mpx-scan 1.1.0 → 1.3.0

package/bin/cli.js

@@ -47,14 +47,14 @@ program
   .option('--full', 'Run all checks (Pro only)')
   .option('--json', 'Output as JSON (machine-readable)')
   .option('--brief', 'Brief output (one-line summary)')
-  .option('--quiet, -q', 'Minimal output (results only, no banners)')
+  .option('-q, --quiet', 'Minimal output (results only, no banners)')
   .option('--no-color', 'Disable colored output')
   .option('--batch', 'Batch mode: read URLs from stdin (one per line)')
   .option('--schema', 'Output JSON schema describing all commands and flags')
   .option('--fix <platform>', `Generate fix config for platform (${PLATFORMS.join(', ')})`)
   .option('--timeout <seconds>', 'Connection timeout', '10')
   .option('--ci', 'CI/CD mode: exit 1 if score below threshold')
-  .option('--min-score <score>', 'Minimum score for CI mode (default: 70)', '70')
+  .option('--min-score <score>', 'Minimum score for CI mode', '70')
   .action(async (url, options) => {
     // Handle --schema flag
     if (options.schema) {
@@ -89,6 +89,31 @@ async function runSingleScan(url, options) {
   }
 
   try {
+    // BUG-03: Validate --fix platform BEFORE scanning (exits 2 for invalid platforms)
+    if (options.fix) {
+      if (!PLATFORMS.includes(options.fix)) {
+        if (jsonMode) {
+          console.log(JSON.stringify({ error: `Invalid platform: "${options.fix}". Valid platforms: ${PLATFORMS.join(', ')}`, code: 'ERR_BAD_ARGS' }, null, 2));
+        } else {
+          console.error(chalk.red.bold(`\n❌ Invalid platform: "${options.fix}"`));
+          console.error(chalk.yellow(`Valid platforms: ${PLATFORMS.join(', ')}`));
+          console.error('');
+        }
+        return EXIT.BAD_ARGS;
+      }
+    }
+
+    // Validate timeout
+    const timeoutVal = parseInt(options.timeout);
+    if (isNaN(timeoutVal) || timeoutVal < 0) {
+      if (jsonMode) {
+        console.log(JSON.stringify({ error: 'Invalid --timeout value. Must be a non-negative number.', code: 'ERR_BAD_ARGS' }, null, 2));
+      } else {
+        console.error(chalk.red.bold('\n❌ Invalid --timeout value. Must be a non-negative number.'));
+      }
+      return EXIT.BAD_ARGS;
+    }
+    
     // Check license and rate limits
     const license = getLicense();
     const rateLimit = checkRateLimit();
@@ -159,9 +184,29 @@ async function runSingleScan(url, options) {
       console.log(formatReport(results, { ...options, quiet: quietMode }));
     }
     
+    // Check if core scanners errored with network issues (DNS failure, connection refused, etc.)
+    const coreScanners = ['headers', 'ssl'];
+    const coreErrored = coreScanners.every(name => {
+      const section = results.sections[name];
+      if (!section) return false;
+      return section.checks.some(c => c.status === 'error' && 
+        /ENOTFOUND|ECONNREFUSED|ETIMEDOUT|ECONNRESET|network/i.test(c.message || ''));
+    });
+    if (coreErrored) {
+      return EXIT.NETWORK_ERROR;
+    }
+    
     // Determine exit code based on findings
     if (options.ci) {
       const minScore = parseInt(options.minScore);
+      if (isNaN(minScore)) {
+        if (jsonMode) {
+          console.log(JSON.stringify({ error: 'Invalid --min-score value', code: 'ERR_BAD_ARGS' }, null, 2));
+        } else {
+          console.error(chalk.red.bold('\n❌ Invalid --min-score value. Must be a number.'));
+        }
+        return EXIT.BAD_ARGS;
+      }
       const percentage = Math.round((results.score / results.maxScore) * 100);
       if (percentage < minScore) {
         if (!jsonMode && !options.brief && !quietMode) {
@@ -169,6 +214,7 @@ async function runSingleScan(url, options) {
         }
         return EXIT.ISSUES_FOUND;
       }
+      return EXIT.SUCCESS;
     }
     
     // Exit 1 if there are failures, 0 if clean
@@ -362,6 +408,79 @@ program
     console.log('');
   });
 
