Redmine Security Test Results



  • It looks like you are running a fully-patched and hardened Redmine 3.3.5 without any known security issues.
  • Your Redmine is protected by properly configured TLS/SSL.
  • All security relevant headers are configured properly.

What now?

  • Excellent! Your Redmine server seems to be up-to-date and configured properly.

Get Free Redmine Security Monitoring:

You will receive an email when the rating for changes or when a new Redmine version is released. This service is free. No spam, guaranteed.
Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.

General Server Test

TLS/SSL enabled
TLS/SSL encrypts your server's HTTP traffic and prevents attackers from eavesdropping on connections to and from your Redmine server.
TLS/SSL certificate is valid and trusted
Using a valid and trusted certificate prevents error messages in your user's browsers and makes sure that the connection has not been intercepted by attackers.
Redirecting to TLS/SSL
Your Redmine is redirecting unencrypted access to a secure TLS/SSL connection. This way your users are protected against attackers in the same (wireless) network, who may otherwise intercept all traffic and steal your user's passwords.
HTTP Strict Transport Security header set
A properly configured Strict Transport Security header, instructs your user's browser to automatically access your Redmine using an encrypted connection. This further reduces the risk of man-in-the-middle and phishing attacks in shared (wireless) networks.
X-Frame-Options header set
Using the X-Frame-Options header, your Redmine server is protected against Clickjacking attacks.
X-XSS-Protection header set
Your Redmine server properly activates additional automated cross-site scripting protection in many modern browsers.
X-Content-Type-Options header set
Content sniffing may enable cross-site scripting attacks. Since your Redmine server is properly sending the X-Content-Type-Options header, your users are protected against this attack vector.

How this works

Redmine Security Scanner tries to determine the version of your Redmine installation and it will list all known security vulnerabilities for that version. In addition, it will check your server configuration and make sure everything is set up securely.

Based on the results of these checks, Redmine Security Scanner will assign one of the following grades:

Your Redmine installation is up to date, protected by properly configured TLS/SSL, not accessible via an unencrypted connection and all security relevant server headers are configured properly. Well done!
Your Redmine installation is up to date, protected by properly configured TLS/SSL and not accessible via an unencrypted connection. However you are missing some security relevant server headers which we recommend to further harden your server.
Your Redmine installation is up to date, protected by SSL but you are using a self-signed or untrusted certificate. This may lead to security warnings in your browser. Attackers may use this for phishing attacks and steal your user's passwords.
Your Redmine installation is up to date, but it's accessible via an unencrypted plain text HTTP connection. Attackers in the same (wireless) network as your users can easily intercept all traffic and steal your user's passwords. Servers with enabled TLS/SSL will get the same rating if unencrypted access is possible as well.
Your Redmine installation is too old and is vulnerable to at least one security issue of low severity.
Your Redmine installation is too old and is vulnerable to at least one security issue of moderate severity.
Your Redmine installation is too old and is vulnerable to at least one security issue of critical or high severity.
Disclaimer and terms of use

Redmine Security Scanner is a free community service provided by the Redmine professionals at Planio. You are only allowed to use this service to scan your own Redmine installation.

All checks are performed using black box testing, that means Redmine Security Scanner will only collect information about your Redmine server that is publicly accessible. It will not attempt to login or access any privileged information.

If your Redmine code has been modified or deviates from the standard releases available on the Redmine website, Redmine Security Scanner may occasionally detect a wrong version or display vulnerabilities which are not present or exploitable on your Redmine server. It might also claim that your Redmine server isn't vulnerable to any known vulnerabilities when it actually is. In some cases, Redmine Security Scanner will not be able to detect a Redmine version with 100% certainty. A version range and the associated vulnerabilities will be shown in this case.

Redmine Security Scanner was built and tested with meticulous care and to the best of our knowledge, but Planio GmbH does not give any guarantees as to the correctness of the information displayed. Planio GmbH cannot be held liable for the correctness of the results of Redmine Security Scanner. The security of your Redmine server is your own responsibility. We also provide professional Redmine hosting should you wish to focus on your core business instead of your Redmine server.

If you believe that Redmine Security Scanner shows wrong results for your server, please get in touch and we will be happy to see if we can improve it.

Target Started Duration December 06, 2017 13:13 1.50s