Skip to main content

Is madrid.es a Scam? Security Check Results - Ayuntamiento de Madrid Reviews

A

Is madrid.es Safe? Security Analysis for Ayuntamiento de Madrid

https://madrid.es

Check if madrid.es is a scam or legitimate. Free security scan and reviews.

GovernmentSpainlarge
JavaScriptjQueryBootstrapReadSpeakerSiteimprove Analytics+3 more
Analyzed 8/1/2025Completed 1:02:08 AM
66
Security Score
MEDIUM RISK

AI Summary

The Ayuntamiento de Madrid website serves as the official digital portal for the Madrid City Council, providing a comprehensive range of municipal services, news, and citizen engagement tools. It targets residents, businesses, and visitors, offering e-government services and up-to-date information on local governance and community activities. The site maintains a strong market position as the authoritative source for Madrid municipal information. Technically, the website employs a modern tech stack including Bootstrap for responsive design, JavaScript libraries such as jQuery, and integrates third-party services like ReadSpeaker for accessibility and Siteimprove Analytics for performance monitoring. Hosting appears to leverage Akamai's infrastructure, ensuring reliable delivery and performance. The site demonstrates good mobile optimization, accessibility, and SEO practices. From a security perspective, the site enforces HTTPS and implements cookie consent mechanisms, reflecting compliance with GDPR and privacy regulations. While explicit security headers are not evident in the HTML content, the site uses monitoring tools and avoids exposing sensitive data. No vulnerabilities or suspicious patterns were detected. The WHOIS data is restricted due to Red.es policies for .es domains, which is standard and does not detract from the domain's legitimacy. Overall, the website presents a low-risk profile with strong business credibility, excellent content quality, and a solid technical foundation. Strategic recommendations include enhancing security headers, publishing a formal security policy, and adding a vulnerability disclosure program to further strengthen trust and security posture.

Detected Technologies

JavaScriptjQueryBootstrapReadSpeakerSiteimprove AnalyticsPingdomGoogle Tag ManagerBOOMR (Akamai Boomerang)

🧠AI Business Intelligence

Technology stack, business insights, and market analysis powered by AI.

Business Intelligence

Market & Strategic Analysis

The Ayuntamiento de Madrid operates as a large government entity providing essential public services through its digital platform. Its business model focuses on delivering municipal information, facilitating citizen interactions, and enabling e-government transactions. The site supports a broad audience including residents, businesses, and visitors, reflecting a comprehensive service ecosystem. The presence of official social media channels and integration with related government portals indicates a well-established partnership ecosystem. Growth indicators include continuous content updates, event calendars, and active citizen engagement features. The platform's authoritative status in the municipal sector positions it strongly against competitors in the public administration domain.

Security Posture Analysis

Comprehensive Security Assessment

The website exhibits a mature security posture with mandatory HTTPS encryption and cookie consent mechanisms aligned with GDPR requirements. The absence of exposed sensitive data and use of reputable third-party monitoring tools contribute positively to its security profile. However, the lack of visible security headers such as Content-Security-Policy and X-Frame-Options suggests room for improvement. No incident response or vulnerability disclosure information is publicly available, which could be enhanced to improve transparency and readiness. Overall, the site maintains a secure environment appropriate for a government portal, with recommendations to formalize security policies and disclosure practices.

Strategic Recommendations

Priority Actions for Security Improvement

1

Implement comprehensive HTTP security headers including Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.

Observations

AI-powered comprehensive website and business analysis.

AI-Enhanced Website Analysis

Business Insights

Company:

Ayuntamiento de Madrid

Description:

Official website portal of the Madrid City Council providing information, news, services, and citizen engagement for Madrid residents and visitors.

