mpx-scan 1.0.0

package/src/scanners/fingerprint.js

@@ -0,0 +1,325 @@
+/**
+ * Technology Fingerprinting Scanner
+ * 
+ * Identifies the CMS, framework, server software, and libraries
+ * used by the target. Useful for:
+ * - Understanding attack surface
+ * - Checking for known vulnerable versions
+ * - General security posture awareness
+ */
+
+const https = require('https');
+const http = require('http');
+const { fetchBody } = require('./sri');
+
+// Fingerprint signatures — checked against headers, HTML, and cookies
+const SIGNATURES = {
+  // CMS
+  'WordPress': {
+    html: [/wp-content\//i, /wp-includes\//i, /wp-json\//i, /<meta\s+name="generator"\s+content="WordPress[^"]*"/i],
+    headers: { 'x-powered-by': /WordPress/i },
+    cookies: ['wordpress_', 'wp-settings'],
+    paths: ['/wp-login.php', '/wp-admin/'],
+    category: 'CMS',
+    risk: 'medium',
+    note: 'Popular CMS — ensure plugins and core are updated'
+  },
+  'Drupal': {
+    html: [/Drupal\.settings/i, /sites\/default\/files/i, /<meta\s+name="generator"\s+content="Drupal/i],
+    headers: { 'x-generator': /Drupal/i, 'x-drupal-cache': /./ },
+    category: 'CMS',
+    risk: 'medium',
+    note: 'Enterprise CMS — keep core and modules updated'
+  },
+  'Joomla': {
+    html: [/\/media\/jui\//i, /\/components\/com_/i, /<meta\s+name="generator"\s+content="Joomla/i],
+    category: 'CMS',
+    risk: 'medium',
+    note: 'CMS with history of plugin vulnerabilities'
+  },
+  'Shopify': {
+    html: [/cdn\.shopify\.com/i, /Shopify\.theme/i],
+    headers: { 'x-shopify-stage': /./ },
+    category: 'E-commerce',
+    risk: 'low',
+    note: 'Managed platform — security handled by Shopify'
+  },
+  'Squarespace': {
+    html: [/squarespace\.com/i, /static\.squarespace\.com/i],
+    category: 'CMS',
+    risk: 'low',
+    note: 'Managed platform'
+  },
+  'Wix': {
+    html: [/wix\.com/i, /static\.parastorage\.com/i, /wixstatic\.com/i],
+    category: 'CMS',
+    risk: 'low',
+    note: 'Managed platform'
+  },
+
+  // Frameworks
+  'React': {
+    html: [/data-reactroot/i, /react\.production\.min\.js/i, /__NEXT_DATA__/i, /_next\//i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Next.js': {
+    html: [/__NEXT_DATA__/i, /_next\/static/i],
+    headers: { 'x-powered-by': /Next\.js/i },
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Vue.js': {
+    html: [/vue\.min\.js/i, /vue\.runtime/i, /data-v-[a-f0-9]/i, /__vue/i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Nuxt.js': {
+    html: [/__nuxt/i, /_nuxt\//i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Angular': {
+    html: [/ng-version/i, /angular\.min\.js/i, /ng-app/i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Ruby on Rails': {
+    headers: { 'x-powered-by': /Phusion Passenger/i, 'server': /Phusion/i },
+    cookies: ['_session_id'],
+    html: [/csrf-token/i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Django': {
+    cookies: ['django_language', 'sessionid'],
+    html: [/csrfmiddlewaretoken/i, /django/i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Laravel': {
+    cookies: ['laravel_session', 'XSRF-TOKEN'],
+    html: [/laravel/i],
+    category: 'Framework',
+    risk: 'info'
+  },
+  'Express.js': {
+    headers: { 'x-powered-by': /Express/i },
+    category: 'Framework',
+    risk: 'info',
+    note: 'Remove X-Powered-By header in production'
+  },
+
+  // Servers
+  'Nginx': {
+    headers: { 'server': /nginx/i },
+    category: 'Server',
+    risk: 'info'
+  },
+  'Apache': {
+    headers: { 'server': /Apache/i },
+    category: 'Server',
+    risk: 'info'
+  },
+  'Cloudflare': {
+    headers: { 'server': /cloudflare/i, 'cf-ray': /./ },
+    category: 'CDN/WAF',
+    risk: 'low',
+    note: 'Protected by Cloudflare WAF'
+  },
+  'AWS CloudFront': {
