Instant cyber security rating
Xion

To get a deeper insight into your entire organization, including surfacing data leaks and identity breaches, as well as your third-party vendors, book a free demo today.

Get a demo
Free trial

Last scanned: 2026-04-21

Powered by Breach Risk

Security Rating

UpGuard's Cyber Security Ratings range from 0 to 950. The higher the score, the better the security practices on the primary domain for Xion.

Website Security

  • CSP is not implemented

    No valid Content Security Policy is implemented. This increases the risk of XSS and clickjacking attacks.

  • X-Content-Type-Options is not nosniff

    Browsers may interpret files as a different MIME type than what is specified in the Content-Type HTTP header. This can lead to MIME confusion attacks.

  • Unmaintained page detected

    This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.

  • Server information header not exposed

    Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.

  • X-Powered-By header not exposed

    Information about specific technology used on the server is obscured.

  • X-Frame-Options is not deny or sameorigin

    Browsers are prevented from displaying this website's content in frames. This helps mitigate clickjacking attacks.

  • CSP implemented without insecure active sources

    The Content Security Policy does not allow any insecure active sources.

  • CSP implemented without broad sources

    A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.

  • Referrer policy is not unsafe-url

    The website's Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.

  • ASP.NET version header not exposing specific ASP.net version

    Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.

  • ASP.NET version header not exposed

    Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.

  • CSP implemented without insecure passive sources

    The Content Security Policy does not allow any insecure passive (img/media) sources.

  • CSP implemented without unsafe-eval

    A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.

Email

  • DMARC policy is not p=none

    DMARC reject policy provides the most effective protection against fraudulent emails being sent from a domain.

  • DMARC policy exists

    DMARC protects against fraudulent emails being sent from a domain.

  • SPF syntax correct

    Sender Policy Framework (SPF) record passes basic syntax checks.

  • DMARC policy percentage is default

    DMARC policy percentage is set to default 100%, ensuring all mail is covered by the policy.

  • Strict SPF filtering - not using ~all

    Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.

  • SPF ptr mechanism not used

    Sender Policy Framework (SPF) record does not include the ptr mechanism.

Network

  • 'HTTP' port open

    The 'HTTP' service is running and exposed to the internet. The configuration of the server should be reviewed and unnecessary ports closed.

DNS

  • No unregistered MX records detected

    No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.

  • Domain has not expired

    Domain has not expired.

  • No subdomain takeover vulnerability detected

    No dangling DNS records that could lead to subdomain takeover were detected.

  • Domain does not expire soon

    Domain does not expire within 30 days.

  • DNSSEC enabled

    DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.

  • CAA enabled

    The domain contains a valid Certification Authority Authorization (CAA) record. A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.

Encryption

  • SSL not available

    SSL is the standard encryption method for browsing websites. Enabling SSL requires installing an SSL certificate on the site.

  • Weak cipher suites supported in TLS 1.2

    Weak cipher suites can potentially be broken by a well resourced attacker, and should not be supported by the server unless very old devices or browsers must be supported.

  • Certificate not found on our revoked certificate list

    The site's certificate chain was checked against our list of revoked certificates.

  • HTTP requests are redirected to HTTPS

    All HTTP requests are redirected to HTTPS.

  • Hostname matches SSL certificate

    The site's hostname matches the SSL certificate.

  • SSL has not expired

    SSL certificate has not expired.

  • Trusted SSL certificate

    The certificate presented by this domain was issued by a trusted certificate authority.

  • HTTP Strict Transport Security (HSTS) enforced

    With HSTS enforced, people browsing this site are less susceptible to man-in-the-middle attacks.

  • No insecure SSL/TLS versions available

    No insecure SSL/TLS versions are available for this site.

  • SSL certificate chain present in server response

    A complete SSL certificate chain was presented by the server for this domain.

  • SSL chain certificates do not expire within 20 days

    SSL intermediate and root certificates do not expire within 20 days.

  • SSL expiration period shorter than 398 days

    The SSL certificate presented by the server has an expiration period shorter than 398 days.

  • SSL has more than 20% of its valid period remaining

    SSL certificate does not expire in less than 20% of its total valid period.

  • Strong SSL algorithm

    Industry standard SHA-256 encryption in use.

  • Domain is included on the HSTS preload list

    Being included on the preload list gives the highest level of protection against MITM attacks for users of all major browsers.

  • Strong public certificate key length

    The site's public certificate provides at least 112 bits of security strength.

Data leakage

  • No listable directories found

    No listable directories were found on the server.

  • WordPress plugin versions not exposed

    Ensuring WordPress plugin versions are not exposed can make it harder for attackers to find exploits against your site.

  • WordPress user list not exposed

    Exposing the list of users on a WordPress site (via the WP-JSON API) can assist attackers in brute forcing credentials, as well as constitute a privacy risk.

  • No open cloud storage service detected

    No cloud storage service configured to allow anonymous file listing was detected.

  • Domain index is not a listable directory

    The domain index is not a listable directory.

IP/Domain Reputation

  • Not a suspected malware provider

    This website does not appear to contain malicious code.

  • No reports of botnet activity in the last 30 days

    This IP/domain has not been reported as a source of botnet activity in the last 30 days.

  • No reports of brute force login attempts in the last 30 days

    This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.

  • No reports of malware distribution in the last 30 days

    This IP/domain has been reported for distributing malware in the last 30 days.

  • No reports of unsolicited scanning in the last 30 days

    This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.

  • Not suspected of unwanted software

    This website does not appear to be attempting to install unwanted software.

  • Not a suspected phishing page

    This site does not appear to be a forgery or imitation of another website.

  • No reports of phishing activity in the last 30 days

    This IP/domain has not been reported as a phishing site in the last 30 days.

  • No reports of botnet activity in the last 90 days

    This IP/domain has not been reported as a source of botnet activity in the last 90 days.

  • No reports of brute force login attempts in the last 90 days

    This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.

  • No reports of malware distribution in the last 90 days

    This IP/domain has been reported for distributing malware in the last 90 days.

  • No reports of unsolicited scanning in the last 90 days

    This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.

  • No reports of phishing activity in the last 90 days

    This IP/domain has not been reported as a phishing site in the last 90 days.

Vulnerability Management

  • Not vulnerable to CVE-2014-0160 (Heartbleed)

    A bug in OpenSSL's implementation of the TLS heartbeat extension allows access to portions of memory on the targeted host e.g. cryptographic keys and passwords.

  • Not vulnerable to CVE-2014-3566 (POODLE)

    The server does not support SSLv3, and is not vulnerable to the POODLE attack.

  • Not vulnerable to CVE-2015-0204 (FREAK)

    The server does not offer RSA_EXPORT cipher suites, so clients are not vulnerable to the FREAK attack.

  • Not vulnerable to CVE-2015-4000 (Logjam)

    The server is using strong Diffie-Hellman parameters and is not vulnerable to the Logjam attack.

More security reports

Compare your security performance with other companies.

View all security reports