+// Update subcommand
+program
+  .command('update')
+  .description('Check for updates and optionally install the latest version')
+  .option('--check', 'Only check for updates (do not install)')
+  .option('--json', 'Machine-readable JSON output')
+  .action(async (options, cmd) => {
+    const { checkForUpdate, performUpdate } = require('../src/update');
+    const jsonMode = options.json || cmd.parent?.opts()?.json;
+
+    try {
+      const info = checkForUpdate();
+
+      if (jsonMode) {
+        const output = {
+          current: info.current,
+          latest: info.latest,
+          updateAvailable: info.updateAvailable,
+          isGlobal: info.isGlobal
+        };
+
+        if (!options.check && info.updateAvailable) {
+          try {
+            const result = performUpdate(info.isGlobal);
+            output.updated = true;
+            output.newVersion = result.version;
+          } catch (err) {
+            output.updated = false;
+            output.error = err.message;
+          }
+        }
+
+        console.log(JSON.stringify(output, null, 2));
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      // Human-readable output
+      if (!info.updateAvailable) {
+        console.log('');
+        console.log(chalk.green.bold(`✓ mpx-scan v${info.current} is up to date`));
+        console.log('');
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      console.log('');
+      console.log(chalk.yellow.bold(`⬆ Update available: v${info.current} → v${info.latest}`));
+
+      if (options.check) {
+        console.log(chalk.gray(`Run ${chalk.cyan('mpx-scan update')} to install`));
+        console.log('');
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      console.log(chalk.gray(`Installing v${info.latest}${info.isGlobal ? ' (global)' : ''}...`));
+
+      const result = performUpdate(info.isGlobal);
+      console.log(chalk.green.bold(`✓ Updated to v${result.version}`));
+      console.log('');
+      process.exit(EXIT.SUCCESS);
+    } catch (err) {
+      if (jsonMode) {
+        console.log(JSON.stringify({ error: err.message, code: 'ERR_UPDATE' }, null, 2));
+      } else {
+        console.error(chalk.red.bold('\n❌ Update check failed:'), err.message);
+        console.error('');
+      }
+      process.exit(EXIT.NETWORK_ERROR);
+    }
+  });
+
 // MCP subcommand
 program
   .command('mcp')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mpx-scan",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "Professional website security scanner CLI. Check headers, SSL, cookies, DNS, and get actionable fix suggestions. Part of the Mesaplex developer toolchain.",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -7,6 +7,8 @@
  * Zero external dependencies for scanning (only chalk/commander for CLI)
  */
 
+const https = require('https');
+const http = require('http');
 const { scanHeaders } = require('./scanners/headers');
 const { scanSSL } = require('./scanners/ssl');
 const { scanCookies } = require('./scanners/cookies');
@@ -30,8 +32,58 @@ const SCANNER_TIERS = {
  * @param {object} options - Scan options
  * @returns {object} Structured scan report
  */
+/**
+ * Quick connectivity check — throws a network error if the host is unreachable.
+ * Used to provide exit code 4 (NETWORK_ERROR) early instead of silently returning error checks.
+ */
+function checkConnectivity(parsedUrl, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    const timer = setTimeout(() => {
+      req && req.destroy();
+      const err = new Error(`ETIMEDOUT: Connection to ${parsedUrl.hostname} timed out`);
+      err.code = 'ETIMEDOUT';
+      reject(err);
+    }, timeoutMs);
+
+    const req = protocol.request({
+      hostname: parsedUrl.hostname,
+      port: parsedUrl.port || (parsedUrl.protocol === 'https:' ? 443 : 80),
+      path: parsedUrl.pathname || '/',
+      method: 'HEAD',
+      timeout: timeoutMs,
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner' },
+      rejectUnauthorized: false,
+    }, (res) => {
+      clearTimeout(timer);
+      res.resume();
+      resolve();
+    });
+
+    req.on('error', (err) => {
+      clearTimeout(timer);
+      if (err.code === 'ENOTFOUND' || err.code === 'ECONNREFUSED' || err.code === 'ETIMEDOUT' || err.code === 'ECONNRESET') {
+        reject(err);
+      } else {
+        resolve(); // Other errors (like SSL) are fine — host is reachable
+      }
+    });
+
+    req.on('timeout', () => {
+      req.destroy();
+      clearTimeout(timer);
+      const err = new Error(`ETIMEDOUT: Connection to ${parsedUrl.hostname} timed out`);
+      err.code = 'ETIMEDOUT';
+      reject(err);
+    });
+
+    req.end();
+  });
+}
+
 async function scan(url, options = {}) {
   const startTime = Date.now();
+  const timeoutMs = options.timeout || 10000;
   