Key Services:
Municipal news and updatesElectronic government services (Sede Electrónica)Citizen engagement and participationInformation on districts and local administrationEvent calendars and cultural activities
Content Quality:

excellent

Branding:

consistent

Technical Stack

Technologies:
JavaScriptjQueryBootstrapReadSpeakerSiteimprove AnalyticsPingdomGoogle Tag ManagerBOOMR (Akamai Boomerang)
Frameworks:
Bootstrap
Performance:

moderate

Mobile:

good

Accessibility:

good

SEO:

good

Security Assessment

Security Score:
85/100
Best Practices:
  • HTTPS enforced
  • Cookie consent mechanism implemented
  • No exposed sensitive data in HTML
  • Use of security and performance monitoring scripts

Analytics & Tracking

Services:
Siteimprove AnalyticsPingdomGoogle Tag ManagerAkamai Boomerang
Tracking Level:moderate
Privacy Compliance:good

Advertising & Marketing

Tracking Pixels:
Siteimprove AnalyticsPingdomAkamai Boomerang
Transparency Level:basic

Website Quality Assessment

Design Quality:excellent
User Experience:excellent
Content Relevance:excellent
Navigation Clarity:excellent
Professionalism:excellent
Trustworthiness:high

Key Observations

1

Official municipal government website for Madrid

🛡️Security Headers

HTTP security headers analysis and recommendations.

Security Headers

HTTP security headers analysis

60/100
Score

Weak Strict-Transport-Security configuration

LOW

Current value: "max-age=15768000"

Missing X-Frame-Options header

HIGH

Prevents clickjacking attacks

Missing Referrer-Policy header

LOW

Controls referrer information sent with requests

Missing Permissions-Policy header

MEDIUM

Controls browser features and APIs

Sensitive data may be cached

LOW

Cache-Control header should include "no-store" for sensitive pages

👤GDPR Compliance

Privacy and data protection assessment under GDPR regulations.

GDPR Compliance

Privacy and data protection assessment

25/100
Score

No Privacy Policy found

HIGH

GDPR requires a clear and accessible privacy policy

No Cookie Consent Banner found

HIGH

GDPR requires explicit consent for non-essential cookies

EU business without adequate privacy measures

CRITICAL

EU businesses are subject to strict GDPR requirements

Third-party services without privacy policy

HIGH

Detected services: Facebook, Twitter, YouTube, Google APIs

GDPR Compliance Analysis

Privacy Policy0% confidence
Cookie Policy85% confidence
Contact Information Found90% confidence
phone

🛡️NIS2 Compliance

Network & Information Security Directive compliance assessment.

NIS2 Compliance

Network & Information Security Directive

17/100
Score

No information security framework found

HIGH

NIS2 requires documented cybersecurity and information security measures

No vulnerability disclosure policy

MEDIUM

NIS2 encourages coordinated vulnerability disclosure

No security policy documentation found

HIGH

NIS2 requires documented cybersecurity governance and risk management

No incident response procedures found

HIGH

NIS2 requires documented incident response and business continuity plans

No business continuity planning found

MEDIUM

NIS2 emphasizes operational resilience and business continuity

No security contact information

HIGH

NIS2 requires clear incident reporting channels

No vulnerability reporting mechanism

MEDIUM

Clear vulnerability reporting supports coordinated disclosure

No NIS2 reference found

LOW

Consider explicitly mentioning NIS2 compliance efforts

📧Email Security

SPF, DKIM, and DMARC validation and email security assessment.

Email Security

SPF, DKIM, and DMARC validation

88/100
Score

Weak DKIM Key

HIGH

DKIM selector 'google' uses 920-bit key

No BIMI Record

LOW

BIMI displays brand logos in email clients

SPF
Sender Policy Framework
DKIM
DomainKeys Identified Mail
DMARC
Domain-based Message Authentication
MX Records
Mail Exchange Records
BIMI
Brand Indicators
MTA-STS
Mail Transfer Agent Security
TLS-RPT
TLS Reporting
DNSSEC
DNS Security
SPF Details
Record:
v=spf1 ip4:195.55.79.41 ip4:195.55.79.42 ip4:195.55.79.43 ip4:195.55.79.44 ip4:195.55.79.49 ip4:195.55.79.20 ip4:195.55.79.21 ip4:195.55.79.22 ip4:195.55.79.23 ip4:195.55.79.24 ip4:195.55.79.25 include:spf.protection.outlook.com include:spf.mailjet.com a:origen2.iam.akamai.c.mad.interhost.com a:origen.iam.akamai.c.mad.interhost.com a:origen3.iam.akamai.c.mad.interhost.com a:origen4.iam.akamai.c.mad.interhost.com include:servers.mcsv.net ip4:54.229.2.165 ip4:52.30.130.201 include:amazonses.com ~all
DNS Lookups:8/10
Policy:~all
DKIM Selectors Found
Selector:google(920-bit rsa)
Selector:k2(1416-bit rsa)
Selector:selector1(1416-bit rsa)
Selector:selector2(1416-bit rsa)
DMARC Details
Policy:reject
Aggregate Reports:7091677fcff6.a@dmarcinput.com
Forensic Reports:7091677fcff6.f@dmarcinput.com
MTA-STS Details
Mode:enforce
Max Age:1 days

