
Website security scan.

40+ checks, 80+ probes across the OWASP Top 10 — email authentication, domain security records, HTTP headers (incl. CORP, COOP, COEP), TLS certificate, exposed sensitive paths, WAF detection, AI bot protection, privacy policy check, and more. No exploitation. No login.

SPF · DKIM · DMARC · DNSSEC · CAA · MTA-STS · CSP · HSTS · XFO · CORP · COOP · COEP · TLS · paths · WAF · AI bots · privacy

Frequently asked questions

What does the website security scan check?
40+ checks across five areas: email authentication (SPF, DKIM, DMARC), domain security records (DNSSEC, CAA, MTA-STS, TLS-RPT, BIMI), HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, COOP, COEP), TLS certificate health and redirect chain, and website exposure checks (sensitive paths, WAF detection, AI bot protection, privacy policy, security.txt). Results are scored with a letter grade.
Is this a passive scan — does it exploit vulnerabilities?
Fully passive. The scan reads publicly observable configuration — DNS records, HTTP headers, TLS certificates, and responses to standard requests. It does not attempt exploitation, authentication bypass, injection attacks, or any technique that touches your application logic. Everything the scan sees is what any browser or mail server would see making normal requests.
What is the difference between this free scan and the Security Health Check?
This free scan covers externally observable signals automatically. The Security Health Check (AUD $2,500) is a human-conducted audit that goes deeper: manual SPF analysis, plugin CVE matching against your installed versions, open port scanning, subdomain exposure review, and a written findings report with severity ratings and a prioritised fix list, plus a 30-minute walkthrough call and 90-day follow-up access.
How often should I run this scan?
Run it whenever you make infrastructure changes (DNS updates, new mail provider, SSL certificate renewal, website deployment) and as a periodic baseline every 3–6 months. Email authentication configuration drifts silently — DKIM keys rotate, DMARC reporting addresses go stale, and SPF includes accumulate past the 10-lookup limit without anyone noticing.
Why does my domain score lower than expected?
The most common reasons are: DMARC stuck at p=none (monitoring only, not enforcing); no HSTS header or short max-age; missing or weak Content-Security-Policy; no CAA record; DNSSEC not enabled; or missing MTA-STS. These are configuration gaps, not active compromises — most can be addressed in under an hour once you know they exist.
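The two answers above name three configuration gaps that are easy to check offline from records you already hold: an SPF chain that has drifted past the 10-lookup limit of RFC 7208, a DMARC record still at p=none, and an HSTS header that is absent or carries a short max-age. The following Python is an added example written for this page; it is not the scan tool's own code. The domains, DNS records and header values are constructed, and the one-year HSTS threshold (31536000 seconds, the hstspreload.org minimum) is an assumption, since the page says only "short max-age" without a number.

```python
import re

# RFC 7208 section 4.6.4: include, a, mx, ptr, exists and redirect each cost
# one DNS lookup, and a record tree that needs more than 10 is a permerror.
SPF_LOOKUP_LIMIT = 10
# Assumed threshold for "short max-age": one year, the hstspreload.org minimum.
HSTS_MIN_AGE = 31536000

# Constructed TXT records keyed by the name they would be published at.
SPF_RECORDS = {
    "good.test": "v=spf1 include:_spf.mail-a.test mx -all",
    "drifted.test": "v=spf1 include:_spf.mail-a.test include:_spf.mail-b.test "
                    "include:_spf.crm.test a mx ptr -all",
    "_spf.mail-a.test": "v=spf1 ip4:192.0.2.0/24 a ~all",
    "_spf.mail-b.test": "v=spf1 include:_b1.mail-b.test include:_b2.mail-b.test ~all",
    "_b1.mail-b.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b2.mail-b.test": "v=spf1 a mx -all",
    "_spf.crm.test": "v=spf1 redirect=_spf.crm-backend.test",
    "_spf.crm-backend.test": "v=spf1 a -all",
}
DMARC_RECORDS = {
    "_dmarc.good.test": "v=DMARC1; p=reject; rua=mailto:dmarc@good.test",
    "_dmarc.drifted.test": "v=DMARC1; p=none; rua=mailto:reports@drifted.test",
}
# Constructed Strict-Transport-Security header values as a browser would see them.
HSTS_HEADERS = {
    "good.test": "max-age=63072000; includeSubDomains; preload",
    "drifted.test": "max-age=300",
}


def count_spf_lookups(domain, records, path=()):
    """Count DNS-querying terms reachable from domain's SPF record.

    Repeated includes are counted each time they are evaluated, as a real
    resolver would; `path` only guards against include/redirect loops.
    """
    if domain in path:
        return 0
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier, if any
        if "=" in term:                        # modifier: redirect= or exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_spf_lookups(target, records, path + (domain,))
            continue
        name, _, target = term.partition(":")  # mechanism, e.g. include:, a:, ip4:
        name = name.split("/")[0].lower()      # "a/24" -> "a"
        if name == "include":
            total += 1 + count_spf_lookups(target, records, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is missing/invalid."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" and "p" in tags else None


def hsts_max_age(header_value):
    """Return the max-age directive of an HSTS header as an int, or None."""
    if header_value is None:
        return None
    match = re.search(r'max-age\s*=\s*"?(\d+)', header_value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def assess(domain, spf_records, dmarc_records, hsts_headers):
    """Return a list of finding codes for the gaps the page lists as common."""
    findings = []
    lookups = count_spf_lookups(domain, spf_records)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"spf-lookups:{lookups}")
    tags = parse_dmarc(dmarc_records.get("_dmarc." + domain))
    if tags is None:
        findings.append("dmarc-missing")
    elif tags["p"].lower() == "none":
        findings.append("dmarc-p-none")          # monitoring only, not enforcing
    age = hsts_max_age(hsts_headers.get(domain))
    if age is None:
        findings.append("hsts-missing")
    elif age < HSTS_MIN_AGE:
        findings.append(f"hsts-short-max-age:{age}")
    return findings


if __name__ == "__main__":
    for name in ("good.test", "drifted.test"):
        print(name, assess(name, SPF_RECORDS, DMARC_RECORDS, HSTS_HEADERS) or "no findings")
```

Against the constructed data, good.test needs 3 lookups and produces no findings, while drifted.test reaches 13 lookups through its nested includes and redirect, is still at p=none, and sends a 300-second HSTS max-age. To run the same checks against live data, resolve the TXT records with your resolver of choice and pass the results in the same dict shape; the counting logic does not change.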