Free website security scanner
A fast, passive review of your configuration: HTTPS, security headers, cookies and server exposure. You get the result in seconds — and we store nothing.
The scanner only makes passive, non-invasive requests. It does not test exploits or interfere with the target.
What the scanner checks
Passive, public signals that make up a first assessment of your security hygiene.
Encryption & headers
HTTPS, HSTS, CSP (with quality grading), X-Frame-Options, X-Content-Type-Options: nosniff, Referrer-Policy and Permissions-Policy.
TLS certificate
Expiry date and issuer from Certificate Transparency logs.
CORS & mixed content
Permissive Access-Control-Allow-Origin and resources loaded over HTTP on an HTTPS page.
Email security
SPF (with strength grading), DMARC, DKIM, MTA-STS, TLS-RPT and MX records.
DNS
DNSSEC and CAA records.
File exposure
Detecting publicly accessible .git, .env and server-status paths (with false-positive protection).
Subdomains
Mapping the attack surface from Certificate Transparency logs (crt.sh).
Technologies & vulnerabilities
Fingerprinting the server and CMS, plus known vulnerabilities in JS library versions.
Cookies & server
Secure, HttpOnly, SameSite flags and version leaks in Server and X-Powered-By headers.
HTTP methods
Detecting risky methods (TRACE, PUT, DELETE).
Email exposure
Email addresses in the page code exposed to scraping.
Score & recommendations
A 0–100 score, an A–F grade and concrete fixes.
Learn more about scanning
Guides that help you understand the result and get the most out of it.
What the scanner checks and how it works
Every scanner test explained step by step — from HTTPS to Certificate Transparency.
How to read your scan result
What the grade, risk level and individual gaps mean — and how to fix them.
OSINT: what attackers see
What information about your company is publicly available and how it gets used.
Frequently asked questions
Do you store scan results?
No. The scanner is fully stateless — we keep no addresses, results or logs. Every scan is independent and gone once you leave the page.
Is this a penetration test?
No. It is a passive configuration review (HTTP headers, cookies, public paths) — no exploits, no interference with the target. Only a manual penetration test gives the full picture.
Can I scan any website?
The scanner only requests publicly available, non-invasive information. Local and private addresses (localhost, internal networks, metadata IPs) are blocked.
What do the score and grade mean?
The score starts at 100 and drops for missing protections. The letter (A–F) and risk level (low/medium/high) are a shorthand to help prioritise — not a substitute for an audit.
A scan is only the start
A passive scanner shows the tip of the iceberg. A manual penetration test and application audit give the full risk picture.