🏆SSL/TLS Security

Certificate validity and encryption analysis.

SSL/TLS Security

Certificate validity and encryption analysis

70/100
Score

Weak SSL Key Length

HIGH

SSL certificate uses 256-bit key, which is considered weak

Mixed Content Detected

MEDIUM

5 resources loaded over insecure HTTP

Partial SSL/TLS Assessment

LOW

Completed 2 of 4 security checks due to time constraints

Certificate Details

Subject:*.madrid.es
Issuer:DigiCert Global G3 TLS ECC SHA384 2020 CA1
Valid Until:4/22/2026 (264 days)
SANs:*.madrid.es, madrid.es

OCSP Status

OCSP Stapling Disabled

📊DNS Health

DNS configuration and security assessment.

DNS Health

DNS configuration and security assessment

85/100
Score

DNSSEC Not Enabled

MEDIUM

DNSSEC is not configured for this domain

CAA Records Not Configured

LOW

Certificate Authority Authorization (CAA) records not found

DNS Records

A Records:2.17.100.138, 2.17.100.184
AAAA Records:2a02:26f0:41::215:f0b4, 2a02:26f0:41::215:f0b5
Name Servers:
a1-25.akam.netDNS only
a11-65.akam.netDNS only
a12-67.akam.netDNS only
a26-67.akam.netDNS only
a4-64.akam.netDNS only
a7-65.akam.netDNS only
MX Records:
10: madrid-es.mail.protection.outlook.com
SOA:Serial: 2024013521, TTL: 300s

DNSSEC Status

DNSSEC Not Enabled

DNS Performance

Resolution Time:90ms

SPF Analysis

SPF Record:
v=spf1 ip4:195.55.79.41 ip4:195.55.79.42 ip4:195.55.79.43 ip4:195.55.79.44 ip4:195.55.79.49 ip4:195.55.79.20 ip4:195.55.79.21 ip4:195.55.79.22 ip4:195.55.79.23 ip4:195.55.79.24 ip4:195.55.79.25 include:spf.protection.outlook.com include:spf.mailjet.com a:origen2.iam.akamai.c.mad.interhost.com a:origen.iam.akamai.c.mad.interhost.com a:origen3.iam.akamai.c.mad.interhost.com a:origen4.iam.akamai.c.mad.interhost.com include:servers.mcsv.net ip4:54.229.2.165 ip4:52.30.130.201 include:amazonses.com ~all

Network Security

Port scanning and network exposure analysis.

Network Security

Port scanning and network exposure analysis

100/100
Score

Good Network Security Posture

LOW

No unnecessary services detected on common risky ports

🔧Technical Analysis

Detailed technical findings and analysis from AI assessment.

Technical Analysis

Comprehensive security assessment findings

Additional Findings

The website is built on a modern and robust technical infrastructure leveraging Bootstrap for responsive design and jQuery for dynamic content. It integrates accessibility tools like ReadSpeaker and performance monitoring via Siteimprove Analytics and Pingdom. Hosting appears to be supported by Akamai's CDN services, ensuring scalability and reliability. The site demonstrates good mobile optimization and accessibility compliance. SEO is well addressed through appropriate meta tags and structured navigation. Technical debt appears minimal, though improvements in security header implementation and formal documentation could further enhance the platform's resilience and maintainability.
Analyze Another Website