00 Free tool · Security

We run a passive security scan — SSL/TLS, security headers, cookies, CORS, known-vulnerable components, technology and DNS/email protection — and give you a clear grade with what to fix. No attacks, no sign-up hassle.

Passive surface scan (not a penetration test). We only inspect what your site reveals through a normal request, a TLS handshake and DNS — no exploitation.

01 What we check

Everything below is detected from a normal page load, a TLS handshake and public DNS records.

01 SSL/TLS & certificate

Expiry, trust chain, hostname match, protocol version and HTTP→HTTPS enforcement.

02 Security headers

CSP quality, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-/Permissions-Policy.

03 Known vulnerabilities

Outdated JS libraries (jQuery, Bootstrap…) matched against known CVEs, plus cookies & CORS.

04 DNS & email spoofing

SPF, DMARC policy, DNSSEC and CAA — and a check for exposed .git / .env files.

Why security matters

Checks performed: 40+
Cost to scan: 0
Passive & safe: 100%
Average scan time: 30 sec.

02 How it works

01 Enter your address

Paste any website URL. We scan only what is publicly reachable.

02 We inspect passively

One page load, a TLS handshake and DNS lookups — never an attack.

03 Fix what matters

A 0–100 score, an A–F grade and findings sorted by severity, each with a fix.

03 FAQ

A security audit checks how well your website is protected against the most common web threats: whether the SSL/TLS certificate is configured correctly, whether protective HTTP headers are present, whether cookies are secure, whether outdated libraries with known vulnerabilities (CVEs) are in use, and whether sensitive server information is being exposed. You get an overall score (0–100 and an A–F grade) and a clear list of what to fix.
No. This is a passive, surface-level analysis — we only inspect what the website reveals through a normal request, a TLS handshake and DNS records. We do not run any attacks, crack passwords, scan ports or attempt to exploit anything. A real penetration test is a separate, scoped engagement we agree with you in advance.
Yes. The analysis is harmless — it is equivalent to a single ordinary visit to your website. That said, we recommend only scanning sites you own or are authorised to test.
An SSL/TLS certificate provides an encrypted connection (https). HSTS forces the browser to always connect securely. CSP (Content-Security-Policy) protects against malicious code injection (XSS). These protective HTTP headers are a simple but very important security layer — the audit shows which are missing and how to enable them.
Most websites use public JavaScript libraries (e.g. jQuery, Bootstrap). Older versions of them have publicly known security flaws, tracked with CVE identifiers. The audit detects the libraries and versions you use and compares them against a database of known vulnerabilities, so you can see what needs updating.
An automated audit quickly catches the most common misconfigurations and outdated components, so it is an excellent first step. However, it does not replace a thorough manual review or a penetration test, which also examine application logic, access control and other things that cannot be detected automatically. If serious issues are found, we can help you fix them.
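
The header checks described in the answer on HSTS and CSP above can be reproduced offline on any captured response. The following Python is an added example, not the scanner's own code; the two header sets are constructed, and the 180-day HSTS threshold and the finding names are assumptions.

```python
import re
# Headers from the page's "Security headers" check list, lower-cased.
EXPECTED = ("strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")
MIN_HSTS_AGE = 15552000  # 180 days: assumed threshold, not the scanner's
BROAD = {"*", "http:", "https:", "data:"}
PINNED = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def audit_headers(headers):
    """Return findings for one response's headers (names are illustrative)."""
    h = {k.lower(): v for k, v in headers.items()}
    policy = parse_csp(h.get("content-security-policy", ""))
    findings = []
    for name in EXPECTED:
        # CSP frame-ancestors covers framing, so X-Frame-Options is optional.
        covered = name == "x-frame-options" and "frame-ancestors" in policy
        if name not in h and not covered:
            findings.append(f"missing {name}")
    if "strict-transport-security" in h:
        m = re.search(r'max-age\s*=\s*"?(\d+)', h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts max-age too short")
    if "content-security-policy" in h:
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("csp does not restrict scripts")
        # Browsers ignore 'unsafe-inline' when a nonce or hash is listed.
        elif "'unsafe-inline'" in scripts and not any(s.startswith(PINNED) for s in scripts):
            findings.append("csp allows inline scripts")
        if BROAD & set(scripts or []):
            findings.append("csp script source too broad")
    return findings

# Constructed sample responses, not taken from any real site.
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "geolocation=()"}
```

`audit_headers(WEAK)` reports the missing headers plus the short HSTS lifetime and the permissive script sources, while `audit_headers(HARDENED)` returns an empty list.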

Want the full performance picture too?

Our website audit measures speed, SEO and Core Web Vitals — a complete health check alongside this security scan.
