Breachroad
Private · no data stored

Free website security scanner

A fast, passive review of your configuration: HTTPS, security headers, cookies and server exposure. You get the result in seconds — and we store nothing.

The scanner only makes passive, non-invasive requests. It does not test exploits or interfere with the target.

What the scanner checks

Passive, public signals that make up a first assessment of your security hygiene.

Encryption & headers

HTTPS, HSTS, CSP (with quality grading), X-Frame-Options, nosniff, Referrer- and Permissions-Policy.

TLS certificate

Expiry date and issuer from Certificate Transparency logs.

CORS & mixed content

Permissive Access-Control-Allow-Origin and resources loaded over HTTP on an HTTPS page.

Email security

SPF (with strength grading), DMARC, DKIM, MTA-STS, TLS-RPT and MX records.

DNS

DNSSEC and CAA records.

File exposure

Detecting public .git, .env, server-status (with false-positive protection).

Subdomains

Mapping the attack surface from Certificate Transparency logs (crt.sh).

Technologies & vulnerabilities

Fingerprinting the server and CMS, plus known vulnerabilities in JS library versions.

Cookies & server

Secure, HttpOnly, SameSite flags and version leaks in Server and X-Powered-By headers.

HTTP methods

Detecting risky methods (TRACE, PUT, DELETE).

Email exposure

Email addresses in the page code exposed to scraping.

Score & recommendations

A 0–100 score, an A–F grade and concrete fixes.

Frequently asked questions

Do you store scan results?

No. The scanner is fully stateless — we keep no addresses, results or logs. Every scan is independent and gone once you leave the page.

Is this a penetration test?

No. It is a passive configuration review (HTTP headers, cookies, public paths) — no exploits, no interference with the target. Only a manual penetration test gives the full picture.

Can I scan any website?

The scanner only requests publicly available, non-invasive information. Local and private addresses (localhost, internal networks, metadata IPs) are blocked.

What do the score and grade mean?

The score starts at 100 and drops for missing protections. The letter (A–F) and risk level (low/medium/high) are a shorthand to help prioritise — not a substitute for an audit.

A scan is only the start

A passive scanner shows the tip of the iceberg. A manual penetration test and application audit give the full risk picture.