   // Normalize URL
   if (!url.startsWith('http://') && !url.startsWith('https://')) {
@@ -39,6 +91,9 @@ async function scan(url, options = {}) {
   }
   
   const parsedUrl = new URL(url);
+  
+  // BUG-02: Pre-scan connectivity check — throws network error → CLI maps to exit 4
+  await checkConnectivity(parsedUrl, Math.min(timeoutMs, 10000));
   const results = {
     url: parsedUrl.href,
     hostname: parsedUrl.hostname,
@@ -58,7 +113,7 @@ async function scan(url, options = {}) {
   };
 
   const allScanners = [
-    { name: 'headers', fn: scanHeaders, weight: 25 },
+    { name: 'headers', fn: scanHeaders, weight: 15 },
     { name: 'ssl', fn: scanSSL, weight: 20 },
     { name: 'cookies', fn: scanCookies, weight: 10 },
     { name: 'server', fn: scanServer, weight: 8 },
@@ -75,10 +130,21 @@ async function scan(url, options = {}) {
   
   const enabledScanners = allScanners.filter(s => allowedScanners.includes(s.name));
 
+  // BUG-05: Wrap each scanner in a timeout race to prevent hanging on closed ports
+  const scannerTimeout = timeoutMs + 5000; // Give scanners a bit extra beyond the connect timeout
+
   // Run scanners concurrently
   const scanPromises = enabledScanners.map(async (scanner) => {
     try {
-      const result = await scanner.fn(parsedUrl, options);
+      // BUG-05: Race scanner against timeout to prevent indefinite hang on closed ports
+      const timeoutPromise = new Promise((_, reject) => {
+        const t = setTimeout(() => {
+          reject(new Error(`Scanner timed out after ${scannerTimeout}ms`));
+        }, scannerTimeout);
+        // Allow process to exit even if timer is pending
+        if (t.unref) t.unref();
+      });
+      const result = await Promise.race([scanner.fn(parsedUrl, options), timeoutPromise]);
       return { name: scanner.name, weight: scanner.weight, result };
     } catch (err) {
       return { 

package/src/reporters/json.js

@@ -4,10 +4,12 @@
  * Machine-readable output for CI/CD pipelines
  */
 
+const pkg = require('../../package.json');
+
 function formatJSON(results, pretty = false) {
   const output = {
     mpxScan: {
-      version: '1.0.0',
+      version: pkg.version,
       scannedAt: results.scannedAt,
       scanDuration: results.scanDuration
     },

package/src/reporters/terminal.js

@@ -34,6 +34,11 @@ const GRADE_COLORS = {
 function formatReport(results, options = {}) {
   const lines = [];
   
+  // Quiet mode: results only, no banners or decoration
+  if (options.quiet) {
+    return formatQuiet(results);
+  }
+  
   // Header
   lines.push('');
   lines.push(chalk.bold.cyan('┌─────────────────────────────────────────────────────────────┐'));
@@ -137,4 +142,25 @@ function capitalize(str) {
     .trim();
 }
 
+function formatQuiet(results) {
+  const lines = [];
+  const gradeColor = GRADE_COLORS[results.grade] || 'gray';
+  const percentage = Math.round((results.score / results.maxScore) * 100);
+  
+  lines.push(chalk.bold[gradeColor](results.grade) + chalk.gray(` (${percentage}/100)`) + 
+             ` — ${chalk.green(results.summary.passed + ' passed')} ${chalk.yellow(results.summary.warnings + ' warnings')} ${chalk.red(results.summary.failed + ' failed')}`);
+  
+  for (const [name, section] of Object.entries(results.sections)) {
+    for (const check of section.checks) {
+      if (check.status === 'fail' || check.status === 'warn') {
+        const icon = STATUS_ICONS[check.status];
+        const color = STATUS_COLORS[check.status];
+        lines.push(chalk[color](`  ${icon} ${check.name}: ${check.message || ''}`));
+      }
+    }
+  }
+  
+  return lines.join('\n');
+}
+
 module.exports = { formatReport, formatBrief };

package/src/scanners/cookies.js

@@ -78,13 +78,25 @@ function fetchCookies(parsedUrl, options = {}) {
     const req = protocol.request(parsedUrl.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       // Consume body
       res.on('data', () => {});
       res.on('end', () => {});
 