+    headers: { 'server': /CloudFront/i, 'x-amz-cf-id': /./ },
+    category: 'CDN',
+    risk: 'low'
+  },
+  'Vercel': {
+    headers: { 'server': /Vercel/i, 'x-vercel-id': /./ },
+    category: 'Platform',
+    risk: 'low'
+  },
+  'Netlify': {
+    headers: { 'server': /Netlify/i },
+    category: 'Platform',
+    risk: 'low'
+  },
+
+  // Security
+  'Akamai': {
+    headers: { 'server': /AkamaiGHost/i, 'x-akamai-session-info': /./ },
+    category: 'CDN/WAF',
+    risk: 'low',
+    note: 'Protected by Akamai WAF'
+  },
+
+  // Analytics/Libraries
+  'jQuery': {
+    html: [/jquery[-.][\d.]*\.min\.js/i, /jquery\.min\.js/i],
+    category: 'Library',
+    risk: 'info',
+    note: 'Check for outdated versions with known XSS vulnerabilities'
+  },
+  'Bootstrap': {
+    html: [/bootstrap[-.][\d.]*\.min\.(js|css)/i, /bootstrap\.min\.(js|css)/i],
+    category: 'Library',
+    risk: 'info'
+  },
+  'Google Analytics': {
+    html: [/google-analytics\.com\/analytics/i, /googletagmanager\.com/i, /gtag\(/i],
+    category: 'Analytics',
+    risk: 'info'
+  },
+  'Google Tag Manager': {
+    html: [/googletagmanager\.com\/gtm\.js/i],
+    category: 'Analytics',
+    risk: 'info'
+  },
+};
+
+async function scanFingerprint(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 3; // Based on information exposure
+
+  // Fetch headers and body
+  const [headers, html] = await Promise.all([
+    fetchHeaders(parsedUrl, options),
+    fetchBody(parsedUrl, options)
+  ]);
+
+  const detected = [];
+
+  for (const [tech, sig] of Object.entries(SIGNATURES)) {
+    let found = false;
+    let evidence = '';
+
+    // Check headers
+    if (sig.headers && headers) {
+      for (const [header, pattern] of Object.entries(sig.headers)) {
+        if (headers[header] && pattern.test(headers[header])) {
+          found = true;
+          evidence = `Header: ${header}: ${headers[header]}`;
+          break;
+        }
+      }
+    }
+
+    // Check HTML patterns
+    if (!found && sig.html && html) {
+      for (const pattern of sig.html) {
+        if (pattern.test(html)) {
+          found = true;
+          evidence = 'HTML content match';
+          break;
+        }
+      }
+    }
+
+    // Check cookies
+    if (!found && sig.cookies && headers && headers['set-cookie']) {
+      const cookieStr = Array.isArray(headers['set-cookie']) ? headers['set-cookie'].join(' ') : headers['set-cookie'];
+      for (const cookieName of sig.cookies) {
+        if (cookieStr.toLowerCase().includes(cookieName.toLowerCase())) {
+          found = true;
+          evidence = `Cookie: ${cookieName}`;
+          break;
+        }
+      }
+    }
+
+    if (found) {
+      detected.push({ name: tech, ...sig, evidence });
+    }
+  }
+
+  // Check for version leaks in Server header
+  const serverHeader = headers?.server || '';
+  const versionMatch = serverHeader.match(/([\w.-]+)\/([\d.]+)/);
+  let leaksVersion = false;
+
+  if (versionMatch) {
+    leaksVersion = true;
+    checks.push({ name: 'Server Version Exposure', status: 'warn', 
+      message: `Server header reveals: ${versionMatch[0]}. Attackers can target version-specific exploits.`,
+      value: serverHeader,
+      recommendation: 'Remove version numbers from Server header'
+    });
+  }
+
+  // Check X-Powered-By
+  const poweredBy = headers?.['x-powered-by'];
+  if (poweredBy) {
+    leaksVersion = true;
+    checks.push({ name: 'X-Powered-By Exposure', status: 'warn',
+      message: `Reveals technology: "${poweredBy}". Aids attacker reconnaissance.`,
+      value: poweredBy,
+      recommendation: 'Remove X-Powered-By header entirely'
+    });
+  }
+
+  // Score based on information exposure
+  if (!leaksVersion && detected.filter(d => d.risk !== 'info').length === 0) {
+    score = 3;
