Security scanning you can actually read
Passive security analysis of your live site — SSL, headers, DNS, known vulnerabilities, and reputation. AI turns raw findings into plain-English reports with fix instructions.
Verify ownership
Place a token file or DNS TXT record to prove you own the domain. We never scan without permission.
Passive scan
15 modules check SSL, headers, DNS, cookies, CORS, open ports, exposed files, subdomains, email auth, and more. No active exploitation.
AI report
Claude reads the raw findings and writes a report your clients can understand, with prioritized fix instructions.
What URLSiege checks — for free
7 security modules run on every free scan. No credit card, no trial period. Pro unlocks 8 more scanners, an AI-narrated report, and a free verification re-scan.
HTTP Security Headers Check
Tests for 6 critical headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Missing headers leave your site open to XSS, clickjacking, and man-in-the-middle attacks. Also checks for browser fingerprinting scripts and HTTP-to-HTTPS redirect quality.
DNS Configuration Audit
Checks SPF and DMARC records that prevent email spoofing, CAA records that control who can issue SSL certificates for your domain, nameserver redundancy, and MX record configuration. Missing SPF/DMARC means anyone can send emails pretending to be your company.
Cookie Security Analysis
Inspects every cookie your site sets for Secure, HttpOnly, and SameSite flags. Missing flags let attackers steal session cookies via XSS (no HttpOnly), intercept them over HTTP (no Secure), or forge cross-site requests (no SameSite).
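An added example, not URLSiege code, of how the header and cookie checks described above can be expressed in a few lines: it lists which of the six headers are absent and which of the three cookie attributes each Set-Cookie line lacks. The response headers and cookie lines are constructed, not captured from a live site.

```python
# Added example (not URLSiege code): passive checks for the six response headers
# and the three cookie attributes named above, run over a constructed response.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def missing_security_headers(headers):
    """Return the required headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def cookie_flag_gaps(set_cookie_lines):
    """Map each cookie name to the attributes it lacks; fully flagged cookies are omitted."""
    gaps = {}
    for line in set_cookie_lines:
        name_value, _, attributes = line.partition(";")
        name = name_value.split("=", 1)[0].strip()
        # Only attribute presence is checked; SameSite=Lax, Strict and None all count as set.
        attr_names = {a.strip().split("=", 1)[0].lower()
                      for a in attributes.split(";") if a.strip()}
        missing = [f for f in COOKIE_FLAGS if f.lower() not in attr_names]
        if missing:
            gaps[name] = missing
    return gaps


# Constructed response: a site that set HSTS and nosniff but nothing else,
# and a session cookie that is readable by script and sent over plain HTTP.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print("missing headers:", missing_security_headers(SAMPLE_HEADERS))
    print("cookie gaps:", cookie_flag_gaps(SAMPLE_SET_COOKIE))
```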
CORS Misconfiguration Test
Tests your Cross-Origin Resource Sharing policy by sending requests from fake origins. Detects wildcard Access-Control-Allow-Origin, reflected origins, and null origin acceptance — misconfigurations that let attacker websites read your API responses and steal user data.
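An added example, not URLSiege code, of the classification step behind the CORS test above: given the Origin a probe sent and the headers that came back, it labels the response as wildcard, reflected, or null-origin, and notes when credentials are allowed as well. The attacker origin and the reflecting server below are constructed stand-ins, not real endpoints.

```python
# Added example (not URLSiege code): classify the CORS response to one probe.
# The probe origins and the response headers below are constructed, not captured.
ATTACKER_ORIGIN = "https://attacker.example"   # hypothetical foreign origin used by the probe


def classify_cors(origin_sent, response_headers):
    """Return the labels triggered by one probe: wildcard, reflected, null-origin, credentialed."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings          # no CORS header: browsers block the cross-origin read
    if acao == "*":
        findings.append("wildcard")
    elif acao == "null" and origin_sent == "null":
        findings.append("null-origin")
    elif acao == origin_sent:
        findings.append("reflected")
    # Browsers refuse "*" together with credentials, so only reflected or null
    # responses can expose authenticated data.
    if creds and findings and acao != "*":
        findings.append("credentialed")
    return findings


def fake_reflecting_server(origin):
    """Constructed stand-in for a server that echoes any Origin and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def run_probes(responder, probes=(ATTACKER_ORIGIN, "null")):
    """Send each probe origin to responder() and keep the non-empty classifications."""
    results = {}
    for origin in probes:
        labels = classify_cors(origin, responder(origin))
        if labels:
            results[origin] = labels
    return results


if __name__ == "__main__":
    for origin, labels in run_probes(fake_reflecting_server).items():
        print(origin, "->", ", ".join(labels))
```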
Information Leakage Scanner
Checks 60+ paths attackers try first: .env files, .git repositories, database dumps, phpinfo pages, backup archives, exposed admin panels, error pages that reveal stack traces, source maps, API keys in HTML, and exposed emails, phone numbers, and executive contact details that enable phishing attacks.
Technology Fingerprinting
Detects your web server (Apache, Nginx, IIS), programming language (PHP, Node.js, Python), CMS (WordPress, Drupal, Joomla), JavaScript frameworks (React, Vue, Angular, jQuery), and their versions. Exposed versions tell attackers exactly which CVEs to exploit.
Domain Reputation Check
Queries Google Safe Browsing to check if your domain is flagged for malware, phishing, or unwanted software. A flagged domain means Chrome shows a full-page warning to your visitors — destroying trust instantly.
SSL/TLS Deep Analysis
Full SSL Labs assessment: certificate chain validation, expiration monitoring, protocol support (TLS 1.2+), cipher suite strength, and known vulnerabilities like Heartbleed, POODLE, FREAK, and Logjam. Grade A+ to F.
Open Port Scanner
Checks 12 ports that should never be exposed: MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017), Elasticsearch (9200), FTP (21), SSH (22), and more. An exposed database port is a direct path to your data.
Known Vulnerability Lookup (CVE)
Cross-references detected technologies and versions against the National Vulnerability Database (NVD) and OSV.dev. Finds specific CVEs with severity ratings — for example, 'jQuery 3.4.1 has CVE-2020-11023 (XSS via HTML injection)'.
Form Security & CSRF Analysis
Finds HTML forms on your site and checks for missing CSRF tokens, password fields without proper autocomplete attributes, forms submitting over HTTP instead of HTTPS, and suspicious hidden fields that could enable path traversal attacks.
Authentication & Bot Protection
Tests login pages for user enumeration (different error messages for 'wrong email' vs 'wrong password'), missing rate limiting on login attempts, and absence of bot protection. Also checks if your site serves full content to known scrapers like python-requests and Scrapy.
Domain Exposure & WHOIS Intelligence
Resolves your IP, identifies your hosting provider via reverse DNS, checks WHOIS privacy status, discovers subdomains (admin, staging, dev, database), tests for DNS zone transfer vulnerabilities, and scans for publicly accessible document directories with indexed PDFs, spreadsheets, and database exports.
Subdomain Enumeration & Probing
Discovers subdomains via Certificate Transparency logs and DNS brute-forcing with 80+ common prefixes. Then probes each discovered subdomain for missing security headers, HTTP-only access, server version leaks, and exposed admin panels. Finds the forgotten staging.yourdomain.com that has no security.
Email Authentication Audit (SPF/DKIM/DMARC)
Deep analysis of your email authentication chain. Parses SPF mechanism strength and DNS lookup count, discovers DKIM selectors across 20+ providers and checks key size, scores DMARC policy (none/quarantine/reject), alignment mode, and reporting configuration. Flags the gaps that let attackers send phishing emails from your domain.
Pro Report includes
- ✓ All 15 scanner modules — 8 more than the free scan
- ✓ AI-written report with hosting-specific fix instructions and code snippets
- ✓ PDF export — send it to your client or your team
- ✓ Free verification re-scan after you implement the fixes — prove your improvements