Website Security Scanner
Enter a URL to scan for HTTPS, security headers, SSL certificates, email security and cookie flags — get an instant security grade.
Frequently Asked Questions
What does the website security scanner check?
It performs six categories of checks: HTTPS availability, security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), SSL certificate validity, SPF and DMARC email security records, and cookie security flags (Secure, HttpOnly, SameSite).
How is the security grade calculated?
Each check is weighted by importance. HTTPS and a valid SSL certificate are critical. Security headers like HSTS and CSP carry significant weight. Email security (SPF/DMARC) and cookie flags contribute to the final score. The grade ranges from A+ (all checks pass) to F (critical failures).
What are security headers and why do they matter?
Security headers are HTTP response headers that instruct browsers to enforce security policies. For example, HSTS forces HTTPS connections, CSP restricts which scripts and other resources a page may load (limiting cross-site scripting), and X-Frame-Options blocks clickjacking by controlling whether the page can be framed. Missing headers leave your site exposed to common web attacks.
Why should I check cookie security flags?
Cookies without the Secure flag can be sent over unencrypted connections. Without HttpOnly, cookies are readable by JavaScript, so a cross-site scripting (XSS) flaw can be used to steal them. Without SameSite, cookies may be sent with cross-site requests, which enables cross-site request forgery (CSRF). All three flags are essential for session security.
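The header and cookie-flag checks described in the two answers above can be expressed as follows. This is an added example, not the scanner's own code: `audit_response`, the finding strings and the sample response are constructed for illustration, and the HSTS `max-age` check is an extra assumption about what counts as a usable policy.

```python
# Added example: audit one HTTP response for the headers and cookie flags the FAQ names.
import re

REQUIRED_HEADERS = [
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
]
COOKIE_FLAGS = ["secure", "httponly", "samesite"]


def audit_response(headers):
    """headers: list of (name, value) pairs; duplicates such as Set-Cookie are allowed.
    Returns a sorted list of finding strings; an empty list means every check passed."""
    seen, cookies = {}, []
    for name, value in headers:
        key = name.strip().lower()           # header names are case-insensitive
        if key == "set-cookie":
            cookies.append(value)            # each Set-Cookie line is one cookie
        else:
            seen[key] = value.strip()
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in seen]
    # HSTS with max-age=0 tells the browser to drop the policy, so report it.
    hsts = seen.get("strict-transport-security", "")
    match = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if hsts and (match is None or int(match.group(1)) == 0):
        findings.append("weak header: strict-transport-security has no positive max-age")
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; SameSite carries a value after "=".
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name}: missing {flag}")
    return sorted(findings)


# Constructed sample response (not captured from a real site).
SAMPLE = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```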
Does this scanner test for all vulnerabilities?
No — this tool checks common security configurations that are publicly visible (headers, certificates, DNS records). It does not perform penetration testing, code analysis, or check for application-level vulnerabilities like SQL injection or XSS in your code.
Complete Guide: How to Use the Website Security Scanner
Scan any website for security headers, HTTPS configuration, cookie security flags, and common vulnerabilities. Our scanner checks for Content-Security-Policy, HSTS, X-Frame-Options, and more — giving you an actionable security report with severity ratings and fix recommendations.
Step-by-Step Instructions
1. Enter a website URL: type the full URL of the website to scan (e.g., https://example.com). The tool makes an HTTP request and analyzes the response.
2. Wait for the scan: the scanner checks multiple security aspects: HTTP headers, HTTPS configuration, cookie flags, and content security policies.
3. Review the security grade: see an overall security grade (A to F) based on the presence and configuration of key security headers.
4. Fix identified issues: each finding includes the severity (critical, warning, info), what's wrong, and exactly how to fix it with example header values.
Common Use Cases
- ✓ Security audit — check your website's security posture against industry best practices
- ✓ Compliance — verify security headers for PCI DSS, SOC 2, or OWASP requirements
- ✓ Development — verify security headers are correctly configured before deploying to production
- ✓ Vendor assessment — evaluate the security of third-party websites and services
- ✓ Monitoring — regularly scan your sites to catch security regressions
- ✓ Learning — understand what security headers exist and how they protect against attacks