+    checks.unshift({ name: 'Technology Fingerprint', status: 'pass', message: 'Minimal technology exposure — good operational security' });
+  } else if (!leaksVersion) {
+    score = 2;
+    checks.unshift({ name: 'Technology Fingerprint', status: 'pass', message: 'No version information leaked in headers' });
+  } else {
+    score = 1;
+    checks.unshift({ name: 'Technology Fingerprint', status: 'warn', message: 'Server exposes technology/version information' });
+  }
+
+  // List detected technologies
+  if (detected.length > 0) {
+    const byCategory = {};
+    for (const tech of detected) {
+      if (!byCategory[tech.category]) byCategory[tech.category] = [];
+      byCategory[tech.category].push(tech);
+    }
+
+    for (const [category, techs] of Object.entries(byCategory)) {
+      const names = techs.map(t => t.name).join(', ');
+      checks.push({ name: `Detected: ${category}`, status: 'info', message: names, value: names });
+      
+      // Add notes for notable detections
+      for (const tech of techs) {
+        if (tech.note) {
+          checks.push({ name: tech.name, status: tech.risk === 'medium' ? 'warn' : 'info', message: tech.note });
+        }
+      }
+    }
+  } else {
+    checks.push({ name: 'Technologies', status: 'info', message: 'No technologies confidently identified from external scan' });
+  }
+
+  return { score, maxScore, checks };
+}
+
+function fetchHeaders(parsedUrl, options = {}) {
+  return new Promise((resolve) => {
+    const timeout = options.timeout || 10000;
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    let resolved = false;
+    const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
+    const timer = setTimeout(() => done(null), timeout + 2000);
+
+    const req = protocol.request(parsedUrl.href, {
+      method: 'HEAD', timeout,
+      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      rejectUnauthorized: false,
+    }, (res) => {
+      clearTimeout(timer);
+      // Follow redirects
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        const redirectUrl = new URL(res.headers.location, parsedUrl.href);
+        fetchHeaders(redirectUrl, options).then(done);
+        return;
+      }
+      done(res.headers);
+    });
+    req.on('error', () => { clearTimeout(timer); done(null); });
+    req.on('timeout', () => { clearTimeout(timer); req.destroy(); done(null); });
+    req.end();
+  });
+}
+
+module.exports = { scanFingerprint };

package/src/scanners/headers.js

@@ -0,0 +1,203 @@
+/**
+ * Security Headers Scanner
+ * 
+ * Checks for presence and configuration of security headers:
+ * - Strict-Transport-Security (HSTS)
+ * - Content-Security-Policy (CSP)
+ * - X-Content-Type-Options
+ * - X-Frame-Options
+ * - Referrer-Policy
+ * - Permissions-Policy
+ * - X-XSS-Protection (deprecated but still checked)
+ * - Cross-Origin-Opener-Policy
+ * - Cross-Origin-Resource-Policy
+ * - Cross-Origin-Embedder-Policy
+ */
+
+const https = require('https');
+const http = require('http');
+
+async function scanHeaders(parsedUrl, options = {}) {
+  const headers = await fetchHeaders(parsedUrl, options);
+  const checks = [];
+  let score = 0;
+  let maxScore = 0;
+
+  // --- Strict-Transport-Security ---
+  maxScore += 3;
+  const hsts = headers['strict-transport-security'];
+  if (hsts) {
+    const maxAge = parseInt((hsts.match(/max-age=(\d+)/) || [])[1] || '0');
+    const includesSubs = /includesubdomains/i.test(hsts);
+    const preload = /preload/i.test(hsts);
+    
+    if (maxAge >= 31536000 && includesSubs && preload) {
+      checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Excellent. max-age=${maxAge}, includeSubDomains, preload`, value: hsts });
+      score += 3;
+    } else if (maxAge >= 31536000) {
+      checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Good. max-age=${maxAge}${includesSubs ? ', includeSubDomains' : ''}${preload ? ', preload' : ''}`, value: hsts });