+      // Follow redirects to get cookies from final destination
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        if ((options._redirectCount || 0) >= 5) {
+          resolve([]);
+          return;
+        }
+        const redirectUrl = new URL(res.headers.location, parsedUrl.href);
+        fetchCookies(redirectUrl, { ...options, _redirectCount: (options._redirectCount || 0) + 1 })
+          .then(resolve).catch(() => resolve([]));
+        return;
+      }
+
       const setCookies = res.headers['set-cookie'] || [];
       const parsed = setCookies.map(parseCookie);
       resolve(parsed);

package/src/scanners/dns.js

@@ -13,6 +13,19 @@
 const dns = require('dns');
 const { Resolver } = dns.promises;
 
+/**
+ * BUG-12: Wrap a DNS promise in a race against a timeout to prevent indefinite hangs.
+ */
+function withTimeout(promise, ms, label) {
+  return Promise.race([
+    promise,
+    new Promise((_, reject) => {
+      const t = setTimeout(() => reject(new Error(`DNS timeout for ${label}`)), ms);
+      if (t.unref) t.unref();
+    })
+  ]);
+}
+
 async function scanDNS(parsedUrl, options = {}) {
   const checks = [];
   let score = 0;
@@ -25,11 +38,13 @@ async function scanDNS(parsedUrl, options = {}) {
   
   const resolver = new Resolver();
   resolver.setServers(['8.8.8.8', '1.1.1.1']); // Use public DNS
+  
+  const dnsTimeout = options.timeout ? Math.min(options.timeout, 10000) : 10000;
 
   // --- SPF Record ---
   maxScore += 1;
   try {
-    const txtRecords = await resolver.resolveTxt(rootDomain);
+    const txtRecords = await withTimeout(resolver.resolveTxt(rootDomain), dnsTimeout, `TXT ${rootDomain}`);
     const spf = txtRecords.flat().find(r => r.startsWith('v=spf1'));
     if (spf) {
       const hasAll = /[-~?+]all/.test(spf);
@@ -54,7 +69,7 @@ async function scanDNS(parsedUrl, options = {}) {
   // --- DMARC Record ---
   maxScore += 1;
   try {
-    const dmarcRecords = await resolver.resolveTxt(`_dmarc.${rootDomain}`);
+    const dmarcRecords = await withTimeout(resolver.resolveTxt(`_dmarc.${rootDomain}`), dnsTimeout, `DMARC ${rootDomain}`);
     const dmarc = dmarcRecords.flat().find(r => r.startsWith('v=DMARC1'));
     if (dmarc) {
       const policy = (dmarc.match(/p=(\w+)/) || [])[1] || 'none';
@@ -82,7 +97,7 @@ async function scanDNS(parsedUrl, options = {}) {
   // --- CAA Records ---
   maxScore += 0.5;
   try {
-    const caaRecords = await resolver.resolveCaa(rootDomain);
+    const caaRecords = await withTimeout(resolver.resolveCaa(rootDomain), dnsTimeout, `CAA ${rootDomain}`);
     if (caaRecords && caaRecords.length > 0) {
       const issuers = caaRecords.filter(r => r.tag === 'issue').map(r => r.value);
       checks.push({ name: 'CAA Records', status: 'pass', message: `Restricts certificate issuance to: ${issuers.join(', ')}`, value: issuers.join(', ') });
@@ -100,7 +115,7 @@ async function scanDNS(parsedUrl, options = {}) {
 
   // --- MX Records (informational) ---
   try {
-    const mxRecords = await resolver.resolveMx(rootDomain);
+    const mxRecords = await withTimeout(resolver.resolveMx(rootDomain), dnsTimeout, `MX ${rootDomain}`);
     if (mxRecords && mxRecords.length > 0) {
       const mxList = mxRecords.sort((a, b) => a.priority - b.priority).map(r => `${r.exchange} (${r.priority})`);
       checks.push({ name: 'MX Records', status: 'info', message: `Mail servers: ${mxList.join(', ')}`, value: mxList.join(', ') });

package/src/scanners/exposed-files.js

@@ -151,7 +151,7 @@ function checkPath(parsedUrl, pathStr, options = {}) {
     const req = protocol.request(url.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       let body = '';

package/src/scanners/fingerprint.js

@@ -297,16 +297,18 @@ async function scanFingerprint(parsedUrl, options = {}) {
 function fetchHeaders(parsedUrl, options = {}) {
   return new Promise((resolve) => {
     const timeout = options.timeout || 10000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     let resolved = false;
     const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
     const timer = setTimeout(() => done(null), timeout + 2000);
 
