Free website security scanner — check in seconds
We launched a free, stateless website security scanner. It checks HTTPS, headers, cookies, SPF/DMARC and more — with no data stored. See what it can do.
Most site owners don’t know what their website looks like from an attacker’s perspective — until it’s too late. That’s why we’ve released a free website security scanner: you enter a domain and within seconds get a clear report with a score, a list of issues and concrete recommendations. No registration, no payment and — crucially for us — no storing of any data. This post explains what the scanner checks, how it works and how to get the most out of it.
What the Breachroad scanner is
It’s a tool for a passive review of the security configuration of any public website. “Passive” means the scanner only queries publicly available, non-invasive information — it doesn’t perform attacks, doesn’t test exploits and doesn’t interfere with the target in any way. It’s the equivalent of a quick screening: in seconds it shows the most common gaps and gives a starting point for fixing them.
You’ll find it at breachroad.com/en/scan. Enter a domain (e.g. yourcompany.com), click “Run scan” and a moment later you see the report.
What exactly it checks
The scanner combines a dozen or so checks into one report:
- Encryption and transport — whether the site enforces HTTPS and redirects HTTP traffic, and whether HSTS is set.
- Security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. This layer protects users against XSS attacks and clickjacking.
- Cookies — whether the Secure, HttpOnly and SameSite flags are set.
- Email security — SPF, DKIM, DMARC and MX records, i.e. protection against your domain being spoofed in email.
- DNS hygiene — DNSSEC and CAA records.
- Server and file exposure — whether response headers leak software versions and whether sensitive files (e.g. .git, .env) are publicly accessible, with false-positive protection.
- Library vulnerabilities — detecting outdated versions of popular JS libraries with known CVEs.
- Technologies and subdomains — fingerprinting the technology stack and mapping subdomains from public Certificate Transparency logs.
- Email address exposure and public paths (robots.txt, sitemap.xml, security.txt).
At the end the scanner produces a 0–100 score, an A–F grade and a risk level, plus a list of top issues and recommendations.
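To make the header, cookie and email checks above (and the "start at 100, subtract per missing protection" scoring) concrete, here is an added example of the same kind of passive evaluation applied to a constructed response. It is not Breachroad's code and does not reproduce the scanner's real rules: the penalty weights, grade thresholds and the digit-in-Server-header heuristic are illustrative assumptions, and the input is a hand-written header dict and DNS TXT strings rather than live network traffic, so it runs offline.

```python
"""Passive security-configuration check (added example, not Breachroad's code).

Evaluates constructed HTTP response headers, Set-Cookie values and DNS TXT
records for the protections a passive scanner looks at, then derives a
0-100 score. Weights, grade cut-offs and heuristics are illustrative only.
"""

# Security headers to look for, with an assumed penalty when each is absent.
HEADER_PENALTIES = {
    "strict-transport-security": 15,
    "content-security-policy": 15,
    "x-frame-options": 5,
    "x-content-type-options": 5,
    "referrer-policy": 5,
    "permissions-policy": 5,
}

# Cookie attributes to look for, with an assumed penalty per missing flag.
COOKIE_PENALTIES = {"secure": 5, "httponly": 5, "samesite": 5}

# Headers that commonly reveal the server software version.
VERSION_LEAK_HEADERS = ("server", "x-powered-by")


def check_headers(headers):
    """Return security headers absent from a response-header dict (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in HEADER_PENALTIES if h not in present]


def check_cookies(set_cookie_values):
    """For each Set-Cookie value, return (cookie_name, [missing flags])."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; drop values such as SameSite=Lax.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in COOKIE_PENALTIES if flag not in attrs]
        findings.append((name, missing))
    return findings


def check_version_leaks(headers):
    """Return header names whose value contains a digit (crude version-leak heuristic)."""
    return [k for k, v in headers.items()
            if k.lower() in VERSION_LEAK_HEADERS and any(ch.isdigit() for ch in v)]


def check_email_records(txt_records):
    """Return SPF/DMARC issues found in a list of DNS TXT strings."""
    issues = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not spf:
        issues.append("no SPF record")
    elif not any(tok in ("-all", "~all") for tok in spf[0].split()):
        issues.append("SPF does not end with -all or ~all")
    if not dmarc:
        issues.append("no DMARC record")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none").strip().lower() == "none":
            issues.append("DMARC policy is p=none (monitor only)")
    return issues


def score_site(headers, set_cookie_values, txt_records):
    """Start at 100 and subtract per finding; return score, letter grade and findings."""
    score, findings = 100, []
    for h in check_headers(headers):
        score -= HEADER_PENALTIES[h]
        findings.append(f"missing header: {h}")
    for name, missing in check_cookies(set_cookie_values):
        for flag in missing:
            score -= COOKIE_PENALTIES[flag]
            findings.append(f"cookie {name} lacks {flag}")
    for h in check_version_leaks(headers):
        score -= 5
        findings.append(f"header {h} leaks a version string")
    for issue in check_email_records(txt_records):
        score -= 10
        findings.append(issue)
    score = max(score, 0)
    grade = ("A" if score >= 90 else "B" if score >= 75 else
             "C" if score >= 60 else "D" if score >= 40 else "F")  # assumed cut-offs
    return {"score": score, "grade": grade, "findings": findings}


# Constructed sample input: a site with a few typical configuration gaps.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "nginx/1.18.0",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "prefs=dark; Path=/; Secure; SameSite=Lax"]
SAMPLE_TXT = ["v=spf1 include:_spf.example.net ~all",
              "v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    report = score_site(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_TXT)
    print(report["score"], report["grade"])
    for finding in report["findings"]:
        print("-", finding)
```

On the sample input the three missing headers, three missing cookie flags, the version string in Server and the monitor-only DMARC policy bring the score from 100 down to 55, which is the kind of result a site owner then works through finding by finding. Every check here is read-only against data you already hold (your own response headers and DNS records), so it can be run in CI against a staging deployment before the public scanner sees the change.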
Privacy first
We built the scanner to be completely stateless. In practice that means:
- we don’t store addresses, results or scan logs,
- we don’t build scan history or a user profile,
- every scan is independent and ephemeral — when you close the page, the data is gone.
It’s a deliberate choice: a security tool shouldn’t itself become a database of other people’s websites. You scan, you get a report, done.
How to use it
- Go to breachroad.com/en/scan and enter your domain.
- Wait a few seconds for the report.
- Review the score and risk level, then the findings section — each has a description, a recommendation and a classification (CWE, OWASP).
- Download the report as PDF or JSON if you want to share it with your team or keep it for comparison.
- Fix the gaps found and rescan. How to read the result and what exactly to fix is covered in a separate post: how to read your scan results and fix the issues.
What the scanner does NOT replace
We want to be fully honest here: a passive scanner shows the tip of the iceberg. It checks configuration visible from outside, but it won’t find application logic flaws, access control gaps (IDOR), or vulnerabilities like SQL injection or XSS that require active testing. Those are only found by a manual penetration test. The scanner is an excellent first step and a free hygiene tool — but not an audit.
Frequently asked questions (FAQ)
Is the scanner really free? Yes, entirely — no registration, account limits or fees. We built it as a tool that genuinely helps raise the security level of the web, and we treat it as a showcase of our approach to security.
Can I scan any website? The scanner only queries publicly available, non-invasive information, so it’s safe to use. Local and private addresses (localhost, internal networks, metadata IPs) are blocked. It’s best to scan your own domains — you’ll get a report you can act on immediately.
Will scanning harm my site? No. The scanner makes only passive, non-invasive requests — the same ones any browser or search engine bot makes. It doesn’t test exploits, send malicious requests or load the server.
What do the score and grade mean? The score starts at 100 and drops for missing protections; the A–F letter and risk level (low/medium/high) are a shorthand to help prioritise. It’s a hint on where to start — not a substitute for a full audit. How to read the result exactly is explained in a separate guide.
I found issues on my site — what next? Start with the report’s recommendations; most gaps (headers, cookies, SPF/DMARC) you fix in server or DNS configuration. If you want the full risk picture, or your site processes data and payments, book a free consultation — we’ll help plan a penetration test and audit.
Summary
The free Breachroad scanner is a quick way to see your site through an attacker’s eyes: HTTPS, headers, cookies, email security, file exposure and more — in seconds, with no data stored. It’s a great first step to closing the most common gaps. Try it at breachroad.com/en/scan, and if you want to go deeper than a passive scan allows — let’s talk about a full test.
The scanner runs passively and statelessly. It’s not a substitute for a manual penetration test. Questions or suggestions? Get in touch.