+      score += 2;
+    } else if (maxAge > 0) {
+      checks.push({ name: 'Strict-Transport-Security', status: 'warn', message: `max-age=${maxAge} is low. Recommend >= 31536000 (1 year)`, value: hsts });
+      score += 1;
+    }
+  } else {
+    checks.push({ name: 'Strict-Transport-Security', status: 'fail', message: 'Missing. Allows downgrade attacks to HTTP.', recommendation: 'Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' });
+  }
+
+  // --- Content-Security-Policy ---
+  maxScore += 3;
+  const csp = headers['content-security-policy'];
+  if (csp) {
+    const hasDefaultSrc = /default-src/i.test(csp);
+    const hasUnsafeInline = /unsafe-inline/i.test(csp);
+    const hasUnsafeEval = /unsafe-eval/i.test(csp);
+    
+    if (hasDefaultSrc && !hasUnsafeInline && !hasUnsafeEval) {
+      checks.push({ name: 'Content-Security-Policy', status: 'pass', message: 'Strong policy without unsafe directives', value: csp.substring(0, 200) + (csp.length > 200 ? '...' : '') });
+      score += 3;
+    } else if (hasDefaultSrc) {
+      const issues = [];
+      if (hasUnsafeInline) issues.push('unsafe-inline');
+      if (hasUnsafeEval) issues.push('unsafe-eval');
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: `Present but uses ${issues.join(', ')}`, value: csp.substring(0, 200) });
+      score += 1.5;
+    } else {
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Present but missing default-src directive', value: csp.substring(0, 200) });
+      score += 1;
+    }
+  } else {
+    checks.push({ name: 'Content-Security-Policy', status: 'fail', message: 'Missing. Vulnerable to XSS and data injection attacks.', recommendation: "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'" });
+  }
+
+  // --- X-Content-Type-Options ---
+  maxScore += 1;
+  const xcto = headers['x-content-type-options'];
+  if (xcto && xcto.toLowerCase() === 'nosniff') {
+    checks.push({ name: 'X-Content-Type-Options', status: 'pass', message: 'nosniff — prevents MIME-type sniffing', value: xcto });
+    score += 1;
+  } else {
+    checks.push({ name: 'X-Content-Type-Options', status: 'fail', message: 'Missing or incorrect. Browsers may MIME-sniff responses.', recommendation: 'Add: X-Content-Type-Options: nosniff' });
+  }
+
+  // --- X-Frame-Options ---
+  maxScore += 1;
+  const xfo = headers['x-frame-options'];
+  if (xfo) {
+    const val = xfo.toUpperCase();
+    if (val === 'DENY' || val === 'SAMEORIGIN') {
+      checks.push({ name: 'X-Frame-Options', status: 'pass', message: `${val} — prevents clickjacking`, value: xfo });
+      score += 1;
+    } else {
+      checks.push({ name: 'X-Frame-Options', status: 'warn', message: `Unusual value: ${xfo}`, value: xfo });
+      score += 0.5;
+    }
+  } else {
+    // Check if CSP has frame-ancestors
+    if (csp && /frame-ancestors/i.test(csp)) {
+      checks.push({ name: 'X-Frame-Options', status: 'pass', message: 'Not set, but CSP frame-ancestors provides equivalent protection', value: 'via CSP' });
+      score += 1;
+    } else {
+      checks.push({ name: 'X-Frame-Options', status: 'fail', message: 'Missing. Page can be embedded in iframes (clickjacking risk).', recommendation: 'Add: X-Frame-Options: DENY (or SAMEORIGIN)' });
+    }
+  }
+
+  // --- Referrer-Policy ---
+  maxScore += 1;
+  const rp = headers['referrer-policy'];
+  const goodPolicies = ['no-referrer', 'strict-origin-when-cross-origin', 'strict-origin', 'same-origin', 'no-referrer-when-downgrade'];
+  if (rp && goodPolicies.some(p => rp.toLowerCase().includes(p))) {
+    checks.push({ name: 'Referrer-Policy', status: 'pass', message: `${rp}`, value: rp });
+    score += 1;
+  } else if (rp) {