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD', timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      method, timeout,
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
       clearTimeout(timer);
       // Follow redirects
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
@@ -314,6 +316,11 @@ function fetchHeaders(parsedUrl, options = {}) {
         fetchHeaders(redirectUrl, options).then(done);
         return;
       }
+      // HEAD returned error — retry with GET
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchHeaders(parsedUrl, { ...options, _useGet: true }).then(done);
+        return;
+      }
       done(res.headers);
     });
     req.on('error', () => { clearTimeout(timer); done(null); });

package/src/scanners/headers.js

@@ -23,8 +23,12 @@ async function scanHeaders(parsedUrl, options = {}) {
   let score = 0;
   let maxScore = 0;
 
-  // --- Strict-Transport-Security ---
-  maxScore += 3;
+  // ==============================================
+  // CRITICAL HEADERS (fail if missing, full points)
+  // ==============================================
+
+  // --- Strict-Transport-Security (4 pts) ---
+  maxScore += 4;
   const hsts = headers['strict-transport-security'];
   if (hsts) {
     const maxAge = parseInt((hsts.match(/max-age=(\d+)/) || [])[1] || '0');
@@ -33,10 +37,10 @@ async function scanHeaders(parsedUrl, options = {}) {
     
     if (maxAge >= 31536000 && includesSubs && preload) {
       checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Excellent. max-age=${maxAge}, includeSubDomains, preload`, value: hsts });
-      score += 3;
+      score += 4;
     } else if (maxAge >= 31536000) {
       checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Good. max-age=${maxAge}${includesSubs ? ', includeSubDomains' : ''}${preload ? ', preload' : ''}`, value: hsts });
-      score += 2;
+      score += 3;
     } else if (maxAge > 0) {
       checks.push({ name: 'Strict-Transport-Security', status: 'warn', message: `max-age=${maxAge} is low. Recommend >= 31536000 (1 year)`, value: hsts });
       score += 1;
@@ -45,78 +49,88 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Strict-Transport-Security', status: 'fail', message: 'Missing. Allows downgrade attacks to HTTP.', recommendation: 'Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' });
   }
 
-  // --- Content-Security-Policy ---
+  // --- X-Content-Type-Options (3 pts) ---
   maxScore += 3;
-  const csp = headers['content-security-policy'];
-  if (csp) {
-    const hasDefaultSrc = /default-src/i.test(csp);
-    const hasUnsafeInline = /unsafe-inline/i.test(csp);
-    const hasUnsafeEval = /unsafe-eval/i.test(csp);
-    
-    if (hasDefaultSrc && !hasUnsafeInline && !hasUnsafeEval) {
-      checks.push({ name: 'Content-Security-Policy', status: 'pass', message: 'Strong policy without unsafe directives', value: csp.substring(0, 200) + (csp.length > 200 ? '...' : '') });
-      score += 3;
-    } else if (hasDefaultSrc) {
-      const issues = [];
-      if (hasUnsafeInline) issues.push('unsafe-inline');
-      if (hasUnsafeEval) issues.push('unsafe-eval');
-      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: `Present but uses ${issues.join(', ')}`, value: csp.substring(0, 200) });
-      score += 1.5;
-    } else {
-      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Present but missing default-src directive', value: csp.substring(0, 200) });
-      score += 1;
-    }
-  } else {
-    checks.push({ name: 'Content-Security-Policy', status: 'fail', message: 'Missing. Vulnerable to XSS and data injection attacks.', recommendation: "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'" });
-  }
-
-  // --- X-Content-Type-Options ---
-  maxScore += 1;
   const xcto = headers['x-content-type-options'];
   if (xcto && xcto.toLowerCase() === 'nosniff') {
     checks.push({ name: 'X-Content-Type-Options', status: 'pass', message: 'nosniff — prevents MIME-type sniffing', value: xcto });
-    score += 1;
+    score += 3;
   } else {
     checks.push({ name: 'X-Content-Type-Options', status: 'fail', message: 'Missing or incorrect. Browsers may MIME-sniff responses.', recommendation: 'Add: X-Content-Type-Options: nosniff' });
   }
 
