Websites - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Cortex Xpanse scans your public-facing websites, identifying insecure websites, web components, and technologies running on your web assets.

Cortex Xpanse Web Attack Surface Management extends ASM protection by identifying insecure websites and web components and technologies running on your managed and unmanaged web assets. Web ASM scans your public-facing websites, creating a continuously updated inventory of your web assets, including the server software and other technologies powering your web applications.

Web ASM enables you to accomplish the following:

  • Develop a single source of truth for all of your organization's web inventory

  • Track and monitor your risk due to third-party libraries

  • Continuously discover and monitor external web application inventory and third-party technologies

  • Identify insecure and misconfigured websites, vulnerable technologies, and dependencies

  • Improve security ratings by identifying sites failing security best practices

The difference between websites and services

Services are public-facing network services; for example, an RDP server or an HTTP server. Websites represent the content and the software stack that was used to generate it.

An HTTP service represents a single HTTP server (on-prem) or a cohesive group of HTTP servers (cloud). A website can be served by a single or by multiple HTTP servers. Some of these HTTP servers could be hosted in a cloud provider, others on-prem.

Generally, the relationship between HTTP services and websites can be described as follows:

  • A website is supported by one or more HTTP services.

  • A cloud HTTP service serves a single website.

  • An on-prem HTTP service serves multiple websites, potentially hundreds.

The difference between websites and domains

In Expander, a domain is simply the registration of a domain (for example, your organization might own You can have a domain without a website behind it. You can also have a domain that does not resolve to an IP address (which means it does not have a website behind it). Expander displays websites with a domain name or an IP address.

Websites field descriptions

Navigate to InventoryWebsites to view the list of websites in a table format that can be sorted, filtered, and downloaded. Some of the key fields available in the table view are described in the table below.




Detected authentication method. Results could be none, form based authentication (e.g. user ID and password), or a single-sign on method.

Business Units

Business unit this website is associated with.

Externally Detected Providers

Hosting provider.

Failed Security Assessments

Which of the security best practices the website failed.

First Observed

When the website was first observed.


Domain or IP of the website host.

  • A closed lock indicates HTTPS.

  • An open lock indicates HTTP.


HTTPS, HTTP redirecting to HTTPS, or HTTP.

IP Addresses

IP addresses associated with this website.

Is Active

Yes — Indicates the website is active, which means it has been observed recently.

No — Indicates the website is inactive, which means Cortex Xpanse no longer sees it on the internet or it is no longer attributed to your organization.

Last Observed

When the website was most recently observed in a Cortex Xpanse scan.


Port for the website.

Site Category

The inferred business purpose of the website based on the technologies used on that website. Full list of site categories is Ecommerce, Advertising, Affiliate Programs, Appointment scheduling, Blogs, CMS, CRM, Development, Documentation, Issue Tracker, LMS, Reservations & Delivery, Recruitment & Staffing.

If a technology doesn't fit into one of the listed categories, this field will be blank.


Any technologies detected on the website.

Third Party Script Domains

Third-party domains that serve the scripts (not the scripts themselves).

Website ID

Unique ID associated with the website.

Website details

Click a row in the Websites table to open the details page for that website. The following sections describe the information on the website details page.

Site Details, Site Categories, Site Deployment Details

Summarizes key information about the security of the website.

Most Recent Screenshot

A screenshot and link to the website to make it easier to investigate issues. If you don't see a screen shot, the website may have been down when we scanned the page or that access was blocked for our scanner (in which case you probably won't see any technologies listed under Technologies Used either). If the screenshot is incomplete (a blank or invalid layout), the page may have loaded too slowly—we take the screenshot six seconds after we request the page.

Security Best Practices Analysis

Provides an at-a-glance look at whether the website is following broadly accepted security best practices.

We perform only the relevant security best practice assessments on each website. For example, if a website redirects somewhere else, many of the security assessments are performed on the website the user is redirected to; only the Has HTTPS Enabled and Protocol Downgrade assessments are performed on the original website. And some security assessments don’t make sense on non-HTTPS websites (e.g. mixed content and HSTS header), so those assessments are not performed.