+    checks.push({ name: 'Referrer-Policy', status: 'warn', message: `Set to "${rp}" — may leak referrer data`, value: rp });
+    score += 0.5;
+  } else {
+    checks.push({ name: 'Referrer-Policy', status: 'warn', message: 'Missing. Browser defaults may leak URL paths in referrer.', recommendation: 'Add: Referrer-Policy: strict-origin-when-cross-origin' });
+  }
+
+  // --- Permissions-Policy ---
+  maxScore += 1;
+  const pp = headers['permissions-policy'] || headers['feature-policy'];
+  if (pp) {
+    checks.push({ name: 'Permissions-Policy', status: 'pass', message: 'Controls browser feature access', value: pp.substring(0, 200) });
+    score += 1;
+  } else {
+    checks.push({ name: 'Permissions-Policy', status: 'warn', message: 'Missing. Browser features (camera, mic, geolocation) unrestricted.', recommendation: 'Add: Permissions-Policy: camera=(), microphone=(), geolocation=()' });
+  }
+
+  // --- Cross-Origin-Opener-Policy ---
+  maxScore += 0.5;
+  const coop = headers['cross-origin-opener-policy'];
+  if (coop) {
+    checks.push({ name: 'Cross-Origin-Opener-Policy', status: 'pass', message: coop, value: coop });
+    score += 0.5;
+  } else {
+    checks.push({ name: 'Cross-Origin-Opener-Policy', status: 'info', message: 'Not set. Consider adding for cross-origin isolation.' });
+  }
+
+  // --- Cross-Origin-Resource-Policy ---
+  maxScore += 0.5;
+  const corp = headers['cross-origin-resource-policy'];
+  if (corp) {
+    checks.push({ name: 'Cross-Origin-Resource-Policy', status: 'pass', message: corp, value: corp });
+    score += 0.5;
+  } else {
+    checks.push({ name: 'Cross-Origin-Resource-Policy', status: 'info', message: 'Not set. Consider adding to control resource sharing.' });
+  }
+
+  // --- Deprecated but notable ---
+  const xxss = headers['x-xss-protection'];
+  if (xxss && xxss !== '0') {
+    checks.push({ name: 'X-XSS-Protection', status: 'info', message: `Set to "${xxss}". This header is deprecated; CSP is the modern replacement.`, value: xxss });
+  }
+
+  // --- Server header leak ---
+  const server = headers['server'];
+  if (server && /\d/.test(server)) {
+    checks.push({ name: 'Server Header', status: 'warn', message: `Leaks version info: "${server}". Remove version numbers.`, value: server });
+  }
+
+  // --- X-Powered-By leak ---
+  const powered = headers['x-powered-by'];
+  if (powered) {
+    checks.push({ name: 'X-Powered-By', status: 'warn', message: `Leaks technology: "${powered}". Remove this header.`, value: powered });
+  }
+
+  return { score, maxScore, checks };
+}
+
+function fetchHeaders(parsedUrl, options = {}) {
+  return new Promise((resolve, reject) => {
+    const timeout = options.timeout || 10000;
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    
+    const req = protocol.request(parsedUrl.href, {
+      method: 'HEAD',
+      timeout,
+      headers: {
+        'User-Agent': 'SiteGuard/0.1 Security Scanner (https://github.com/persio10/siteguard)'
+      },
+      rejectUnauthorized: false // We check SSL separately
+    }, (res) => {
+      // Follow redirects (up to 5)
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        const redirectUrl = new URL(res.headers.location, parsedUrl.href);
+        if ((options._redirectCount || 0) >= 5) {
+          reject(new Error('Too many redirects'));
+          return;
+        }
+        fetchHeaders(redirectUrl, { ...options, _redirectCount: (options._redirectCount || 0) + 1 })
+          .then(resolve).catch(reject);
+        return;
+      }
+      resolve(res.headers);
+    });
+
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Connection timeout')); });
+    req.end();
+  });
+}
+
+module.exports = { scanHeaders };

package/src/scanners/mixed-content.js

@@ -0,0 +1,109 @@
+/**
+ * Mixed Content Scanner
+ * 
+ * Detects HTTP resources loaded on HTTPS pages.