-  // --- X-Frame-Options ---
-  maxScore += 1;
+  // ==============================================
+  // IMPORTANT HEADERS (fail if missing, fewer pts)
+  // ==============================================
+
+  // --- X-Frame-Options (2 pts) ---
+  maxScore += 2;
+  const csp = headers['content-security-policy'];
   const xfo = headers['x-frame-options'];
   if (xfo) {
     const val = xfo.toUpperCase();
     if (val === 'DENY' || val === 'SAMEORIGIN') {
       checks.push({ name: 'X-Frame-Options', status: 'pass', message: `${val} — prevents clickjacking`, value: xfo });
-      score += 1;
+      score += 2;
     } else {
       checks.push({ name: 'X-Frame-Options', status: 'warn', message: `Unusual value: ${xfo}`, value: xfo });
-      score += 0.5;
+      score += 1;
     }
   } else {
     // Check if CSP has frame-ancestors
     if (csp && /frame-ancestors/i.test(csp)) {
       checks.push({ name: 'X-Frame-Options', status: 'pass', message: 'Not set, but CSP frame-ancestors provides equivalent protection', value: 'via CSP' });
-      score += 1;
+      score += 2;
     } else {
       checks.push({ name: 'X-Frame-Options', status: 'fail', message: 'Missing. Page can be embedded in iframes (clickjacking risk).', recommendation: 'Add: X-Frame-Options: DENY (or SAMEORIGIN)' });
     }
   }
 
-  // --- Referrer-Policy ---
-  maxScore += 1;
+  // --- Referrer-Policy (2 pts) ---
+  maxScore += 2;
   const rp = headers['referrer-policy'];
   const goodPolicies = ['no-referrer', 'strict-origin-when-cross-origin', 'strict-origin', 'same-origin', 'no-referrer-when-downgrade'];
   if (rp && goodPolicies.some(p => rp.toLowerCase().includes(p))) {
     checks.push({ name: 'Referrer-Policy', status: 'pass', message: `${rp}`, value: rp });
-    score += 1;
+    score += 2;
   } else if (rp) {
     checks.push({ name: 'Referrer-Policy', status: 'warn', message: `Set to "${rp}" — may leak referrer data`, value: rp });
-    score += 0.5;
+    score += 1;
+  } else {
+    checks.push({ name: 'Referrer-Policy', status: 'fail', message: 'Missing. Browser defaults may leak URL paths in referrer.', recommendation: 'Add: Referrer-Policy: strict-origin-when-cross-origin' });
+  }
+
+  // ==============================================
+  // NICE-TO-HAVE HEADERS (warn if missing, no pts)
+  // ==============================================
+
+  // --- Content-Security-Policy (bonus: 2 pts if present, warn if missing, no deduction) ---
+  maxScore += 2;
+  if (csp) {
+    const hasDefaultSrc = /default-src/i.test(csp);
+    const hasUnsafeInline = /unsafe-inline/i.test(csp);
+    const hasUnsafeEval = /unsafe-eval/i.test(csp);
+    
+    if (hasDefaultSrc && !hasUnsafeInline && !hasUnsafeEval) {
+      checks.push({ name: 'Content-Security-Policy', status: 'pass', message: 'Strong policy without unsafe directives', value: csp.substring(0, 200) + (csp.length > 200 ? '...' : '') });
+      score += 2;
+    } else if (hasDefaultSrc) {
+      const issues = [];
+      if (hasUnsafeInline) issues.push('unsafe-inline');
+      if (hasUnsafeEval) issues.push('unsafe-eval');
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: `Present but uses ${issues.join(', ')}`, value: csp.substring(0, 200) });
+      score += 1;
+    } else {
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Present but missing default-src directive', value: csp.substring(0, 200) });
+      score += 1;
+    }
   } else {
-    checks.push({ name: 'Referrer-Policy', status: 'warn', message: 'Missing. Browser defaults may leak URL paths in referrer.', recommendation: 'Add: Referrer-Policy: strict-origin-when-cross-origin' });
+    // Warn instead of fail — CSP is hard to implement correctly
+    checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Missing. Consider adding to protect against XSS and data injection.', recommendation: "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'" });
+    score += 0; // No deduction for missing CSP
   }
 
