External reconnaissance and vulnerability assessment for Fancy Pet Salon.
An external security reconnaissance of fancypetsalon.com was conducted on March 17, 2026. The assessment examined the site's SSL/TLS configuration, HTTP security headers, DNS records, email authentication, subdomain exposure, and technology stack from an unauthenticated external perspective.
The site is well-secured overall, running as static HTML behind Cloudflare with a comprehensive set of security headers including HSTS, CSP, X-Frame-Options, and Permissions-Policy. The primary concerns are a CSP policy that allows unsafe-inline scripts, an HSTS max-age below the recommended 1-year minimum, SPF using softfail instead of hardfail, and DMARC set to quarantine rather than reject. Two accessible paths (/admin/ and /dev/) should be restricted.
Detailed findings follow, each with its recommended fix.

The Content-Security-Policy allows 'unsafe-inline' in the script-src directive. This significantly weakens XSS protection: any injected inline script executes, so the CSP offers no defence against a reflected or stored injection. The style-src directive also allows 'unsafe-inline', which is lower risk but still permits CSS-based data exfiltration. Recommendation: remove 'unsafe-inline' from script-src and use a nonce-based or hash-based CSP instead. Move inline scripts to external files, or add nonce attributes; for a static site with no per-request rendering, hashes are the practical option, since a nonce must be unique per response.

/admin/ returns HTTP 200 and /dev/ returns a 301 redirect rather than a 404, indicating that both paths exist. While /dev/ is listed in robots.txt, robots.txt is advisory only and does not prevent direct access; listing a path there also advertises it to anyone who reads the file. These paths may expose development tooling or an admin interface to the public. Recommendation: restrict /admin/ and /dev/ using Cloudflare Access rules or nginx IP allowlists, and return 403 or 404 for unauthorized requests. Because the origin sits behind Cloudflare, an nginx allowlist must key on the visitor address that Cloudflare forwards (CF-Connecting-IP, restored with the real_ip module) rather than on the proxy address.

HSTS is set to max-age=15552000 (180 days) without the includeSubDomains or preload directives. OWASP recommends a minimum of 31536000 (1 year), and the HSTS preload list requires at least that value together with both directives. Recommendation: set Strict-Transport-Security: max-age=31536000; includeSubDomains; preload in Cloudflare SSL/TLS settings and submit the domain to the HSTS preload list. Confirm first that every subdomain, including any that are not proxied, serves HTTPS, because includeSubDomains and preload are hard to reverse once browsers have cached them.

SPF ends with ~all (softfail), which marks unauthorized senders as suspicious but does not reject them outright. An attacker spoofing the domain may still have mail delivered to spam rather than rejected. Recommendation: change ~all to -all (hardfail) in the DNS TXT record.

DMARC is set to p=quarantine at 100% enforcement (pct=100). Spoofed messages are quarantined rather than rejected outright, so some may still reach recipients' spam folders. Recommendation: move to p=reject to block spoofed mail entirely, after reviewing the rua aggregate reports to confirm that every legitimate sending source (Cloudflare Email Routing and smtp2go) passes SPF or DKIM with alignment.

No CAA records are published, so any publicly trusted CA may issue certificates for the domain. Recommendation: add CAA records 0 issue "letsencrypt.org" and 0 issue "pki.goog" (for Cloudflare's Google Trust Services certificates). Cloudflare Universal SSL can rotate between the CAs it supports, so verify the CAA set against the CAs Cloudflare currently uses for the zone; otherwise certificate renewal will fail.

No /.well-known/security.txt file exists (the path returns 403). This RFC 9116 file gives security researchers a defined channel for reporting vulnerabilities responsibly. Recommendation: publish a security.txt at /.well-known/security.txt with at least the Contact and Expires fields the RFC requires.

The wildcard certificate (*.fancypetsalon.com) covers all subdomains without exposing individual names in Certificate Transparency logs. This is a positive finding.

Security controls in place:

| Control | Status | Details |
|---|---|---|
| Content-Security-Policy | Active | Full CSP with defined sources for scripts, styles, fonts, images, and connections. |
| TLS Configuration | Strong | TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384. |
| HTTP to HTTPS Redirect | Enabled | 301 permanent redirect from HTTP to HTTPS. |
| HSTS | Active | Strict-Transport-Security with 180-day max-age, without includeSubDomains or preload. |
| X-Frame-Options | Active | SAMEORIGIN prevents clickjacking. |
| X-Content-Type-Options | Active | nosniff prevents MIME-sniffing attacks. |
| Referrer-Policy | Active | strict-origin-when-cross-origin sends only the origin on cross-site requests, so paths and query parameters are not leaked to third parties. |
| Permissions-Policy | Active | Camera, microphone, geolocation, and payment APIs restricted. |
| Origin IP Protection | Hidden | No origin IP exposed in DNS; all A records point to Cloudflare proxy addresses. |
| Wildcard SSL | Yes | Covers *.fancypetsalon.com without exposing subdomain names in CT logs. |
| DMARC Enforcement | Active | p=quarantine at 100% with reporting. |
| SPF Record | Present | Covers Cloudflare MX and smtp2go.com. |
| Structured Data | Present | JSON-LD with LocalBusiness and Organization schemas. |
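The CSP finding above recommends hashes or nonces in place of 'unsafe-inline'. The following script is added here as an illustration; it is not part of the original assessment or the site's own tooling. It computes the sha256 source expressions for every inline script in a static HTML page and rewrites the script-src directive to use them. The HTML page and the weak directive are constructed samples, and the tag ID AW-0000000000 in the sample is a placeholder, not the site's real one.

```python
import base64
import hashlib
import re

# Constructed sample page standing in for a static HTML file like the one
# assessed; it is not the real fancypetsalon.com markup, and the AW- ID is
# a placeholder.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://www.googletagmanager.com/gtag/js?id=AW-0000000000" async></script>
</head><body>
<script>
  document.getElementById('year').textContent = new Date().getFullYear();
</script>
</body></html>
"""

# Constructed weak directive mirroring the finding (allows 'unsafe-inline').
WEAK_SCRIPT_SRC = "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com"

# Matches inline <script> elements only: any <script> tag without a src attribute.
INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL
)


def inline_script_hashes(html: str) -> list[str]:
    """Return CSP 'sha256-...' source expressions for every inline script.

    The hash covers the exact bytes between <script> and </script>,
    whitespace included. Any later edit to an inline script changes its
    hash, and the browser refuses to run it until the header is regenerated.
    """
    hashes = []
    for body in INLINE_SCRIPT_RE.findall(html):
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        hashes.append("'sha256-" + base64.b64encode(digest).decode("ascii") + "'")
    return hashes


def harden_script_src(directive: str, hashes: list[str]) -> str:
    """Drop 'unsafe-inline' from a script-src directive and append the hashes."""
    sources = [s for s in directive.split() if s != "'unsafe-inline'"]
    return " ".join(sources + hashes)


if __name__ == "__main__":
    hashes = inline_script_hashes(SAMPLE_HTML)
    print(harden_script_src(WEAK_SCRIPT_SRC, hashes))
```

Run the script against every HTML file in the site build and set the resulting header in Cloudflare (for example through a response header transform rule), regenerating it whenever an inline script changes. Third-party tags such as gtag.js that inject further script elements at runtime will need either their hosts listed in script-src or 'strict-dynamic' alongside the hashes.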
Technology stack:

| Layer | Technology |
|---|---|
| CDN / Proxy | Cloudflare (Miami POP) |
| Origin Server | nginx (hidden behind CF) |
| SSL | Google Trust Services / Cloudflare Universal (TLSv1.3) |
| CMS | None (static HTML) |
| CSS | Custom v2-styles.css |
| Analytics | Google Tag Manager / Google Ads tag (AW-17919035865) |
| Fonts | Google Fonts (Playfair Display) |
| Email | Cloudflare Email Routing + smtp2go.com |
| DNS | Cloudflare (lennox, princess) |
| i18n | Bilingual EN/ES with hreflang |
DNS records:

| Record | Value |
|---|---|
| A | 172.67.166.197, 104.21.83.13 (Cloudflare proxy) |
| AAAA | None (no IPv6) |
| NS | lennox.ns.cloudflare.com, princess.ns.cloudflare.com |
| MX | Cloudflare Email Routing (route1/2/3.mx.cloudflare.net) |
| SPF | v=spf1 include:_spf.mx.cloudflare.net include:spf.smtp2go.com ~all |
| DMARC | v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@fancypetsalon.com |
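To show how the SPF, DMARC, HSTS and CAA findings follow from the raw values, the following added example (not part of the original report) evaluates copies of the SPF and DMARC records from the table above, the observed HSTS header value and an empty CAA set against the thresholds the recommendations use, and confirms that the corrected values pass. Every input is a constructed copy of a value stated in this report, not a live DNS or HTTP lookup.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age floor used by the recommendations

# Constructed copies of the values reported above (DNS table and HSTS
# finding); embedded samples, not live lookups.
OBSERVED = {
    "spf": "v=spf1 include:_spf.mx.cloudflare.net include:spf.smtp2go.com ~all",
    "dmarc": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@fancypetsalon.com",
    "hsts": "max-age=15552000",
    "caa": [],  # no CAA records observed
}

# The same values after applying recommendations 3 to 6.
RECOMMENDED = {
    "spf": "v=spf1 include:_spf.mx.cloudflare.net include:spf.smtp2go.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@fancypetsalon.com",
    "hsts": "max-age=31536000; includeSubDomains; preload",
    "caa": ['0 issue "letsencrypt.org"', '0 issue "pki.goog"'],
}


def check_spf(record: str) -> list[str]:
    """Flag an SPF record whose 'all' mechanism is anything but hardfail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    for term in terms[1:]:
        if re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE):
            if term.lower() != "-all":
                return [f"SPF: catch-all is '{term}', expected '-all' (hardfail)"]
            return []
    return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]


def check_dmarc(record: str) -> list[str]:
    """Flag a policy weaker than p=reject, partial pct, or missing reporting."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC: policy is p={policy}, expected p=reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: only pct={tags['pct']} of mail is subject to the policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports are received")
    return findings


def check_hsts(header: str) -> list[str]:
    """Flag a short max-age or missing includeSubDomains / preload directives."""
    directives = [d.strip().lower() for d in header.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        return ["HSTS: header has no max-age directive"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR})")
    for flag in ("includesubdomains", "preload"):
        if flag not in directives:
            findings.append(f"HSTS: missing {flag} directive")
    return findings


def check_caa(records: list[str]) -> list[str]:
    """Without CAA, every publicly trusted CA may issue for the domain."""
    if not records:
        return ["CAA: no records, certificate issuance is unrestricted"]
    return []


def evaluate(values: dict) -> list[str]:
    """Run every check and return the combined list of findings."""
    return (check_spf(values["spf"]) + check_dmarc(values["dmarc"])
            + check_hsts(values["hsts"]) + check_caa(values["caa"]))


if __name__ == "__main__":
    for label, values in (("observed", OBSERVED), ("recommended", RECOMMENDED)):
        print(label + ":", evaluate(values) or ["no findings"])
```

The observed set yields six findings (one each for SPF, DMARC and CAA, three for HSTS) and the recommended set yields none. The checks are deliberately strict about what the recommendations ask for; they do not resolve include: chains, so the SPF 10-lookup limit and DKIM alignment still need to be verified separately before moving DMARC to p=reject.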
Recommended actions:

| # | Action | Impact |
|---|---|---|
| 1 | Restrict /admin/ and /dev/ paths via Cloudflare Access or nginx rules | Prevents unauthorized access to internal paths |
| 2 | Remove 'unsafe-inline' from CSP script-src; use nonces or hashes | Strengthens XSS protection |
| 3 | Increase HSTS max-age to 31536000 and add includeSubDomains + preload | HSTS preload list eligibility |
| 4 | Change SPF from ~all to -all (hardfail) | Stronger email spoofing rejection |
| 5 | Add CAA DNS records to restrict certificate issuance | Prevents unauthorized cert issuance |
| 6 | Upgrade DMARC from quarantine to reject | Full email spoofing protection |
| 7 | Add security.txt file at /.well-known/security.txt | Responsible disclosure channel |
| 8 | Enable IPv6 (AAAA records) via Cloudflare | Future-proofing and broader accessibility |
This assessment was performed from an external, unauthenticated perspective using publicly available information and standard reconnaissance techniques. It does not constitute a full penetration test. No exploitation of vulnerabilities was attempted. Findings are based on data available at the time of assessment and may change as the target environment evolves. This report is confidential and intended solely for the authorized recipient.