Website Vulnerability Scanner

Instantly check security headers, SSL/TLS, cookie security, and server misconfigurations. Get a security grade with actionable fix instructions — free, no signup.

Authorized scanning only. Only scan websites you own or have explicit permission to test. Unauthorized scanning may violate laws and terms of service.

  • SSL/TLS Certificate: validity, expiry, protocol version
  • Security Headers: 9 headers including COOP & CORP
  • Cookie Security: Secure, HttpOnly, SameSite flags
  • WAF / CDN Detection: Cloudflare, AWS, Fastly, Akamai…
  • HTTP→HTTPS Redirect: detects missing forced HTTPS
  • Server & security.txt: disclosure and vulnerability contact

Security Headers Explained

Each missing security header is a potential attack vector. Here is what each header does and why it matters.

Content-Security-Policy

HIGH

Prevents XSS attacks by controlling which resources the browser can load. The single most impactful security header for modern web apps.

Strict-Transport-Security (HSTS)

HIGH

Forces browsers to use HTTPS for all connections, preventing SSL stripping and protocol downgrade attacks.

X-Frame-Options

MEDIUM

Prevents clickjacking by controlling whether your page can be embedded in iframes on other sites.

X-Content-Type-Options

MEDIUM

Stops browsers from MIME-sniffing responses, preventing drive-by download attacks from malicious file types.

Referrer-Policy

LOW

Controls how much referrer information is sent with requests, protecting user privacy and sensitive URL parameters.

Permissions-Policy

LOW

Restricts access to browser APIs like camera, microphone, and geolocation — limiting what malicious scripts can do.

How to Add Security Headers

Platform-specific instructions for adding all recommended security headers to your website.

Nginx

# Add to your server {} block in nginx.conf.
# "always" emits the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
# Note: add_header in a nested location {} block replaces ALL inherited add_header
# directives, so repeat the full set in any location {} that adds its own headers.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

Apache

# Add to .htaccess or httpd.conf (requires mod_headers to be enabled)
# "always" applies the headers to error responses as well as successful ones.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

Next.js

// next.config.js or next.config.ts
const nextConfig = {
  async headers() {
    return [{
      source: '/(.*)',   // apply to every route
      headers: [
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
        { key: 'Content-Security-Policy', value: "default-src 'self'" },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'geolocation=(), microphone=(), camera=()' },
      ],
    }]
  },
}

// The config must be exported or Next.js ignores it:
// next.config.js (CommonJS)
module.exports = nextConfig
// next.config.ts / ESM: use `export default nextConfig` instead

Cloudflare

// Cloudflare Workers (cloudflare-headers.js)
addEventListener('fetch', event => {
  event.respondWith(addSecurityHeaders(event.request))
})

async function addSecurityHeaders(request) {
  const response = await fetch(request)
  // Response headers are immutable; copy them before modifying
  const newHeaders = new Headers(response.headers)
  newHeaders.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
  newHeaders.set('Content-Security-Policy', "default-src 'self'")
  newHeaders.set('X-Frame-Options', 'SAMEORIGIN')
  newHeaders.set('X-Content-Type-Options', 'nosniff')
  newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin')
  newHeaders.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
  // Copy status and statusText explicitly: spreading a Response object does not
  // carry them over, because they are prototype getters rather than own properties
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders,
  })
}
// Or use Cloudflare Transform Rules → Modify Response Headers (no coding needed)

Best Website Security Tools & WAF Providers (2026)

Our free scanner identifies issues. These tools provide ongoing protection with firewalls, malware scanning, and real-time monitoring.

Cloudflare (Recommended)
  Type: CDN + WAF
  Price: Free / $20/mo
  Key features: WAF, DDoS protection, CDN, SSL, bot management

Sucuri (All-in-one security)
  Type: WAF + Monitoring
  Price: $199/yr
  Key features: WAF, malware removal, monitoring, DDoS protection

Wordfence (WordPress security)
  Type: Plugin + WAF
  Price: Free / $119/yr
  Key features: Firewall, malware scan, login security, 2FA

SiteLock (Automated scanning)
  Type: Scanner + WAF
  Price: $15/mo
  Key features: Daily scanning, auto-fix, PCI compliance, WAF

Qualys (Enterprise-grade)
  Type: VMDR platform
  Price: Custom pricing
  Key features: Continuous scanning, compliance, asset inventory

Website Security Audit Checklist

SSL/TLS

  • Valid SSL certificate installed
  • TLS 1.2 or 1.3 only (disable 1.0/1.1)
  • HSTS header with long max-age
  • No mixed content warnings

HTTP Headers

  • Content-Security-Policy configured
  • X-Frame-Options: DENY or SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy set appropriately
  • Permissions-Policy restricting APIs

Authentication

  • Strong password policy enforced
  • Multi-factor authentication (MFA) enabled
  • Rate limiting on login endpoints
  • Secure session management

Infrastructure

  • Web Application Firewall (WAF) active
  • DDoS protection enabled
  • Server version headers hidden
  • Regular security patches applied

Frequently Asked Questions

What does this vulnerability scanner check?
This scanner analyzes HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, etc.), SSL/TLS certificate configuration, cookie security attributes (Secure, HttpOnly, SameSite), and common server misconfigurations like server version disclosure.
Is this scanner safe to use?
Yes. This scanner only performs passive checks by analyzing HTTP responses. It does not attempt to exploit vulnerabilities, inject payloads, or perform any destructive actions. However, always ensure you have authorization to scan the target website.
How do I fix the Content-Security-Policy header?
For Nginx: add_header Content-Security-Policy "default-src 'self'" always; For Apache: Header always set Content-Security-Policy "default-src 'self'"; For Next.js, add it to the headers() function in next.config.js. Start with a permissive policy and tighten it over time using report-only mode.
What is HSTS and how do I enable it?
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS. For Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; For Cloudflare, enable HSTS under SSL/TLS → Edge Certificates. Start with a short max-age (86400) and increase after testing.
How do I fix missing security headers?
The fix depends on your platform. For Nginx/Apache, add headers to your server config. For Next.js, use the headers() function in next.config.js. For Cloudflare, use Transform Rules → Modify Response Headers. See the "How to Add Security Headers" section above for platform-specific code.
What is a Web Application Firewall (WAF)?
A WAF sits between your website and the internet, filtering malicious HTTP traffic. It protects against SQL injection, XSS, DDoS, and other OWASP Top 10 attacks. Cloudflare offers a free WAF tier, while Sucuri and AWS WAF provide enterprise-grade protection.
How often should I scan my website for vulnerabilities?
Run security scans at least weekly for production sites. Scan after every deployment or code change. For compliance requirements (PCI-DSS, SOC 2), quarterly vulnerability assessments with documented remediation are typically required.
What is the difference between a vulnerability scanner and a penetration test?
A vulnerability scanner (like this tool) automatically checks for known issues and misconfigurations. A penetration test is a manual, expert-led assessment that attempts to exploit vulnerabilities and chain attacks. Both are important: scanners for continuous monitoring, pentests for deep assessment.
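As an added example (not the scanner's own code), here are the passive checks described in the FAQ answer above and in the "Security Headers Explained" section, written in JavaScript over constructed sample headers: presence of the six headers with their severities, HSTS max-age against the page's recommended 31536000, cookie Secure/HttpOnly/SameSite attributes, and Server version disclosure. The scoring weights and grade thresholds are assumptions, not the scanner's.

```javascript
// Added example, not the scanner's own code: passive checks over a captured response.
// Severities follow the "Security Headers Explained" section; grade weights are assumed.
const REQUIRED = {
  'content-security-policy': 'HIGH',
  'strict-transport-security': 'HIGH',
  'x-frame-options': 'MEDIUM',
  'x-content-type-options': 'MEDIUM',
  'referrer-policy': 'LOW',
  'permissions-policy': 'LOW',
};
// headers: array of [name, value] pairs, because Set-Cookie may repeat.
function auditResponse(headers) {
  const findings = [];
  const get = (n) => headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
  for (const [name, severity] of Object.entries(REQUIRED)) {
    if (get(name).length === 0) findings.push({ severity, issue: `missing ${name}` });
  }
  // HSTS present but max-age below the one year (31536000) the page recommends
  for (const v of get('strict-transport-security')) {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m || Number(m[1]) < 31536000) findings.push({ severity: 'MEDIUM', issue: 'hsts max-age below one year' });
  }
  // Cookie attributes: Secure, HttpOnly and SameSite should all be present
  for (const cookie of get('set-cookie')) {
    const cname = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    for (const flag of ['secure', 'httponly']) if (!attrs.includes(flag)) findings.push({ severity: 'MEDIUM', issue: `cookie ${cname} missing ${flag}` });
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push({ severity: 'LOW', issue: `cookie ${cname} missing samesite` });
  }
  // Server header carrying a version token such as "nginx/1.18.0"
  for (const v of get('server')) {
    if (/\/\d/.test(v)) findings.push({ severity: 'LOW', issue: `server discloses version: ${v}` });
  }
  return findings;
}
// Score 100 minus weighted findings, mapped to a letter grade
function grade(findings) {
  const weight = { HIGH: 20, MEDIUM: 10, LOW: 5 };
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + weight[f.severity], 0));
  return { score, letter: score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F' };
}
// Constructed sample response: partial hardening, short HSTS, one flawed cookie each
const SAMPLE_HEADERS = [
  ['Server', 'nginx/1.18.0'],
  ['Strict-Transport-Security', 'max-age=86400'],
  ['X-Content-Type-Options', 'nosniff'],
  ['Set-Cookie', 'session=abc123; Path=/; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/; Secure; SameSite=Lax'],
];
```

Running `auditResponse(SAMPLE_HEADERS)` yields nine findings (one HIGH, four MEDIUM, four LOW), which `grade` maps to an F; a response carrying the six recommended header values, a cookie with all three attributes and a bare `Server: nginx` yields no findings and an A.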