Website Security & Quality Scanner
Passive scans only · 40+ checks

Ship fast. Stay secure.

Scan any URL for exposed secrets, security headers, DNS issues, dangerous code patterns, SEO, accessibility, and more. No signup required.


Passive checks only · No data stored on our servers · Only publicly visible information

Sources consulted during a scan: Safe Browsing, HIBP, PageSpeed, SSL Labs, Google DNS, Cloudflare DNS, Shodan, SecurityHeaders, Mozilla Observatory, URLScan.io

🔒 SSL / TLS: certificate validity, TLS version, HSTS
  • HTTPS enforced
  • Certificate expiry date
  • HSTS header & max-age
🛡️ Security Headers: CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Content-Security-Policy
  • X-Frame-Options
  • Referrer-Policy
  • Permissions-Policy
  • X-Content-Type-Options
🔍 DNS & Email: SPF, DMARC, DNSSEC, MX records
  • SPF record present & valid
  • DMARC policy (none/quarantine/reject)
  • DNSSEC signing
  • MX records configured
🕵️ Exposed Secrets: API keys and tokens in public JS
  • AWS, Google, Stripe API keys
  • GitHub tokens (ghp_)
  • Generic bearer tokens
  • Private key patterns
📂 Exposed Files: .env, .git, configs, backups
  • /.env publicly accessible
  • /.git directory exposed
  • robots.txt path disclosure
  • Sitemap structure
⚠️ Code Issues: dangerous JS patterns in source
  • eval() usage
  • document.write()
  • innerHTML assignments
  • Inline event handlers
📝 Form Protection: CSRF tokens in forms
  • Hidden CSRF token fields
  • Forms over HTTPS
  • autocomplete on sensitive fields
🔑 API Endpoints: Swagger, GraphQL, debug routes
  • /swagger-ui exposed
  • /graphql introspection
  • /debug, /admin, /actuator
🍪 Cookies: HttpOnly, Secure, SameSite flags
  • HttpOnly prevents JS access
  • Secure flag enforces HTTPS
  • SameSite prevents CSRF
Performance: load time, compression, redirects
  • Time to first byte (TTFB)
  • Gzip/Brotli compression
  • Redirect chain length
  • Page asset count & size
🔎 SEO Basics: title, meta description, headings
  • Title tag present & length
  • Meta description quality
  • H1 tag structure
  • Canonical URL
Accessibility: alt text, labels, ARIA
  • Images with missing alt text
  • Form inputs without labels
  • Buttons without text/aria-label
  • Language attribute on html tag
🦠 Reputation: VirusTotal malware & blacklists
  • 90+ AV engine scan results
  • Community reputation votes
  • Domain category classification
  • Requires free API key
📦 Technologies: CMS, framework & version disclosure
  • WordPress detection
  • Server header version leak
  • X-Powered-By disclosure
Is this a full security audit?
No — it's a quick passive scan, not a formal penetration test or audit. We check what's publicly visible from your URL: exposed secrets, headers, sensitive paths, cookies, SSL certificates, CORS policy, debug endpoints, and dangerous JavaScript patterns. Think of it as a first line of defense, not a comprehensive assessment.
Do I need to give you access to my repository?
No. The scan works with just your URL. We only check what's publicly accessible — the same things any browser or attacker would see. No credentials, no repo access, no server login required.
Is it safe to run on a production site?
Yes. All checks are passive. We don't attempt exploits, brute-force anything, or try to authenticate. We fetch public resources exactly the way a browser would. Running a scan generates a small number of HTTP requests — equivalent to a single page visit.
Do you store my results?
Scan results are processed entirely in your browser. Nothing is sent to our servers. Your URL and findings stay on your device. The VirusTotal API key you save is stored only in your browser's local storage.
Does this work for AI-generated or vibe-coded apps?
Yes, and it works just as well for human-written code. If you shipped fast and want to ship safer, this is for you. AI-generated code often skips security defaults (missing CSRF tokens, no CSP headers, eval() usage), and this scanner catches exactly those patterns.
Will you fix the issues too?
Every finding includes a specific fix recommendation with code snippets you can apply immediately. For complex issues, we link to the relevant documentation so you know exactly what to do next.
What is the VirusTotal API key for?
VirusTotal scans your domain against 90+ antivirus and security engines. It tells you if your domain has been flagged for malware, phishing, or is on any blacklist. The free API key allows 4 requests per minute. You can get one at virustotal.com — it takes under a minute to sign up.
Some results say "estimated" — what does that mean?
Checks marked "live" use real data fetched directly from your site (DNS records, HTTP headers, response timing). Checks marked "estimated" are based on patterns and heuristics because the browser's security model prevents direct inspection — for example, cookie flags can only be read server-side. A backend proxy would enable full live checks for all findings.
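The Security Headers, Cookies and Technologies checks listed above depend on the raw response headers, which is why cookie flags can only be verified from a server-side proxy. The following is an added example (not the scanner's own code) of those checks run over a constructed set of headers as a proxy would see them; the one-year HSTS threshold and treating 'unsafe-inline' in the CSP as a failure are assumed criteria, not the scanner's.

```python
import re
# Constructed sample headers (not captured from any real site); Set-Cookie repeats, hence pairs, not a dict.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Server", "nginx/1.18.0"),
    ("X-Powered-By", "Express"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "tracker=xyz; Path=/"),
]
HSTS_MIN_AGE = 31536000  # assumed threshold: one year, the usual recommendation

def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].split("=", 1)[0], attrs

def audit(headers):
    """Map each passive check to (passed, detail) using only the response headers."""
    h, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            h[name.lower()] = value
    f = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    age = int(m.group(1)) if m else 0
    f["hsts"] = (age >= HSTS_MIN_AGE, f"max-age={age}")
    csp = h.get("content-security-policy", "")
    f["csp"] = (bool(csp) and "'unsafe-inline'" not in csp, csp or "missing")
    for hdr, good in (("x-frame-options", {"DENY", "SAMEORIGIN"}), ("x-content-type-options", {"NOSNIFF"})):
        f[hdr] = (h.get(hdr, "").upper() in good, h.get(hdr, "missing"))
    for hdr in ("referrer-policy", "permissions-policy"):
        f[hdr] = (hdr in h, h.get(hdr, "missing"))
    # Version disclosure: "nginx/1.18.0" or any X-Powered-By value reveals the stack.
    f["server-version"] = (not re.search(r"/\d", h.get("server", "")), h.get("server", "absent"))
    f["x-powered-by"] = ("x-powered-by" not in h, h.get("x-powered-by", "absent"))
    for raw in cookies:
        name, attrs = parse_cookie(raw)
        ok = "httponly" in attrs and "secure" in attrs and attrs.get("samesite", "").lower() in ("lax", "strict")
        f[f"cookie:{name}"] = (ok, ", ".join(sorted(attrs)) or "no attributes")
    return f
```

On the sample above the audit flags the short HSTS max-age, the 'unsafe-inline' CSP, the missing Referrer-Policy and Permissions-Policy, both version leaks, and the tracker cookie that lacks every protective flag.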