldtech.com"
cscc.com.au. CAA 0 iodef "mailto:netabuse@cscc.com.au"
Add via DigiCert DNS management portal.
Referrer-Policy Header Not Present
No Referrer-Policy header is set. Without it, browsers use the default policy which may leak URL paths and query parameters to third-party sites when users navigate away.
Evidence
Response Headers (https://cscc.com.au):
referrer-policy: NOT PRESENT
Security Header Score: 0/9 (F)
Remediation
Add the header in nginx configuration:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
This provides a good balance between privacy and functionality — same-origin requests get the full referrer, cross-origin requests only get the origin.
Permissions-Policy Header Not Present
No Permissions-Policy header is configured. This header controls which browser features (camera, microphone, geolocation, etc.) can be used by the site and embedded content, reducing the attack surface of the application.
Evidence
Response Headers (https://cscc.com.au):
permissions-policy: NOT PRESENT
Security Header Score: 0/9 (F)
Remediation
Add the header in nginx configuration:
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
This disables sensitive features that a club website is unlikely to need. Adjust if specific features are required.
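The header findings (CSC-005, CSC-006, CSC-007, CSC-009, CSC-010, CSC-014, CSC-015) are individually simple, but a practitioner wants one check that scores them together and also flags the disclosure headers that should be removed. The following is an added example, not part of the assessment report or any scanner's code: it audits a dictionary of response headers offline. The two header sets are constructed, one modelled on the evidence quoted above and one on what the remediations would produce; nothing is fetched, and the six headers it scores are the ones this report discusses, not the scanner's own nine.

```python
"""Offline audit of HTTP response headers (added example, not report code)."""
import re

# Constructed header set modelled on the evidence quoted in this report.
OBSERVED_HEADERS = {
    "Server": "nginx",
    "X-Powered-By": "PHP/8.1.34,PleskLin",
    "X-Tec-Api-Version": "v1",
    "X-Litespeed-Tag": "b96_HTTP.200",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed header set showing the remediations applied.
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Content-Type": "text/html; charset=UTF-8",
}

ONE_YEAR = 31536000
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
# Headers that reveal runtime, platform or plugin details and should be hidden.
DISCLOSURE_HEADERS = ("x-powered-by", "x-tec-api-version", "x-tec-api-origin",
                      "x-tec-api-root", "x-litespeed-tag")


def parse_hsts(value):
    """Return max-age and flags from a Strict-Transport-Security header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = 0  # malformed value: treat as no protection
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def audit_headers(headers):
    """Score the hardening headers this report covers and list version disclosures."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    passed, issues = [], []

    def check(name, ok, why):
        if ok:
            passed.append(name)
        else:
            issues.append(f"{name}: {why}")

    hsts = parse_hsts(h["strict-transport-security"]) if "strict-transport-security" in h else None
    check("Strict-Transport-Security", hsts is not None and hsts["max_age"] >= ONE_YEAR,
          "missing or max-age below one year")
    check("Content-Security-Policy", "content-security-policy" in h,
          "missing (a Report-Only header alone enforces nothing)")
    check("X-Frame-Options", h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"},
          "missing or not DENY/SAMEORIGIN")
    check("X-Content-Type-Options", h.get("x-content-type-options", "").lower() == "nosniff",
          "missing or not 'nosniff'")
    check("Referrer-Policy", h.get("referrer-policy", "").lower() in SAFE_REFERRER_POLICIES,
          "missing or leaks full URLs cross-origin")
    check("Permissions-Policy", "permissions-policy" in h, "missing")

    disclosures = [f"{name}: {h[name]}" for name in DISCLOSURE_HEADERS if name in h]
    if re.search(r"\d", h.get("server", "")):  # a bare product name is fine, a version is not
        disclosures.append(f"server: {h['server']}")
    return {"score": (len(passed), len(passed) + len(issues)),
            "passed": passed, "issues": issues, "disclosures": disclosures}


if __name__ == "__main__":
    print("observed:", audit_headers(OBSERVED_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

The observed set scores 0 of 6 with three disclosure headers, the hardened set 6 of 6 with none. The HSTS check deliberately rejects a short max-age, which a simple presence test would accept.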
TLS-RPT Not Configured
No TLS-RPT (TLS Reporting) record is configured. TLS-RPT provides reports from receiving mail servers about TLS negotiation failures, helping monitor email delivery security. This complements MTA-STS (CSC-011).
Evidence
DNS TXT _smtp._tls.cscc.com.au: No record found
Remediation
Add a DNS TXT record:
_smtp._tls.cscc.com.au TXT "v=TLSRPTv1; rua=mailto:netabuse@cscc.com.au"
This reuses the existing abuse reporting address. Consider a dedicated address or a third-party TLS-RPT processing service.
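Because MTA-STS (CSC-011) and TLS-RPT (CSC-016) are both easy to get subtly wrong (a bad mode keyword, a policy whose mx line does not actually match the MX host, an id that is not alphanumeric), it helps to validate the records and the policy file before publishing. The following is an added example, not part of the assessment report or any scanner's code: it checks the MTA-STS TXT record and policy file against the RFC 8461 rules and the TLS-RPT record against RFC 8460. The inputs are constructed copies of the remediation text above; nothing is fetched or resolved, and the MX host list is supplied by hand.

```python
"""Offline validator for MTA-STS and TLS-RPT (added example, not report code)."""
import re

# Constructed inputs mirroring the remediation text in this report.
MTA_STS_TXT = "v=STSv1; id=20260305"
MTA_STS_POLICY = """version: STSv1
mode: testing
mx: cscc-com-au.mail.protection.outlook.com
max_age: 86400
"""
ACTUAL_MX_HOSTS = ["cscc-com-au.mail.protection.outlook.com"]  # supplied by hand, not resolved
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:netabuse@cscc.com.au"

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is at most one year in seconds


def parse_tag_value(record):
    """Parse 'k=v; k=v' DNS TXT syntax into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_mta_sts_policy(text):
    """Parse the 'key: value' policy file; mx may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: a leading '*.' covers exactly one leftmost label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate_mta_sts(txt_record, policy_text, mx_hosts):
    """Return the parsed mode and max_age plus a list of problems found."""
    problems = []
    tags = parse_tag_value(txt_record)
    if tags.get("v") != "STSv1":
        problems.append("TXT record: missing or wrong v= tag")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        problems.append("TXT record: id must be 1-32 alphanumeric characters")
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy: version must be STSv1")
    mode = policy.get("mode")
    if mode not in {"testing", "enforce", "none"}:
        problems.append(f"policy: invalid mode {mode!r}")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append(f"policy: max_age {max_age} out of range")
    except ValueError:
        max_age = None
        problems.append("policy: max_age missing or not an integer")
    if not policy["mx"]:
        problems.append("policy: no mx lines")
    for host in mx_hosts:
        if not any(mx_matches(p, host.lower()) for p in policy["mx"]):
            problems.append(f"policy: MX host {host} is not covered by any mx line")
    return {"mode": mode, "max_age": max_age, "problems": problems}


def validate_tlsrpt(record):
    """Check the TLS-RPT version tag and that every rua= destination is mailto: or https:."""
    tags = parse_tag_value(record)
    problems = []
    if tags.get("v") != "TLSRPTv1":
        problems.append("missing or wrong v= tag")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= reporting destination")
    for uri in rua:
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            problems.append(f"unsupported rua destination {uri}")
    return {"rua": rua, "problems": problems}


if __name__ == "__main__":
    print(validate_mta_sts(MTA_STS_TXT, MTA_STS_POLICY, ACTUAL_MX_HOSTS))
    print(validate_tlsrpt(TLSRPT_TXT))
```

The wildcard rule is the part people trip over: an mx line of `*.outlook.com` would not cover a four-label host such as the one in this report, and the validator reports that rather than silently accepting it.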
security.txt Not Present
No security.txt file exists at /.well-known/security.txt (RFC 9116). This file provides security researchers with a standardised way to report vulnerabilities, contact information, and disclosure policies.
Evidence
security.txt: Not found
Checked: https://cscc.com.au/.well-known/security.txt
Remediation
Create a file at /.well-known/security.txt:
Contact: mailto:netabuse@cscc.com.au
Expires: 2027-03-05T00:00:00.000Z
Preferred-Languages: en
Canonical: https://www.cscc.com.au/.well-known/security.txt
Host in WordPress: add the file to the site root, or use a plugin like WP Security.txt.
DANE/TLSA Records Not Present
No DANE (DNS-Based Authentication of Named Entities) or TLSA records are configured. DANE provides certificate pinning at the DNS level for SMTP. This is informational as DANE adoption remains low and requires DNSSEC (which is also not enabled).
Evidence
DANE/TLSA records: None found
DNSSEC: Not enabled (prerequisite for DANE)
Remediation
DANE requires DNSSEC to be enabled first (see CSC-012). After enabling DNSSEC, consider adding TLSA records for the MX server. This is a low priority given current industry adoption rates.
BIMI Record Not Configured
No BIMI (Brand Indicators for Message Identification) record is present. BIMI displays a verified brand logo next to emails in supporting clients (Gmail, Apple Mail, Yahoo). It requires DMARC p=reject as a prerequisite.
Evidence
DNS TXT default._bimi.cscc.com.au: No record found
DMARC policy: quarantine (must be reject for BIMI)
Prerequisite chain: DMARC p=reject → VMC certificate → BIMI record
Remediation
After upgrading DMARC to p=reject (CSC-003):
1. Obtain a Verified Mark Certificate (VMC) from DigiCert or Entrust
2. Host the SVG logo at a public URL
3. Add DNS record:
default._bimi.cscc.com.au TXT "v=BIMI1; l=https://www.cscc.com.au/logo.svg; a=https://www.cscc.com.au/vmc.pem"
Significant Subdomain Footprint with Test/Development Exposure
Certificate Transparency logs reveal 21 subdomains, including several test/development environments that may expose internal systems or unfinished features. While not inherently a vulnerability, this increases the attack surface and provides reconnaissance information.
Evidence
Subdomains found in CT logs (21):
Production: cscc.com.au, www.cscc.com.au, shop.cscc.com.au, starrewards.cscc.com.au, order.cscc.com.au, payments.cscc.com.au
Internal: intranet.cscc.com.au, www.intranet.cscc.com.au
API: csccapi.cscc.com.au, mobileapi.cscc.com.au
Test/Dev: bctest.cscc.com.au, dev.cscc.com.au, cscctesttolo.cscc.com.au, tasktestportal.cscc.com.au
Production support: bcprod.cscc.com.au, taskportal.cscc.com.au
Legacy/Other: cscc-krypton-ex.cscc.com.au, webdisk.cscc.com.au
Misconfigured: snapperandco.com.au.cscc.com.au (looks like a CNAME misconfiguration)
External: snapperandco.com.au
Wildcard: *.cscc.com.au, *.intranet.cscc.com.au
Test/dev subdomains suggest staging environments that should be access-restricted.
Remediation
1. Audit all subdomains — decommission any that are no longer needed
2. Restrict test/dev subdomains behind VPN or IP allowlist
3. Investigate snapperandco.com.au.cscc.com.au — appears to be a misconfigured CNAME
4. Consider using private CAs for internal/test certificates to avoid CT log exposure
5. Ensure DMARC sp=reject (CSC-004) to prevent subdomain email spoofing
No IPv6 (AAAA) DNS Record
The domain has no AAAA (IPv6) record. While not a security issue, IPv6 support is increasingly expected and may be required by some government compliance frameworks.
Evidence
AAAA records: None
A record: 35.189.61.203 (Google Cloud, Sydney)
Google Cloud supports IPv6 — enabling it would require a load balancer configuration change.
Remediation
Consider enabling IPv6 on the Google Cloud infrastructure. This is low priority unless required by specific compliance or accessibility mandates.
DNSBL Canary Check Blocked — Blacklist Results May Be Unreliable
The DNSBL canary check returned 'blocked', indicating that the scanning IP may be rate-limited or blocked by some blacklist providers. The blacklist results showing 'clean' for all providers should be independently verified.
Evidence
Canary check: blocked
IP blacklist checks (5 providers): All clear
zen.spamhaus.org: Not listed
bl.spamcop.net: Not listed
b.barracudacentral.org: Not listed
dnsbl.sorbs.net: Not listed
cbl.abuseat.org: Not listed
Domain blacklist checks (4 providers): All clear
dbl.spamhaus.org: Not listed
multi.uribl.com: Not listed
multi.surbl.org: Not listed
black.uribl.com: Not listed
Note: Results may be false negatives due to canary failure.
Remediation
Independently verify blacklist status using:
- https://mxtoolbox.com/blacklists.aspx
- https://www.dnsbl.info/
- https://hetrixtools.com/blacklist-check/
Set up ongoing monitoring with HetrixTools or UptimeRobot for proactive blacklist alerting.
Risk Matrix
Findings plotted by likelihood and impact
Compliance & Framework Assessment
Alignment against 9 industry frameworks
| Id | Control | Status | Evidence |
|---|---|---|---|
| ISM-0574 | SPF specification | pass | SPF record present with comprehensive mechanisms |
| ISM-1151 | SPF verification | fail | SPF uses softfail (~all) instead of hardfail (-all) |
| ISM-0269 | DKIM records | pass | 7 DKIM selectors found: selector1, selector2, k2, k3, mandrill, s1, s2 |
| ISM-1540 | DMARC configuration | pass | DMARC record present with aggregate and forensic reporting |
| ISM-1799 | DMARC enforcement | fail | DMARC p=quarantine (not reject), sp=none |
| ISM-0569 | Email gateway routing | pass | MX points to Microsoft 365 EOP (cscc-com-au.mail.protection.outlook.com) |
| ISM-1589 | MTA-STS enforcement | fail | No MTA-STS record or policy configured |
| ISM-1590 | TLS-RPT reporting | fail | No TLS-RPT record configured |
| ISM-1026 | SMTP STARTTLS | fail | STARTTLS not verified (scan captured incomplete EHLO) |
| ISM-1552 | HTTPS enforcement | fail | HTTP does not redirect to HTTPS |
| ISM-1139 | TLS version compliance | pass | TLS 1.2 and 1.3 only — TLS 1.0 and 1.1 disabled |
| ISM-1369 | Perfect forward secrecy | pass | PFS enabled (TLS 1.3 with AES-256) |
| ISM-1372 | Strong cipher suites | pass | AES-256 cipher via TLS 1.3 |
| ISM-1448 | Certificate validity | pass | Certificate valid until 2026-04-12 (38 days remaining) |
| ISM-1553 | Certificate authority trust | pass | Let's Encrypt R13 — trusted public CA |
| ISM-1563 | Certificate key strength | pass | Certificate issued by trusted CA with standard key strength |
| ISM-1485 | Security headers | fail | No HSTS, X-Content-Type-Options, or X-Frame-Options headers present |
| ISM-1486 | HSTS configuration | fail | HSTS not configured — no header present |
| ISM-1488 | Content Security Policy | fail | No CSP header present |
| ISM-1489 | Clickjacking protection | fail | No X-Frame-Options header present |
| ISM-0659 | Content filtering | fail | No CAA records and no CSP configured |
| ISM-1157 | Gateway security | fail | No WAF or CDN detected — direct nginx exposure on Google Cloud |
| ISM-1490 | Cookie security | pass | No cookies set on the homepage response — no cookie security issues detected |
| ISM-1706 | DNSSEC | fail | DNSSEC not enabled |
| ISM-1707 | CAA records | fail | No CAA records configured |
| ISM-1710 | Nameserver diversity | pass | 6 nameservers across 2 provider domains (digicertdns.com and digicertdns.net) |
| ISM-0580 | Zone transfer protection | pass | Managed DNS (DigiCert DNS) — zone transfers restricted by provider |
| ISM-1373 | HSTS preload enrolment | fail | Not on HSTS preload list and HSTS header not configured |
| ISM-1554 | TLS downgrade prevention | pass | TLS 1.0 and 1.1 disabled — only 1.2 and 1.3 supported |
| ISM-1374 | Certificate transparency | pass | 50 certificates visible in CT logs — active certificate issuance monitoring possible |
| ISM-1579 | Domain reputation | partial | Not listed on checked DNSBLs, but canary check blocked — results may be unreliable |
| ISM-1580 | Subdomain management | partial | 21 subdomains in CT including test/dev environments. snapperandco.com.au.cscc.com.au appears misconfigured. |
| ISM-1412 | Server info disclosure | fail | X-Powered-By: PHP/8.1.34,PleskLin — reveals PHP version, hosting platform, and plugin versions |
| ISM-1416 | Directory listing | pass | No directory listing detected on homepage |
| ISM-0994 | HTTP method restriction | pass | Standard methods allowed — no evidence of dangerous methods exposed |
| ISM-1557 | CORS policy | pass | No Access-Control-Allow-Origin header — CORS not configured (restrictive by default) |
| ISM-1558 | Referrer policy | fail | No Referrer-Policy header present |
| ISM-1559 | Permissions policy | fail | No Permissions-Policy header present |
| Control | Status | Evidence |
|---|---|---|
| INFOSEC-3: Email authentication | partial | SPF ✓ (softfail), DKIM ✓ (7 selectors), DMARC ✓ (quarantine) |
| INFOSEC-4: Web security | fail | 0/9 security headers present, PHP version disclosed |
| INFOSEC-5: DMARC enforcement | fail | p=quarantine (not reject), sp=none |
| INFOSEC-6: DNSSEC and CAA | fail | No DNSSEC, no CAA records |
| INFOSEC-7: TLS standards | partial | TLS 1.3 + PFS ✓, but no HSTS and no HTTP→HTTPS redirect |
| INFOSEC-8: Certificate management | pass | Valid Let's Encrypt cert, auto-renewal, 38 days remaining |
| INFOSEC-9: Content security | fail | No CSP configured |
| INFOSEC-10: E8 alignment | fail | ML0 across Application Control, Patch Apps, User App Hardening |
| INFOSEC-11: Email encryption | fail | No MTA-STS, no TLS-RPT, STARTTLS not verified |
| GOVSEC-3: Information disclosure | fail | PHP version, hosting platform (PleskLin), and plugin info disclosed in headers |
| Control | Status | Evidence |
|---|---|---|
| Encrypt sensitive data in transit | partial | TLS 1.3 ✓ but HTTPS not enforced |
| DNS filtering | fail | No DNSSEC enabled |
| DMARC enforcement | fail | DMARC p=quarantine, sp=none (not reject) |
| Content blocking | fail | No CSP configured |
| DNS infrastructure | partial | 6 diverse nameservers ✓, but no DNSSEC and no CAA |
| Network monitoring | fail | No WAF detected, no monitoring indicators |
| Encrypt web traffic | partial | TLS 1.3 ✓ but no HSTS and no HTTP→HTTPS redirect |
Overall CSF Score: 37% (11/30)
| Control | Status | Evidence |
|---|---|---|
| System configuration | fail | PHP version and hosting platform disclosed in headers |
| Strong cryptography | pass | TLS 1.3, AES-256, PFS enabled |
| Web application security | fail | No CSP, no security headers |
| Vulnerability identification | fail | PHP 8.1 EOL — known vulnerabilities unpatched |
| Public-facing protection | fail | No WAF detected |
| Vulnerability scanning | partial | No evidence of regular scanning — missing controls suggest gaps |
| Security policy | fail | No security.txt published |
| Control | Status | Evidence |
|---|---|---|
| Firewalls | fail | No WAF detected — direct nginx exposure on Google Cloud |
| Secure configuration | fail | PHP EOL, information disclosure, 0/9 security headers |
| User access control | partial | wp-admin restricted via robots.txt — insufficient for access control |
| Malware protection | fail | No CSP to restrict script execution in browser |
| Patch management | fail | PHP 8.1 past EOL (64+ days) |
| Control | Status | Evidence |
|---|---|---|
| Broken Access Control | partial | No X-Frame-Options — clickjacking possible. CORS restrictive ✓. |
| Cryptographic Failures | partial | TLS 1.3+PFS ✓ but HTTPS not enforced |
| Injection | partial | No CSP to mitigate XSS. WordPress with plugins increases injection risk. |
| Security Misconfiguration | fail | 0/9 security headers, PHP EOL, version disclosure, no security.txt |
| Vulnerable and Outdated Components | fail | PHP 8.1.34 past EOL — 64+ days without security patches |
| Security Logging and Monitoring Failures | fail | No WAF, no security.txt, no evidence of monitoring |
| Control | Status | Evidence |
|---|---|---|
| Information transfer | partial | TLS 1.3 available but email transport security not enforced (no MTA-STS) |
| Cloud services | pass | Google Cloud (australia-southeast1) + Microsoft 365 — reputable cloud providers |
| Legal requirements | partial | Australian hosting (Sydney), but privacy/security controls incomplete |
| Compliance | fail | Multiple ISM/PSPF/E8 compliance gaps identified |
| Endpoint devices (HSTS) | fail | No HSTS — browsers not instructed to enforce HTTPS |
| Malware protection (CSP) | fail | No CSP — no browser-side script injection protection |
| Configuration management | fail | PHP EOL, information disclosure, missing security headers |
| Information deletion | pass | No evidence of exposed data or backup files |
| Data leakage | partial | No Referrer-Policy — potential URL leakage to third parties |
| Network security | partial | TLS 1.3 ✓, PFS ✓, but no DNSSEC and no WAF detected |
| Network services | pass | Managed DNS (DigiCert), managed email (Microsoft 365) |
| Web filtering | fail | No CSP, no CAA records |
| Use of cryptography | pass | TLS 1.3, AES-256, PFS — strong cryptographic configuration |
| Secure development | partial | WordPress CMS detected. PHP EOL is a development lifecycle concern. |
| Application security | fail | No security headers, no CSP, no clickjacking protection |
Email Security Deep Dive
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE, and BIMI analysis
| Protocol | Status | Details |
|---|---|---|
| SPF | Found | v=spf1 a mx +ip4:103.11.147.216 ip4:122.99.92.170 ip4:103.79.108.181 ip4:20.28.44.31 ip4:35.189.61.203 ip4:52.186.121.110 include:venues.cscc.com.au include:_spf.salesforce.com include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com ~all (Qualifier: softfail) |
| DKIM | Found | Checked 20 selectors; found: selector1, selector2, k2, k3, mandrill, s1, s2 |
| DMARC | Found | v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:netabuse@cscc.com.au;ruf=mailto:netabuse@cscc.com.au (Policy: quarantine) |
| MTA-STS | Missing | No MTA-STS policy |
| TLS-RPT | Missing | No TLS-RPT record |
| DANE/TLSA | Not Found | No TLSA records |
| BIMI | Not Found | No BIMI record |
SPF Mechanism Analysis
a
mx
+ip4:103.11.147.216
ip4:122.99.92.170
ip4:103.79.108.181
ip4:20.28.44.31
ip4:35.189.61.203
ip4:52.186.121.110
include:venues.cscc.com.au
include:_spf.salesforce.com
include:spf.protection.outlook.com
include:sendgrid.net
include:spf.mandrillapp.com
~all
DNS & Domain Infrastructure
Nameservers, records, and DNSSEC status
| Record Type | Value |
|---|---|
| NS | ns10.digicertdns.com ns11.digicertdns.com ns12.digicertdns.com ns13.digicertdns.net ns14.digicertdns.net ns15.digicertdns.net |
| MX | cscc-com-au.mail.protection.outlook.com |
| A | 35.189.61.203 |
| AAAA | |
| SOA | ns10.digicertdns.com dns.digicertdns.com 2009010166 |
| CAA | |
| DNSSEC | Not Enabled |
Infrastructure Geolocation
| IP | Location | ISP / Org |
|---|---|---|
| 35.189.61.203 | Sydney, Australia | Google LLC |
DNS Quality Metrics
Nameserver diversity, propagation, and configuration health
DNS Propagation Check
DNS resolution is consistent across global resolvers.
| Resolver | Results |
|---|---|
| Google 8.8.8.8 | 35.189.61.203 |
| Cloudflare 1.1.1.1 | 35.189.61.203 |
| Quad9 9.9.9.9 | 35.189.61.203 |
| OpenDNS 208.67.222.222 | 35.189.61.203 |
TTL Values
| Record Type | TTL (seconds) |
|---|---|
| A | 75 |
| MX | 299 |
| NS | 3599 |
HTTP Security Headers
Analysis of security-related HTTP response headers
| Header | Status | Value |
|---|---|---|
| Strict-Transport-Security | Missing | — |
| Content-Security-Policy | Missing | — |
| X-Frame-Options | Missing | — |
| X-Content-Type-Options | Missing | — |
| Referrer-Policy | Missing | — |
| Permissions-Policy | Missing | — |
| X-XSS-Protection | Missing | — |
| Cross-Origin-Opener-Policy | Missing | — |
| Cross-Origin-Resource-Policy | Missing | — |
| Cross-Origin-Embedder-Policy | Missing | — |
| Cache-Control | Missing | — |
| Server | Present | nginx |
Cookie, CORS & Web Security
Cookie flags, CORS policy, mixed content, and CSP analysis
CORS Policy
Access-Control-Allow-Origin: Not set
CSP Analysis
{
"directives": [],
"raw": null,
"missingDirectives": []
}
Blacklist & Email Reputation
DNSBL and domain reputation checks
The DNS resolver is blocking DNSBL queries. Blacklist results below may be unreliable.
IP Blacklist Checks
| DNSBL | Status |
|---|---|
| zen.spamhaus.org | Clean |
| bl.spamcop.net | Clean |
| b.barracudacentral.org | Clean |
| dnsbl.sorbs.net | Clean |
| cbl.abuseat.org | Clean |
Domain Blacklist Checks
| DNSBL | Status |
|---|---|
| dbl.spamhaus.org | Clean |
| multi.uribl.com | Clean |
| multi.surbl.org | Clean |
| black.uribl.com | Clean |
MITM Attack Surface
Man-in-the-Middle resistance across web and email channels
Lower is better. Score based on detected vulnerabilities.
TLS Version Support
| Version | Supported | Status |
|---|---|---|
| TLSv1 | No | OK |
| TLSv1.1 | No | OK |
| TLSv1.2 | Yes | OK |
| TLSv1.3 | Yes | OK |
HSTS Preload Status
| Check | Result |
|---|---|
| Preloaded | No |
| Status | unknown |
HTTP → HTTPS Redirect Chain
Mixed Content
No mixed content detected
SMTP STARTTLS
| Check | Result |
|---|---|
| Connected | Yes |
| STARTTLS | Not Supported |
| Required (REQUIRETLS) | Opportunistic |
SMTP Analysis
Mail server banner, capabilities, and encryption
| Check | Result |
|---|---|
| Banner | 220 ML1PEPF0000F179.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 4 Mar 2026 23:13:17 +0000 [08DE79953A7B947B] |
| EHLO Capabilities | ML1PEPF0000F179.mail.protection.outlook.com Hello [[scanner-ip]] |
| STARTTLS | Not Supported |
| PTR Record | mail-meupr01cu00200.inbound.protection.outlook.com |
OSINT & Historical Intelligence
Certificate transparency, archived snapshots, and subdomain enumeration
Certificate Transparency Logs
| Common Name | Issuer | Not Before |
|---|---|---|
| *.cscc.com.au | C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 | 2026-02-15T22:31:13 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2026-02-04T02:11:35 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2026-02-04T02:11:35 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WE1 | 2026-01-25T04:20:50 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WR1 | 2026-01-25T04:20:38 |
| cscc.com.au | C=US, O=Let's Encrypt, CN=R13 | 2026-01-11T22:00:47 |
| cscc.com.au | C=US, O=Let's Encrypt, CN=R13 | 2026-01-11T22:00:47 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E7 | 2025-12-08T18:33:03 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E7 | 2025-12-08T18:33:03 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WE1 | 2025-11-26T23:54:46 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WE1 | 2025-11-26T23:54:46 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WR1 | 2025-11-26T23:54:30 |
| cscc.com.au | C=US, O=Let's Encrypt, CN=R12 | 2025-11-12T22:01:16 |
| cscc.com.au | C=US, O=Let's Encrypt, CN=R12 | 2025-11-12T22:01:16 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2025-11-10T20:04:34 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2025-11-10T20:04:34 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2025-11-08T03:32:35 |
| starrewards.cscc.com.au | C=US, O=Let's Encrypt, CN=E8 | 2025-11-08T03:32:35 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WE1 | 2025-09-28T19:25:57 |
| starrewards.cscc.com.au | C=US, O=Google Trust Services, CN=WE1 | 2025-09-28T19:25:57 |
Showing 20 of 50 certificates
Typosquatting & Similar Domains
Common misspellings and confusable domain variants that could be used for phishing or brand impersonation. These should be monitored or defensively registered.
39 variants generated: 12 tld variant, 3 homoglyph, 2 transposed, 16 adjacent key, 3 missing letter, 3 doubled letter
Showing 24 of 39 variants (highest-threat first)
Discovered Subdomains (21)
| Subdomain |
|---|
| *.cscc.com.au |
| *.intranet.cscc.com.au |
| bcprod.cscc.com.au |
| bctest.cscc.com.au |
| csccapi.cscc.com.au |
| cscc-krypton-ex.cscc.com.au |
| cscctesttolo.cscc.com.au |
| dev.cscc.com.au |
| intranet.cscc.com.au |
| mobileapi.cscc.com.au |
| order.cscc.com.au |
| payments.cscc.com.au |
| shop.cscc.com.au |
| snapperandco.com.au |
| snapperandco.com.au.cscc.com.au |
| starrewards.cscc.com.au |
| taskportal.cscc.com.au |
| tasktestportal.cscc.com.au |
| webdisk.cscc.com.au |
| www.cscc.net.au |
| www.intranet.cscc.com.au |
Technology Stack
Detected platform, CDN, WAF, and server details
| Component | Details |
|---|---|
| Server | nginx |
| TLS Version | TLS 1.3 |
| Cipher Suite | Aes256 |
| SSL Expiry | 2026-04-12 |
| Perfect Forward Secrecy | Yes |
Hosting & Infrastructure
Hosting provider, server software, CMS detection, and certificate history
| Component | Details |
|---|---|
| Hosting Provider | Google Cloud |
| ASN Organization | Google Cloud (australia-southeast1) |
| CMS Detected | WordPress |
Certificate Issuer History
| Issuer | Certificates | First Seen | Last Seen |
|---|---|---|---|
| — | 50 | 2025-06-02T10:26:43 | 2025-11-08T03:32:35 |
WHOIS & Domain Intelligence
Domain registration, expiry, registrant contacts, and TLD-specific status analysis via RDAP
Registrant contact details are redacted by a privacy/proxy service. The domain owner's identity is not publicly visible.
Domain Profile
| Field | Value |
|---|---|
| Registrar | 802255 |
| TLD | .com.au |
| Registrant Privacy | Yes (WHOIS privacy enabled) |
| RDAP Source | https://rdap.org/domain/cscc.com.au |
Domain Status Codes
| Status Code | Interpretation | Severity |
|---|---|---|
| server renew prohibited | Normal auDA behaviour — renewal handled at registry level | info |
Governed by the Australian Domain Administration (auDA). Registrants must meet Australian presence requirements.
serverRenewProhibited is standard auDA behaviour and does not indicate a problem.
RDAP Nameservers
ns11.digicertdns.com
ns12.digicertdns.com
ns13.digicertdns.net
ns14.digicertdns.net
SEO & Visibility
Meta tags, Open Graph, structured data, and sitemap analysis
| Check | Status | Details |
|---|---|---|
| Title Tag | Found | Canberra Southern Cross Club \| (30 chars) |
| Meta Description | Missing | — |
| Canonical URL | Found | https://www.cscc.com.au/ |
| Viewport Meta | Found | Present |
| JSON-LD Structured Data | Missing | — |
| Twitter Card | Missing | — |
| Sitemap | Found | Accessible (15 URLs) |
robots.txt Directives (4)
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://www.cscc.com.au/wp-sitemap.xml
⚠ Sensitive Paths Disclosed in robots.txt
These paths are publicly visible in robots.txt, revealing internal application structure to attackers.
/wp-admin/
Proactive Monitoring Recommendations
Recommended monitoring and alerting setup
| Monitor | Tool | Frequency |
|---|---|---|
| DNSBL monitoring | HetrixTools / MXToolbox | Every 6 hours |
| Certificate expiry monitoring | UptimeRobot / Cert Spotter | Daily |
| DMARC aggregate report analysis | Valimail / dmarcian / PowerDMARC | Weekly |
| Security header validation | securityheaders.com / Mozilla Observatory | Monthly |
| WordPress + PHP version monitoring | WPScan / Wordfence | Weekly |
| SSL/TLS configuration | SSL Labs / Qualys | Monthly |
Recommendations & Remediation Roadmap
Prioritized actions grouped by timeline
Immediate (0-48 hours)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| CSC-007 | High | Remove X-Powered-By header and upgrade PHP 8.1 to PHP 8.3 or 8.4 | 1-2h |
| CSC-001 | High | Add HTTP→HTTPS redirect in nginx configuration | 15min |
| CSC-005 | High | Add HSTS header with max-age=31536000 | 15min |
| CSC-009 | Medium | Add X-Frame-Options, X-Content-Type-Options headers | 15min |
| CSC-010 | Medium | Add X-Content-Type-Options: nosniff header | 5min |
Short Term (1-2 weeks)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| CSC-002 | High | Change SPF from ~all to -all after audit of sending sources | 1h |
| CSC-004 | High | Change DMARC sp=none to sp=reject | 15min |
| CSC-003 | High | Upgrade DMARC to p=reject after 2-4 weeks monitoring at quarantine | 1h |
| CSC-006 | High | Implement CSP in report-only mode, then enforcing | 2-4h |
| CSC-013 | Medium | Add CAA records for authorized CAs | 15min |
| CSC-011 | Medium | Configure MTA-STS in testing mode | 1h |
Medium Term (1-3 months)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| CSC-012 | Medium | Enable DNSSEC via DigiCert DNS and registrar | 2-4h |
| CSC-008 | High | Verify STARTTLS and implement MTA-STS enforcement mode | 1h |
| CSC-020 | Info | Audit subdomain footprint, restrict test/dev environments | 4-8h |
| CSC-017 | Low | Create and publish security.txt | 15min |
Appendices
Raw data, glossary, and disclaimers
A. robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://www.cscc.com.au/wp-sitemap.xml
B. Sitemap
https://cscc.com.au/sitemap.xml
C. Glossary
| Term | Definition |
|---|---|
| SPF | Sender Policy Framework — restricts which servers can send email for a domain |
| DKIM | DomainKeys Identified Mail — cryptographic email authentication |
| DMARC | Domain-based Message Authentication, Reporting & Conformance |
| MTA-STS | Mail Transfer Agent Strict Transport Security — enforces TLS for email |
| TLS-RPT | TLS Reporting — receive reports about email TLS failures |
| DANE/TLSA | DNS-based Authentication of Named Entities — binds certificates to DNS |
| DNSSEC | Domain Name System Security Extensions — cryptographic DNS validation |
| CAA | Certificate Authority Authorization — restricts which CAs can issue certificates |
| BIMI | Brand Indicators for Message Identification — brand logo in email clients |
| HSTS | HTTP Strict Transport Security — forces HTTPS connections |
| CSP | Content Security Policy — controls which resources a page can load |
| DNSBL | DNS-based Blackhole List — real-time email/IP reputation service |
D. Disclaimer
This security assessment was performed using publicly available information only. No intrusive testing, penetration testing, or vulnerability exploitation was conducted.
Severity ratings use a qualitative likelihood × impact risk matrix aligned with ISO 27005. Risk scores are indicative and based on professional judgement.
This document is classified CONFIDENTIAL and is intended solely for the named recipient.
Assessment methodology references: NIST SP 800-177 Rev. 1, OWASP Secure Headers Project, PCI DSS v4.0, UK Cyber Essentials, ACSC Essential Eight, ISO 27005.