Codes

Code format

All twa codes come in the format TWA-XXYY, where XX is the stage number and YY uniquely identifies the code. The order of unique code identifiers (the YYs) is not guaranteed.

For example, the hypothetical TWA-3522 would indicate a negative result in stage 35, identified as 22.

These are all of the codes twa currently uses.

If a link is red, it doesn't have a page yet! You can help contribute one by following the format in TWA-0001.

Stage 00 codes

TWA-0001: "Expected port 443 to be open, but it isn't"

Stage 01 codes

TWA-0101: "HTTP redirects to HTTPS using a 302"
TWA-0102: "HTTP redirects to HTTP (not secure)"
TWA-0103: "HTTP doesn't redirect at all"

Stage 02 codes

TWA-0201: "Skipping security checks due to no secure channel"
TWA-0202: "Strict-Transport-Security max-age is less than 6 months"
TWA-0203: "Strict-Transport-Security, but no includeSubDomains"
TWA-0204: "Strict-Transport-Security, but no preload"
TWA-0205: "Strict-Transport-Security missing"
TWA-0206: "X-Frame-Options is 'sameorigin', consider 'deny'"
TWA-0207: "X-Frame-Options is 'allow-from', consider 'deny' or 'none'"
TWA-0208: "X-Frame-Options missing"
TWA-0209: "X-Content-Type-Options missing"
TWA-0210: "X-XSS-Protection is '0'; XSS filtering disabled"
TWA-0211: "X-XSS-Protection sanitizes but doesn't block, consider mode=block?"
TWA-0212: "X-XSS-Protection missing"
TWA-0213: "Referrer-Policy specifies '${rp}', consider 'no-referrer'?"
TWA-0214: "Referrer-Policy missing"
TWA-0215: "Content-Security-Policy 'default-src' is '${csp_default_src}'"
TWA-0216: "Content-Security-Policy 'default-src' is missing"
TWA-0217: "Content-Security-Policy has one or more 'unsafe-inline' policies"
TWA-0218: "Content-Security-Policy has one or more 'unsafe-eval' policies"
TWA-0219: "Content-Security-Policy missing"
TWA-0220: "Feature-Policy missing"
TWA-0221: "Expect-CT missing 'enforce' directive"
TWA-0222: "Expect-CT missing 'report-uri' directive"
TWA-0223: "Expect-CT requires missing 'max-age' directive"
TWA-0224: "Access-Control-Allow-Origin' field '*' allows resources to be accessable by any domain."
TWA-0225: "Access-Control-Allow-Origin' field 'null' allows the 'Origin' header to be crafted to grant access to resources on this domain."
TWA-0226: "Access-Control-Allow-Origin' header is not configured properly."
TWA-0227: "Access-Control-Allow-Credentials' value is set to 'false'."
TWA-0228: "Access-Control-Allow-Credentials' header is not configured properly."
TWA-0229: "Cross-Origin-Embedder-Policy' allows cross-origin resources to be fetched without giving explicit permission."
TWA-0230: "Cross-Origin-Opener-Policy' allows the document to be added to its opener's browsing context group."

Stage 03 codes

TWA-0301: "Site sends 'Server' with what looks like a version tag: ${server}"
TWA-0302: "Site sends a long 'Server', probably disclosing version info: ${server}"
TWA-0303: "Site sends '${badheader}, probably disclosing version info: ${content}'"

Stage 04 codes

TWA-0401: "SCM repository being served at: ${url}"
TWA-0402: "Possible SCM repository being served (maybe protected?) at: ${url}"
TWA-0403: "Environment file being served at: ${url}"
TWA-0404: "Possible environment file being served (maybe protected?) at: ${url}"
TWA-0405: "Config file being served at: ${url}"
TWA-0406: "Possible config file being served (maybe protected?) at: ${url}"
TWA-0407: "Package management file being served at: ${url}"
TWA-0408: "Possible package management file being served (maybe protected?) at: ${url}"
TWA-0409: "Build file being served at: ${url}"
TWA-0410: "Possible build file being served (maybe protected?) at: ${url}"

Stage 05 codes

TWA-0501: "No robots file found at: ${domain}/robots.txt"
TWA-0502: "robots.txt lists what looks like an admin panel"
TWA-0503: "robots.txt lists what looks like CGI scripts"
TWA-0504: "No security file found at: ${domain}/.well-known/security.txt"

Stage 06 codes

TWA-0601: "No CAA records found"
TWA-0602: "Domain doesn't specify any valid issuers"
TWA-0603: "Domain explicitly disallows all issuers"
TWA-0604: "Domain doesn't specify any violation reporting endpoints"

Stage 07 codes

TWA-0701: "Domain is listening on a development/backend port: ${dev_port}"

Stage 08 codes

TWA-0801: "cookie '${cookie_name}' has 'secure' but no 'httponly' flag"
TWA-0802: "cookie '${cookie_name}' has no 'secure' flag"
TWA-0803: "cookie '${cookie_name}' has SameSite set to 'lax'"
TWA-0804: "cookie '${cookie_name}' has SameSite set to 'none' or is not set properly"
TWA-0805: "cookie '${cookie_name}' has missing or empty 'SameSite' flag"
TWA-0806: "cookie '${cookie_name}' must contain a 'Domain' attribute"
TWA-0807: "cookie '${cookie_name}' must not contain a 'Domain' attribute"
TWA-0808: "cookie '${cookie_name}' must contain a 'Path' attribute"
TWA-0809: "cookie '${cookie_name}' 'Domain' attribute must match the domain being tested"
TWA-0810: "cookie '${cookie_name}' 'Path' attribute must contain a value of '/'"

Stage 09 codes

TWA-0901: "testssl reports '${finding}' ('${id}')"

Home
Codes
TWA-00YY
- TWA-0001
TWA-01YY
TWA-02YY
- TWA-0201
- TWA-0202
- TWA-0203
- TWA-0204
- TWA-0205
- TWA-0206
- TWA-0207
- TWA-0208
- TWA-0209
- TWA-0210
- TWA-0211
- TWA-0212
- TWA-0213
- TWA-0214
- TWA-0215
- TWA-0216
- TWA-0217
- TWA-0218
- TWA-0219
- TWA-0220
- TWA-0221
- TWA-0222
- TWA-0223
- TWA-0224
- TWA-0225
- TWA-0226
- TWA-0227
- TWA-0228
- TWA-0229
- TWA-0230
TWA-03YY
TWA-04YY
- TWA-0401
- TWA-0402
- TWA-0403
- TWA-0404
- TWA-0405
- TWA-0406
- TWA-0407
- TWA-0408
- TWA-0409
- TWA-0410
TWA-05YY
- TWA-0501
- TWA-0502
- TWA-0503
- TWA-0504
TWA-06YY
- TWA-0601
- TWA-0602
- TWA-0603
- TWA-0604
TWA-07YY
- TWA-0701
TWA-08YY
- TWA-0801
- TWA-0802
- TWA-0803
- TWA-0804
- TWA-0805
- TWA-0806
- TWA-0807
- TWA-0808
- TWA-0809
- TWA-0810
TWA-09YY
- TWA-0901

Provide feedback

Saved searches

Use saved searches to filter your results more quickly