Website Vulnerability Scanner

Instantly check security headers, SSL/TLS, cookie security, and server misconfigurations. Get a security grade with actionable fix instructions — free, no signup.

Authorized scanning only. Only scan websites you own or have explicit permission to test. Unauthorized scanning may violate laws and terms of service.

  • SSL/TLS Certificate: validity, expiry, protocol version
  • Security Headers: 9 headers including COOP & CORP
  • Cookie Security: Secure, HttpOnly, SameSite flags
  • WAF / CDN Detection: Cloudflare, AWS, Fastly, Akamai…
  • HTTP→HTTPS Redirect: detects missing forced HTTPS
  • Server & security.txt: disclosure & vulnerability contact

How to scan your website in 3 steps

  1. Enter your domain or URL — paste any public-facing URL (e.g. https://example.com) into the Target URL field below.
  2. Click "Scan Now" — the tool checks SSL/TLS, security headers, cookie flags, WAF presence, HTTPS redirect, and server disclosure in seconds.
  3. Review your security score — each finding is rated Critical / High / Medium / Low with a plain-English explanation and a recommended fix.
Deep Scan (+12 checks, ~45s) adds: SRI integrity · Sensitive path exposure · Mixed content · TLS 1.0/1.1 probe · Vulnerable JS libraries · Supply chain · HTTP methods · robots.txt audit · Info disclosure

What is a Vulnerability Scanner?

A vulnerability scanner is an automated tool that checks a system, network, or application for known security weaknesses. It compares the target's configuration, open services, and software versions against a database of known vulnerabilities (CVEs) and security best practices. Running regular scans helps identify risks before attackers do.

Common Vulnerabilities This Scanner Detects

  • Missing HTTP Security Headers: headers like Content-Security-Policy and X-Frame-Options prevent XSS, clickjacking, and data injection attacks.
  • SSL/TLS Misconfigurations: expired certificates, weak cipher suites, or missing HSTS leave traffic exposed to interception.
  • Exposed Admin Panels: publicly accessible /admin, /wp-admin, or /phpmyadmin paths are prime attack targets.
  • Directory Listing Enabled: servers that expose file directories leak sensitive information to anyone who visits.
  • Outdated Software Fingerprints: revealing CMS or server version information helps attackers find known exploits.
  • CORS Misconfiguration: overly permissive cross-origin policies (e.g., Access-Control-Allow-Origin: *) let malicious sites read your API responses.
  • Insecure Cookie Attributes: session cookies missing Secure, HttpOnly, or SameSite flags can be stolen via XSS or sent in cross-site requests.
  • Mixed Content (HTTP over HTTPS): loading HTTP resources on an HTTPS page breaks the security boundary and exposes users to man-in-the-middle injection.
  • Subdomain Takeover: dangling DNS CNAME records pointing to deprovisioned services allow attackers to claim the subdomain and serve malicious content.
  • Vulnerable JavaScript Libraries: outdated frontend libraries with known CVEs (e.g., old versions of jQuery or lodash) can be exploited directly in the browser.

After Your Scan — What To Do Next

After scanning, prioritize fixing critical and high-severity findings first. For missing security headers, most can be added in minutes via your web server or CDN configuration. For SSL issues, tools like SSL Labs (ssllabs.com/ssltest) provide a detailed certificate analysis. For deeper penetration testing beyond automated scanning, consider hiring a certified security professional (OSCP, CEH).

Security Headers Explained

Each missing security header is a potential attack vector. Here is what each header does and why it matters.

Content-Security-Policy

HIGH

Prevents XSS attacks by controlling which resources the browser can load. The single most impactful security header for modern web apps.

Strict-Transport-Security (HSTS)

HIGH

Forces browsers to use HTTPS for all connections, preventing SSL stripping and protocol downgrade attacks.

X-Frame-Options

MEDIUM

Prevents clickjacking by controlling whether your page can be embedded in iframes on other sites.

X-Content-Type-Options

MEDIUM

Stops browsers from MIME-sniffing responses, preventing drive-by download attacks from malicious file types.

Referrer-Policy

LOW

Controls how much referrer information is sent with requests, protecting user privacy and sensitive URL parameters.

Permissions-Policy

LOW

Restricts access to browser APIs like camera, microphone, and geolocation — limiting what malicious scripts can do.

How to Add Security Headers

Platform-specific instructions for adding all recommended security headers to your website.

Nginx

# Add to your server {} block in nginx.conf
# Note: a location {} block that declares its own add_header does NOT inherit
# these directives; repeat them there. Set HSTS only in the HTTPS (listen 443 ssl)
# server block, since browsers ignore it over plain HTTP anyway.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

Apache

# Add to .htaccess or httpd.conf (requires mod_headers; on Debian/Ubuntu: a2enmod headers)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

Next.js

// next.config.js or next.config.ts
const nextConfig = {
  async headers() {
    return [{
      source: '/(.*)',   // apply to every route
      headers: [
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
        { key: 'Content-Security-Policy', value: "default-src 'self'" },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'geolocation=(), microphone=(), camera=()' },
      ],
    }]
  },
}

module.exports = nextConfig  // in next.config.ts use: export default nextConfig

Cloudflare

// Cloudflare Workers (cloudflare-headers.js)
addEventListener('fetch', event => {
  event.respondWith(addSecurityHeaders(event.request))
})

async function addSecurityHeaders(request) {
  const response = await fetch(request)
  const newHeaders = new Headers(response.headers)
  newHeaders.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
  newHeaders.set('Content-Security-Policy', "default-src 'self'")
  newHeaders.set('X-Frame-Options', 'SAMEORIGIN')
  newHeaders.set('X-Content-Type-Options', 'nosniff')
  newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin')
  newHeaders.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
  // Copy status and statusText explicitly: spreading a Response object does not
  // carry them over, which would turn every redirect or error into a 200.
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders,
  })
}
// Or use Cloudflare Transform Rules → Modify Response Headers (no coding needed)

Best Website Security Tools & WAF Providers (2026)

Our free scanner identifies issues. These tools provide ongoing protection with firewalls, malware scanning, and real-time monitoring.

Tool | Type | Price | Key Features
Cloudflare (Recommended) | CDN + WAF | Free / $20/mo | WAF, DDoS protection, CDN, SSL, bot management
Sucuri (All-in-one security) | WAF + Monitoring | $199/yr | WAF, malware removal, monitoring, DDoS protection
Wordfence (WordPress security) | Plugin + WAF | Free / $119/yr | Firewall, malware scan, login security, 2FA
SiteLock (Automated scanning) | Scanner + WAF | $15/mo | Daily scanning, auto-fix, PCI compliance, WAF
Qualys (Enterprise-grade) | VMDR Platform | Custom pricing | Continuous scanning, compliance, asset inventory

Website Security Audit Checklist

SSL/TLS

  • Valid SSL certificate installed
  • TLS 1.2 or 1.3 only (disable 1.0/1.1)
  • HSTS header with long max-age
  • No mixed content warnings

HTTP Headers

  • Content-Security-Policy configured
  • X-Frame-Options: DENY or SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy set appropriately
  • Permissions-Policy restricting APIs

Authentication

  • Strong password policy enforced
  • Multi-factor authentication (MFA) enabled
  • Rate limiting on login endpoints
  • Secure session management

Infrastructure

  • Web Application Firewall (WAF) active
  • DDoS protection enabled
  • Server version headers hidden
  • Regular security patches applied

How the Vulnerability Scanner Works

A passive, non-intrusive security assessment that returns results in seconds — no installation required.

1. What the scanner checks

The scanner performs a multi-layer passive assessment of your website. It inspects all major HTTP security headers — including Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and Referrer-Policy — and scores each against industry best practices. SSL/TLS certificates are validated for expiry, issuer trust, and protocol version. Cookie attributes (Secure, HttpOnly, SameSite) are analyzed for session-hijacking risks. The scanner also checks for WAF presence, CORS policy misconfigurations, server version disclosure, and the existence of a security.txt file.
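The header, cookie and server-disclosure checks described above, as an added example that is not Protego's code: it grades a constructed raw HTTP response offline, using the HIGH/MEDIUM/LOW ratings from the "Security Headers Explained" section and assumed point weights.

```python
from email.parser import Parser
# Header -> severity as rated on this page; a missing header costs its weight.
HEADER_SEVERITY = {
    "Content-Security-Policy": "HIGH",
    "Strict-Transport-Security": "HIGH",
    "X-Frame-Options": "MEDIUM",
    "X-Content-Type-Options": "MEDIUM",
    "Referrer-Policy": "LOW",
    "Permissions-Policy": "LOW",
}
WEIGHT = {"HIGH": 20, "MEDIUM": 10, "LOW": 5}  # assumed weights, not Protego's

def parse_response(raw):
    """Parse the header block of a raw HTTP response (status line dropped)."""
    _, _, header_block = raw.partition("\r\n")
    return Parser().parsestr(header_block, headersonly=True)

def audit_cookies(msg):
    """Flag every Set-Cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("MEDIUM", f"cookie {name} missing {flag}"))
    return findings

def audit(raw):
    """Return (score, findings); each finding is (severity, description)."""
    msg = parse_response(raw)
    findings = [(sev, f"missing {h}") for h, sev in HEADER_SEVERITY.items()
                if msg.get(h) is None]
    findings += audit_cookies(msg)
    server = msg.get("Server", "")
    if any(c.isdigit() for c in server):  # "nginx/1.18.0" leaks a version
        findings.append(("LOW", f"Server header discloses version: {server}"))
    score = max(0, 100 - sum(WEIGHT[sev] for sev, _ in findings))
    return score, findings

# Constructed sample response: HSTS and nosniff set, CSP and friends missing.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n"
)
```

Calling `audit(SAMPLE)` yields a score of 25 with eight findings: four missing headers, three missing cookie flags, and the version-bearing Server header.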

2. Deep Scan mode

Deep Scan goes beyond response headers and performs active path discovery. It probes for exposed sensitive paths (e.g., /admin, /.env, /backup.zip), checks for legacy TLS 1.0/1.1 support, detects vulnerable JavaScript libraries with known CVEs, audits robots.txt for sensitive path disclosure, flags mixed content, verifies Subresource Integrity (SRI) on external scripts, and detects dangerous HTTP methods like PUT and DELETE. Deep Scan takes slightly longer but surfaces the findings most commonly exploited in real attacks.
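The Subresource Integrity check from the Deep Scan list, as an added example that is not Protego's code: it collects external `<script>` tags from a constructed page, recomputes the SRI digest over constructed script bodies (standing in for what a scanner would download), and reports scripts with no or mismatched integrity attributes.

```python
import base64
import hashlib
from html.parser import HTMLParser
ALGOS = ("sha256", "sha384", "sha512")  # digests browsers accept for SRI

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) from every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def sri_hash(content, algo="sha384"):
    """Integrity value (e.g. sha384-...) a tag should carry for this content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def check_sri(html, fetched):
    """Return (src, problem) for cross-origin scripts without a valid SRI hash.
    fetched maps script URL -> bytes and stands in for live downloads."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if not src.startswith(("http", "//")):
            continue  # relative URL: same origin, SRI not expected here
        if integrity is None:
            findings.append((src, "no integrity attribute"))
        elif src not in fetched:
            findings.append((src, "script could not be fetched"))
        elif not any(tok == sri_hash(fetched[src], tok.partition("-")[0])
                     for tok in integrity.split() if tok.partition("-")[0] in ALGOS):
            findings.append((src, "integrity does not match fetched content"))
    return findings

# Constructed page and script bodies; nothing is downloaded.
LIB_JS = b"window.lib = {version: 'constructed'};"
FETCHED = {
    "https://cdn.example.net/lib.js": LIB_JS,
    "https://cdn.example.net/analytics.js": b"track();",
    "https://cdn.example.net/old.js": b"// body changed since the hash was pinned",
}
PAGE = f"""<html><head>
<script src="https://cdn.example.net/lib.js" integrity="{sri_hash(LIB_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/old.js" integrity="sha384-AAAA"></script>
<script src="/static/app.js"></script>
</head></html>"""
```

`check_sri(PAGE, FETCHED)` flags analytics.js (no integrity attribute) and old.js (hash no longer matches); lib.js passes and the same-origin app.js is skipped.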

3. Shareable scan reports

Once a scan completes, you can copy a unique shareable URL directly from the results panel. The link encodes the full scan output — score, grade, all findings, and remediation advice — so you can share it with a developer, client, or security team without requiring them to re-run the scan. Report links work for anyone with the URL and do not require a Protego account to view.

4. Data privacy

Scans are not permanently stored on Protego servers. The tool makes outbound HTTP requests to the target URL you provide and returns the analysis directly to your browser. No login is required to use the scanner, and we do not build profiles of scanned domains. For sensitive internal environments, always ensure you have explicit authorization before scanning.

Frequently Asked Questions

What does the Protego vulnerability scanner check for?
The scanner checks HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), SSL/TLS certificate validity and configuration, cookie security attributes (Secure, HttpOnly, SameSite), CORS policy, WAF detection, server version disclosure, and security.txt presence. With Deep Scan enabled, it also probes for exposed sensitive paths, legacy TLS versions, vulnerable JavaScript libraries, mixed content, and dangerous HTTP methods.
Is the vulnerability scanner free to use?
Yes, fully free with no account required. Both Standard and Deep Scan modes are available to anyone. There are no scan limits enforced for normal use. Protego is a cybersecurity resource built to make security tooling accessible — the scanner will remain free.
How accurate is the scan?
The scanner is highly accurate for what it tests: HTTP response headers, SSL certificates, and server-side configuration are deterministic — a missing header is a missing header. It does not attempt to exploit vulnerabilities (no payload injection, no brute force), so it will not surface logic flaws or application-layer bugs that require authentication. Think of it as a thorough configuration audit, not a full penetration test.
What is Deep Scan mode?
Deep Scan extends the standard check with active path probing and client-side analysis. It attempts to access ~30 commonly exposed paths (admin panels, backup files, environment files), checks for TLS 1.0/1.1 support, detects frontend JavaScript libraries with known CVEs, audits robots.txt for sensitive disclosures, checks for mixed content, and tests for dangerous HTTP methods (PUT, DELETE, TRACE). It takes a few extra seconds but surfaces the findings most relevant to real-world attackers.
Can I share my scan results?
Yes. After a scan completes, use the "Copy Shareable Link" button to get a URL that encodes the full report. Anyone with the link can view the results — score, grade, all findings, and fix recommendations — without running a new scan or creating an account. This is useful for sharing results with developers, clients, or a security team.
How often should I scan my website?
For production websites, scan at minimum once a week and after every significant deployment or configuration change. Headers and certificates can be inadvertently removed or misconfigured during routine updates. For organizations with compliance requirements (PCI-DSS, SOC 2, ISO 27001), documented regular scans are typically a requirement — monthly at minimum, with remediation tracked.
Built by Idan Ohayon at Protego — Microsoft Cloud Solution Architect & cybersecurity practitioner.