+ * Mixed content can be blocked by browsers and indicates security gaps.
+ * 
+ * Active mixed content (scripts, iframes) = high risk
+ * Passive mixed content (images, video) = medium risk
+ */
+
+const { fetchBody } = require('./sri');
+
+async function scanMixedContent(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 2;
+
+  if (parsedUrl.protocol !== 'https:') {
+    checks.push({ name: 'Mixed Content', status: 'info', message: 'Site served over HTTP — mixed content check not applicable' });
+    return { score: 0, maxScore: 0, checks };
+  }
+
+  const html = await fetchBody(parsedUrl, options);
+  
+  if (!html) {
+    checks.push({ name: 'Mixed Content', status: 'error', message: 'Could not fetch page HTML' });
+    return { score: 0, maxScore: 2, checks };
+  }
+
+  // Active mixed content (high risk — blocked by most browsers)
+  const activePatterns = [
+    { regex: /<script[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'script' },
+    { regex: /<iframe[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'iframe' },
+    { regex: /<link[^>]+href\s*=\s*["'](http:\/\/[^"']+)["'][^>]*rel\s*=\s*["']stylesheet["']/gi, type: 'stylesheet' },
+    { regex: /<object[^>]+data\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'object' },
+  ];
+
+  // Passive mixed content (medium risk — may show warnings)
+  const passivePatterns = [
+    { regex: /<img[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'image' },
+    { regex: /<video[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'video' },
+    { regex: /<audio[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'audio' },
+    { regex: /<source[^>]+src\s*=\s*["'](http:\/\/[^"']+)["']/gi, type: 'media source' },
+  ];
+
+  // Also check CSS url() references
+  const cssUrlPattern = /url\(\s*["']?(http:\/\/[^"')]+)["']?\s*\)/gi;
+
+  const activeIssues = [];
+  const passiveIssues = [];
+
+  for (const { regex, type } of activePatterns) {
+    let match;
+    while ((match = regex.exec(html)) !== null) {
+      activeIssues.push({ url: match[1], type });
+    }
+  }
+
+  for (const { regex, type } of passivePatterns) {
+    let match;
+    while ((match = regex.exec(html)) !== null) {
+      passiveIssues.push({ url: match[1], type });
+    }
+  }
+
+  let cssMatch;
+  while ((cssMatch = cssUrlPattern.exec(html)) !== null) {
+    passiveIssues.push({ url: cssMatch[1], type: 'css-url' });
+  }
+
+  // Score
+  if (activeIssues.length === 0 && passiveIssues.length === 0) {
+    checks.push({ name: 'Mixed Content', status: 'pass', message: 'No HTTP resources detected on HTTPS page' });
+    score = 2;
+  } else {
+    if (activeIssues.length > 0) {
+      checks.push({ name: 'Active Mixed Content', status: 'fail', 
+        message: `${activeIssues.length} active HTTP resource(s) — scripts/styles loaded over HTTP on HTTPS page. Blocked by modern browsers.`,
+        recommendation: 'Change all resource URLs from http:// to https:// or use protocol-relative URLs (//)' 
+      });
+      // List first 5
+      activeIssues.slice(0, 5).forEach(issue => {
+        checks.push({ name: `HTTP ${issue.type}`, status: 'fail', message: issue.url.substring(0, 100), value: issue.url });
+      });
+      if (activeIssues.length > 5) {
+        checks.push({ name: 'Active Mixed Content', status: 'info', message: `...and ${activeIssues.length - 5} more` });
+      }
+    } else {
+      score += 1;
+    }
+
+    if (passiveIssues.length > 0) {
+      checks.push({ name: 'Passive Mixed Content', status: 'warn',
+        message: `${passiveIssues.length} passive HTTP resource(s) — images/media loaded over HTTP. May show browser warnings.`,
+        recommendation: 'Update resource URLs to HTTPS'
+      });
+      passiveIssues.slice(0, 3).forEach(issue => {
+        checks.push({ name: `HTTP ${issue.type}`, status: 'warn', message: issue.url.substring(0, 100), value: issue.url });
+      });
+      score += 0.5;
+    } else {
+      score += 1;
+    }
+  }
+
+  return { score, maxScore, checks };
+}
+
+module.exports = { scanMixedContent };