-  // --- Permissions-Policy ---
+  // --- Permissions-Policy (bonus: 1 pt if present) ---
   maxScore += 1;
   const pp = headers['permissions-policy'] || headers['feature-policy'];
   if (pp) {
@@ -126,7 +140,7 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Permissions-Policy', status: 'warn', message: 'Missing. Browser features (camera, mic, geolocation) unrestricted.', recommendation: 'Add: Permissions-Policy: camera=(), microphone=(), geolocation=()' });
   }
 
-  // --- Cross-Origin-Opener-Policy ---
+  // --- Cross-Origin-Opener-Policy (bonus: 0.5 pts if present) ---
   maxScore += 0.5;
   const coop = headers['cross-origin-opener-policy'];
   if (coop) {
@@ -136,7 +150,7 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Cross-Origin-Opener-Policy', status: 'info', message: 'Not set. Consider adding for cross-origin isolation.' });
   }
 
-  // --- Cross-Origin-Resource-Policy ---
+  // --- Cross-Origin-Resource-Policy (bonus: 0.5 pts if present) ---
   maxScore += 0.5;
   const corp = headers['cross-origin-resource-policy'];
   if (corp) {
@@ -170,16 +184,20 @@ async function scanHeaders(parsedUrl, options = {}) {
 function fetchHeaders(parsedUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 10000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
       headers: {
-        'User-Agent': 'mpx-scan/1.0.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)'
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)'
       },
       rejectUnauthorized: false // We check SSL separately
     }, (res) => {
+      // Consume body for GET requests
+      if (method === 'GET') { res.resume(); }
+
       // Follow redirects (up to 5)
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
         const redirectUrl = new URL(res.headers.location, parsedUrl.href);
@@ -191,6 +209,14 @@ function fetchHeaders(parsedUrl, options = {}) {
           .then(resolve).catch(reject);
         return;
       }
+
+      // If HEAD returned 4xx/5xx, retry with GET (some servers reject HEAD)
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchHeaders(parsedUrl, { ...options, _useGet: true })
+          .then(resolve).catch(reject);
+        return;
+      }
+
       resolve(res.headers);
     });
 

package/src/scanners/redirects.js

@@ -38,7 +38,7 @@ async function scanRedirects(parsedUrl, options = {}) {
       
       const result = await followRedirect(testUrl, options);
       
-      if (result.redirectsToExternal) {
+      if (result.redirectsToExternal && !result.isSameDomain) {
         vulnParams.push({ param, redirectedTo: result.location });
         return { param, vulnerable: true };
       } else {
@@ -81,12 +81,12 @@ function followRedirect(testUrl, options = {}) {
     const protocol = testUrl.protocol === 'https:' ? https : http;
     let resolved = false;
     const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
-    const timer = setTimeout(() => done({ redirectsToExternal: false }), timeout + 1000);
+    const timer = setTimeout(() => { req && req.destroy(); done({ redirectsToExternal: false }); }, timeout);
 
     const req = protocol.request(testUrl.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       res.resume(); // Consume body
@@ -96,13 +96,13 @@ function followRedirect(testUrl, options = {}) {
         const location = res.headers.location;
         try {
           const redirectTarget = new URL(location, testUrl.href);
-          // Check if redirect goes to our test domain OR any external domain
-          // that wasn't the original host (indicates the param controls redirect target)
           const originalHost = testUrl.hostname;
-          const isExternal = redirectTarget.hostname !== originalHost && 
-                            (redirectTarget.hostname.includes('evil.example.com') ||
-                             redirectTarget.href.includes('evil.example.com'));
-          done({ redirectsToExternal: isExternal, location });
+          // Only flag if redirect target is exactly the evil test domain
+          const isExternal = redirectTarget.hostname === 'evil.example.com';
+          // Skip flagging apex→www redirects (same root domain)
+          const getRootDomain = h => h.split('.').slice(-2).join('.');
+          const isSameDomain = getRootDomain(redirectTarget.hostname) === getRootDomain(originalHost);
+          done({ redirectsToExternal: isExternal, isSameDomain, location });
         } catch {
           done({ redirectsToExternal: false });
         }