Some security best practice assessments are performed only on webpages without "transient errors". We consider a page to have a transient error if the HTTP status code is 405, 407, 408, 409 or greater than 411. In this case, we assume this is not a normal condition of the website and visiting the page later or in different conditions would yield a different result.

If we have no matching observation for an assessment, the assessment will not be displayed. For example, if has a single page with a 404 status code, the Mixed Content assessment would be performed (404 is not a transient error) but the X-Frame-Options assessment would not be.

The table below lists each of the security best practices, which websites and webpages the analysis is performed on, and the criteria we use to determine whether the website Passes or Fails the assessment.

Website Security Best Practice

Performed on these websites

Performed on these pages

Pass/Fail Criteria

Has HTTPS Enabled

All websites


Passes if the website is accessed over TLS or redirects to an HTTPS website.

Secure Forms

HTTPS websites that do not always redirect

Pages without transient errors

Fails if we find an HTML form with an action to an insecure website. This applies only to static forms and will not detect dynamically rendered forms.

No Mixed Content

HTTPS websites that do not always redirect

Pages without transient errors

Fails if we find a page that is using a resource (image, stylesheet, script but not just a <a> link) loaded over HTTP.

Protocol Downgrade

All websites


Fails if we find a transition from HTTPS to HTTP in the redirect chain.

Sets Valid X-Frame-Options Header

Websites that do not always redirect

Pages with 2xx status code

Fails if:

  • X-Frame-Options header is not empty and is neither DENY or SAMEORIGIN

  • Content-Security-Policy header is not set or  syntactically invalid

Sets Valid X-Content-Type-Options Header

Websites that do not always redirect

Pages with 2xx status code

Fails if X-Content-Type-Options is not set or not “nosniff”

Sets valid Content-Type Header

Websites that do not always redirect

Pages with 2xx status code

Fails if Content-Type is not set or set to an invalid value.

Sets HTTP Strict Transport-Security-Header

HTTPS websites that do not always redirect

Pages without transient errors

Fails if there is no “Strict-Transport-Security” header.

Sets valid Referrer-Policy Header

Websites that do not always redirect

Pages without transient errors

Fails if Referrer-Policy header not set or set to an invalid value.

Technologies Used

List of the technologies used on your website.

HTML Form Analysis

List of login forms. Login forms are only detected in a static environment, so if the form is created by JavaScript, it will not be detected. Only login forms are displayed in analysis.

Domain Details

Information about the website domain, including a link to the domain in the Inventory.

Third Party Resources

List of the scripts and CSS loaded from domains that are not owned by your organization.

Other Websites Hosted with This Website

List of other websites owned by your organization and hosted on the same IP addresses.

Services Hosting This Website

List of services hosting the website in the last 30 days.


Map indicating the IP region of the website.

Externally Inferred CVEs

Externally inferred CVEs associated with the technologies used on your website.

Websites dashboard

The Websites dashboard provides an overview of the security of your entire web attack surface. It enables you to continuously monitor your web resources at a high level and drill down into the details as needed. Some of the key data displayed on the Websites dashboard includes the following:

  • Website security misconfigurations and best practice failures

  • Websites using HTTP and HTTPS

  • Authentication providers, server software, technologies detected

  • A breakdown of your websites by category

  • Third-party technologies used on your websites

  • Privacy-impacting packages your websites are using

    Privacy-impacting packages are technologies that track users. The "privacy-impacting" designation is based on the purpose of the technology and is not an evaluation of whether the technology itself has privacy problems. Any technology in the following categories is considered “privacy impacting”:

    • Analytics

    • Geolocation

    • Browser fingerprinting

    • Loyalty and rewards

    • Marketing automation

    • Referral marketing

    • Retargeting

Navigate to DashboardsWebsites to view the dashboard.

Like the other Expander dashboards, you can download the the Websites dashboard as a report.