A quiet look at your site’s security posture.
A server-side scanner that reads transport, headers, cookies, and common exposures the way a browser would — with platform fingerprinting and platform-specific checks when WordPress, Next.js, or other stacks are detected. We do not log URLs or store reports.
The scan runs from our server.
About this scanner
Honest about what a browser can and cannot see.
What we test
Transport (HTTPS, redirects, HSTS, mixed content), full header set (CSP, frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, CORS), Set-Cookie flags (Secure, HttpOnly, SameSite), version disclosure, security.txt, robots.txt hygiene, open redirects, and exposure probes (.git, .env, .DS_Store, phpinfo, config backups). Platform-specific checks for WordPress and Next.js when detected.
What we cannot test
Anything requiring authenticated access — SQL injection, XSS payloads on protected endpoints, business-logic flaws, file integrity, or behaviour behind login. Detection is fingerprint-based; very obscure stacks may register as ‘Not identified’.
How we score
Severity-weighted across ~28 checks, mapped to an A+ through F grade. Critical and High findings drag harder than Low and Info. A high grade is a starting point for the surface a browser can see — not a clean bill of health.
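To make the header, cookie and scoring checks above concrete, here is an added example (not the scanner's own code) that runs a minimal form of them over a constructed set of response headers; the severity weights, the one-year HSTS threshold and the letter-grade cut-offs are assumptions for illustration, not the scanner's actual scoring.

```python
# Added example, not the scanner's own code: a minimal form of the header and
# Set-Cookie checks listed above. Weights and grade cut-offs are assumptions.
import re

WEIGHTS = {"Critical": 30, "High": 15, "Medium": 8, "Low": 3, "Info": 0}

def check_headers(headers):
    """Return (severity, message) findings; `headers` maps name -> list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    first = lambda name: h.get(name, [""])[0]
    findings = []
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    if not m:
        findings.append(("High", "HSTS missing"))
    elif int(m.group(1)) < 31536000:
        findings.append(("Low", "HSTS max-age below one year"))
    csp = first("content-security-policy")
    if not csp:
        findings.append(("High", "CSP missing"))
    elif "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("Medium", "no frame-ancestors or X-Frame-Options"))
    if first("x-content-type-options").lower() != "nosniff":
        findings.append(("Low", "X-Content-Type-Options nosniff missing"))
    if "referrer-policy" not in h:
        findings.append(("Low", "Referrer-Policy missing"))
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", first(name)):
            findings.append(("Info", f"version disclosed in {name}"))
    for cookie in h.get("set-cookie", []):  # one finding per missing flag
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag, sev in (("secure", "Medium"), ("httponly", "Medium"), ("samesite", "Low")):
            if flag not in attrs:
                findings.append((sev, f"cookie {cname} lacks {flag}"))
    return findings

def grade(findings):
    """Severity-weighted score mapped to a letter grade (thresholds assumed)."""
    score = max(0, 100 - sum(WEIGHTS[s] for s, _ in findings))
    for cutoff, letter in ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D")):
        if score >= cutoff:
            return letter
    return "F"

# Constructed sample response headers, not captured from any real site.
SAMPLE = {"Strict-Transport-Security": ["max-age=300"],
          "Content-Security-Policy": ["default-src 'self'"],
          "X-Powered-By": ["PHP/8.1.2"],
          "Set-Cookie": ["session=abc; Path=/; HttpOnly", "theme=dark; Secure; SameSite=Lax"]}
```

Calling `grade(check_headers(SAMPLE))` on the constructed headers yields eight findings and a C, which shows how a site with HSTS and a CSP in place can still lose most of its score to cookie flags and a short max-age.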
Need more
For a real audit, we’ll do it by hand.
Browser checks are a useful surface signal. A proper engagement looks at code, infrastructure, authentication, business logic, dependency hygiene, and how the team operates. We do that work as a service.