package/src/scanners/server.js

@@ -84,14 +84,18 @@ async function scanServer(parsedUrl, options = {}) {
 function checkRedirectToHttps(httpUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 5000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const req = http.request(httpUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
       if (res.statusCode >= 300 && res.statusCode < 400) {
         const location = res.headers.location || '';
         resolve(location.startsWith('https://'));
+      } else if (!options._useGet && res.statusCode >= 400) {
+        checkRedirectToHttps(httpUrl, { ...options, _useGet: true }).then(resolve).catch(reject);
       } else {
         resolve(false);
       }
@@ -105,16 +109,23 @@ function checkRedirectToHttps(httpUrl, options = {}) {
 function fetchWithOrigin(parsedUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 5000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
       headers: {
-        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)',
         'Origin': 'https://evil.example.com'
       },
       rejectUnauthorized: false,
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
+      // HEAD returned error — retry with GET
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchWithOrigin(parsedUrl, { ...options, _useGet: true }).then(resolve).catch(reject);
+        return;
+      }
       resolve(res.headers);
     });
     req.on('error', reject);
@@ -130,7 +141,7 @@ function checkMethods(parsedUrl, options = {}) {
     const req = protocol.request(parsedUrl.href, {
       method: 'OPTIONS',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       const allow = res.headers.allow || '';

package/src/scanners/sri.js

@@ -125,7 +125,7 @@ function fetchBody(parsedUrl, options = {}) {
       method: 'GET',
       timeout,
       headers: { 
-        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)',
         'Accept': 'text/html'
       },
       rejectUnauthorized: false,

package/src/schema.js

@@ -175,6 +175,19 @@ function getSchema() {
       deactivate: {
         description: 'Deactivate Pro license and return to free tier',
         usage: 'mpx-scan deactivate'
+      },
+      update: {
+        description: 'Check for updates and optionally install the latest version',
+        usage: 'mpx-scan update [--check] [--json]',
+        flags: {
+          '--check': { description: 'Only check for updates (do not install)', default: false },
+          '--json': { description: 'Machine-readable JSON output', default: false }
+        },
+        examples: [
+          { command: 'mpx-scan update', description: 'Check and install updates' },
+          { command: 'mpx-scan update --check', description: 'Just check for updates' },
+          { command: 'mpx-scan update --check --json', description: 'Check for updates (JSON output)' }
+        ]
       }
     },
     scanners: {

package/src/update.js

@@ -0,0 +1,68 @@
+/**
+ * Update Command
+ * 
+ * Checks npm for the latest version of mpx-scan and offers to update.
+ */
+
+const { execSync } = require('child_process');
+const pkg = require('../package.json');
+
+/**
+ * Check npm registry for latest version
+ * @returns {object} { current, latest, updateAvailable, isGlobal }
+ */
+function checkForUpdate() {
+  const current = pkg.version;
+  
+  let latest;
+  try {
+    latest = execSync('npm view mpx-scan version', { encoding: 'utf8', timeout: 10000 }).trim();
+  } catch (err) {
+    throw new Error('Failed to check npm registry: ' + (err.message || 'unknown error'));
+  }
+  
+  const updateAvailable = latest !== current && compareVersions(latest, current) > 0;
+  
+  // Detect if installed globally
+  let isGlobal = false;
+  try {
+    const globalDir = execSync('npm root -g', { encoding: 'utf8', timeout: 5000 }).trim();
+    isGlobal = __dirname.startsWith(globalDir) || process.argv[1]?.includes('node_modules/.bin');
+  } catch {
+    // Can't determine, assume local
+  }
+  
+  return { current, latest, updateAvailable, isGlobal };
+}
+
+/**
+ * Perform the update
+ * @param {boolean} isGlobal - Install globally
+ * @returns {object} { success, version }
+ */
+function performUpdate(isGlobal) {
+  const cmd = isGlobal ? 'npm install -g mpx-scan@latest' : 'npm install mpx-scan@latest';
+  try {
+    execSync(cmd, { encoding: 'utf8', timeout: 60000, stdio: 'pipe' });
+    // Verify
+    const newVersion = execSync('npm view mpx-scan version', { encoding: 'utf8', timeout: 10000 }).trim();
+    return { success: true, version: newVersion };
+  } catch (err) {
+    throw new Error('Update failed: ' + (err.message || 'unknown error'));
+  }
+}
+
+/**
+ * Compare semver strings. Returns >0 if a > b, <0 if a < b, 0 if equal.
+ */
+function compareVersions(a, b) {
+  const pa = a.split('.').map(Number);
+  const pb = b.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] || 0) > (pb[i] || 0)) return 1;
+    if ((pa[i] || 0) < (pb[i] || 0)) return -1;
+  }
+  return 0;
+}
+
+module.exports = { checkForUpdate, performUpdate, compareVersions };