External reconnaissance and vulnerability assessment for myseodesk developer portfolio.
An external security reconnaissance of myseodesk.com was conducted on March 17, 2026. The assessment examined the site's SSL/TLS configuration, HTTP security headers, DNS records, email authentication, subdomain exposure, and technology stack from an unauthenticated external perspective.
The site runs behind Cloudflare with solid basics including HSTS with includeSubDomains, X-Frame-Options, and X-Content-Type-Options. However, critical gaps exist: there is no Content-Security-Policy header, the origin server IP is exposed in the SPF record (allowing Cloudflare bypass), and the robots.txt reveals internal application paths. The site hosts multiple backend services (portal, phonesys, sillygames) and has 10 subdomains discoverable via Certificate Transparency logs.
Missing Content-Security-Policy. Recommended starting policy: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; then iterate. Consider CSP report-only mode first.

Origin IP exposed in SPF. The SPF record contains ip4:45.32.160.36, which is the origin server IP. This allows attackers to bypass Cloudflare entirely by sending requests directly to the origin, circumventing WAF rules, rate limiting, and DDoS protection.

robots.txt discloses internal paths. The robots.txt disallows /api/, /portal/, /nexus/, /phonesys/, /sillygames/, /jesse-panel/, and /jmfield/zaps/. While intended to block crawlers, this serves as a public directory of internal applications for any attacker to probe.

Missing Permissions-Policy. Add Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() to restrict unused APIs.

SPF softfail. The SPF record ends with ~all (softfail), which marks unauthorized senders as suspicious but does not reject them outright. Change ~all to -all (hardfail).

DMARC at quarantine. DMARC is set to p=quarantine at 100% enforcement. Spoofed emails are quarantined rather than rejected, meaning some may still reach recipients' spam folders. Upgrade to p=reject to fully block spoofed emails.

No CAA records. Add 0 issue "pki.goog" and 0 issue "letsencrypt.org".

Deprecated X-XSS-Protection. The X-XSS-Protection: 1; mode=block header is set, but this header is deprecated in modern browsers and can introduce vulnerabilities in older browsers. Modern CSP is the correct replacement.

No security.txt. No /.well-known/security.txt file exists. This RFC 9116 standard file provides security researchers a way to report vulnerabilities responsibly. Add /.well-known/security.txt.

Sensitive subdomains. Potentially sensitive subdomains include git.myseodesk.com, voip.myseodesk.com, and ringnow.myseodesk.com.

| Control | Status | Details |
|---|---|---|
| TLS Configuration | Strong | TLSv1.3 with AES-256-GCM-SHA384 cipher suite. |
| HTTP to HTTPS Redirect | Enabled | 301 permanent redirect from HTTP to HTTPS. |
| HSTS | Active | max-age=15552000 with includeSubDomains. |
| X-Frame-Options | Active | SAMEORIGIN prevents clickjacking. |
| X-Content-Type-Options | Active | nosniff prevents MIME-sniffing attacks. |
| Referrer-Policy | Active | same-origin prevents referrer leakage. |
| X-Permitted-Cross-Domain-Policies | Active | master-only restricts Flash/PDF cross-domain access. |
| No Sensitive Files Exposed | Clean | .env, .git/config, phpinfo.php all return 404. |
| API Path Protected | Blocked | /api/ returns 403 Forbidden. |
| No Session Cookies | Clean | No cookies set on homepage response. |
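The header findings above can be checked mechanically. The following script is an added example by the editor, not tooling from the original assessment: it scores a response header set against the items in this report (CSP, Permissions-Policy, deprecated X-XSS-Protection, HSTS preload eligibility) and applies the report's recommendations to produce the target header set. The SAMPLE_HEADERS dictionary is constructed to mirror the homepage headers described here, not a captured response, and the starting CSP and Permissions-Policy values are the ones recommended in the findings.

```python
"""Score HTTP response headers against this report's hardening items and
apply the recommended fixes. Added example, not the assessment's own code."""
from typing import Dict, List

# Constructed sample modelled on the homepage headers the report describes:
# HSTS, X-Frame-Options, nosniff, Referrer-Policy and the deprecated
# X-XSS-Protection are present; CSP and Permissions-Policy are absent.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "X-XSS-Protection": "1; mode=block",
}

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum for HSTS preload eligibility

# Starting policies taken from the report's recommendations.
STARTING_CSP = ("default-src 'self'; script-src 'self'; "
                "style-src 'self' 'unsafe-inline' fonts.googleapis.com")
PERMISSIONS_POLICY = "camera=(), microphone=(), geolocation=(), payment=()"


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Parse Strict-Transport-Security and flag what keeps it off the preload list."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        if d.startswith("max-age=") and d[len("max-age="):].isdigit():
            max_age = int(d[len("max-age="):])
    findings = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in directives:
        findings.append("HSTS lacks preload")
    return findings


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding string per gap; an empty list means every item is met."""
    h = _lower(headers)
    findings = check_hsts(headers)
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP present only in report-only mode; not yet enforced")
        else:
            findings.append("Content-Security-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if "x-xss-protection" in h:
        findings.append("Deprecated X-XSS-Protection present; remove it, CSP is the replacement")
    for name in ("x-frame-options", "x-content-type-options", "referrer-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings


def harden(headers: Dict[str, str], report_only: bool = True) -> Dict[str, str]:
    """Apply the report's header recommendations and return the new header set.

    report_only=True mirrors the advice to deploy CSP in report-only mode first;
    switch to False once the violation reports show the policy is clean."""
    out = {k: v for k, v in headers.items() if k.lower() != "x-xss-protection"}
    out["Strict-Transport-Security"] = f"max-age={PRELOAD_MIN_MAX_AGE}; includeSubDomains; preload"
    out["Permissions-Policy"] = PERMISSIONS_POLICY
    csp_name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    out[csp_name] = STARTING_CSP
    return out


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print("-", finding)
    print("after hardening (report-only):", check_headers(harden(SAMPLE_HEADERS)))
    print("after hardening (enforced):", check_headers(harden(SAMPLE_HEADERS, report_only=False)))
```

Run as written it lists the five gaps the report raises for the homepage, then shows the single remaining item (CSP not yet enforced) after the report-only rollout and a clean result once the policy is switched to enforcing.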
| Layer | Technology |
|---|---|
| CDN / Proxy | Cloudflare (Miami POP) |
| Origin Server | nginx (CloudPanel) |
| SSL | Google Trust Services / Cloudflare (TLSv1.3) |
| Frontend | Static HTML, Tailwind CSS (app.min.css) |
| Backend | PHP (chat API, portal), FastAPI (phonesys) |
| Fonts | Google Fonts (Inter, JetBrains Mono) |
| Email | Cloudflare Email Routing + smtp2go.com + Brevo |
| DNS | Cloudflare (lennox, princess) |
| SEO | Schema.org JSON-LD (Person, WebSite, Organization, FAQPage) |
Source: Certificate Transparency logs (crt.sh). Highlighted entries indicate potentially sensitive infrastructure.
| Record | Value |
|---|---|
| A | 104.21.44.67, 172.67.196.115 (Cloudflare proxy) |
| AAAA | None (no IPv6) |
| NS | princess.ns.cloudflare.com, lennox.ns.cloudflare.com |
| MX | Cloudflare Email Routing (route1/2/3.mx.cloudflare.net) |
| SPF | v=spf1 ip4:45.32.160.36 include:_spf.mx.cloudflare.net include:spf.smtp2go.com ~all |
| DMARC | v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@dmarc.brevo.com |
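The SPF, DMARC and CAA findings can likewise be evaluated from the published records. The script below is an added example by the editor, not the assessment's tooling: it parses the SPF and DMARC records into their mechanisms and tags, flags the literal origin address, the ~all softfail, the quarantine policy and the absent CAA records, and builds the remediated record set the report recommends. SAMPLE_ZONE is constructed from the DNS table above rather than queried live, and the remediation assumes outbound mail flows only through the two include: relays so the ip4 mechanism can be dropped.

```python
"""Parse and assess the email-authentication and CAA records this report
examines. Added example, not the assessment's own code."""
from typing import Any, Dict, List, Optional

# Constructed sample zone data, copied from the report's DNS table. CAA is
# empty because the report found no CAA records published.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "TXT": ["v=spf1 ip4:45.32.160.36 include:_spf.mx.cloudflare.net include:spf.smtp2go.com ~all"],
    "_dmarc.TXT": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@dmarc.brevo.com"],
    "CAA": [],
}

QUALIFIER_NAMES = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> Dict[str, Any]:
    """Split an SPF record into literal IPs, include: domains and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    literal_ips: List[str] = []
    includes: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208 default when no qualifier prefix is given
        if term[0] in QUALIFIER_NAMES:
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            all_qualifier = qualifier
        elif lowered.startswith(("ip4:", "ip6:")):
            literal_ips.append(term.split(":", 1)[1])
        elif lowered.startswith("include:"):
            includes.append(term.split(":", 1)[1])
    return {"literal_ips": literal_ips, "includes": includes, "all": all_qualifier}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=quarantine; pct=100; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_zone(zone: Dict[str, List[str]]) -> List[str]:
    """Return one finding per gap against the report's email and CAA items."""
    findings: List[str] = []
    spf_records = [r for r in zone.get("TXT", []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("no SPF record")
    else:
        spf = parse_spf(spf_records[0])
        for ip in spf["literal_ips"]:
            # Behind a CDN, a literal server address in SPF reveals the origin.
            findings.append(f"SPF publishes literal server address {ip}; origin exposed")
        if spf["all"] != "-":
            findings.append(f"SPF ends with {QUALIFIER_NAMES.get(spf['all'], 'no')} 'all'; use -all")
    dmarc_records = zone.get("_dmarc.TXT", [])
    if not dmarc_records:
        findings.append("no DMARC record")
    else:
        dmarc = parse_dmarc(dmarc_records[0])
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy != "reject" or pct < 100:
            findings.append(f"DMARC policy is p={policy} at pct={pct}; target p=reject at pct=100")
    if not zone.get("CAA"):
        findings.append("no CAA records; any public CA may issue for this name")
    return findings


def remediated_zone(zone: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Copy the zone with the report's SPF, DMARC and CAA recommendations applied."""
    fixed = {k: list(v) for k, v in zone.items()}
    spf = parse_spf(fixed["TXT"][0])
    includes = " ".join(f"include:{d}" for d in spf["includes"])
    fixed["TXT"] = [f"v=spf1 {includes} -all"]  # literal origin IP dropped, hardfail
    dmarc = parse_dmarc(fixed["_dmarc.TXT"][0])
    rua = f"; rua={dmarc['rua']}" if "rua" in dmarc else ""
    fixed["_dmarc.TXT"] = [f"v=DMARC1; p=reject; pct=100{rua}"]
    # CAA values are the two CAs the report names (Google Trust Services, Let's Encrypt).
    fixed["CAA"] = ['0 issue "pki.goog"', '0 issue "letsencrypt.org"']
    return fixed


if __name__ == "__main__":
    for finding in assess_zone(SAMPLE_ZONE):
        print("-", finding)
    print("after remediation:", assess_zone(remediated_zone(SAMPLE_ZONE)))
```

Before applying the SPF change for real, confirm from mail logs that nothing sends directly from the origin; with -all and no ip4 mechanism, such mail would be rejected by recipients that honour SPF.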
| # | Action | Impact |
|---|---|---|
| 1 | Add Content-Security-Policy header (start in report-only mode) | XSS mitigation layer for all hosted applications |
| 2 | Remove origin IP (45.32.160.36) from SPF record | Prevents Cloudflare bypass attacks |
| 3 | Remove internal paths from robots.txt | Stops advertising internal application structure |
| # | Action | Impact |
|---|---|---|
| 4 | Add Permissions-Policy header | Restricts browser API access |
| 5 | Change SPF from ~all to -all (hardfail) | Stronger email spoofing rejection |
| 6 | Add CAA DNS records | Restricts certificate issuance to authorized CAs |
| 7 | Lock origin firewall to Cloudflare IP ranges only | Prevents direct-to-origin attacks |
| # | Action | Impact |
|---|---|---|
| 8 | Upgrade DMARC from quarantine to reject | Full email spoofing protection |
| 9 | Add security.txt file | Responsible disclosure channel |
| 10 | Remove deprecated X-XSS-Protection header | Eliminates legacy attack surface |
| 11 | Increase HSTS max-age to 31536000 and add preload | HSTS preload list eligibility |
This assessment was performed from an external, unauthenticated perspective using publicly available information and standard reconnaissance techniques. It does not constitute a full penetration test. No exploitation of vulnerabilities was attempted. Findings are based on data available at the time of assessment and may change as the target environment evolves. This report is confidential and intended solely for the authorized recipient.