Is your website safe?
Run a free passive security scan of your HTTPS setup, security headers, mixed content, and information exposure. Get a 0-100 score and a prioritized list of fixes.
Passive & read-only. We check transport, headers, and visible HTML. Nothing is exploited or stored.
What this website security scanner checks
This free scanner runs a passive, read-only sweep of your website's public surface - the same response a browser receives - and grades how well it's hardened against common web attacks. It runs across four categories, returns a 0-100 score and an A-F grade, and gives you a prioritized list of fixes. Nothing is exploited, no login is attempted, and no data is stored. It's broader than a headers-only check: it also looks at transport security, mixed content, cookie flags, and version disclosure.
Encryption & transport
HTTPS, an enforced HTTP-to-HTTPS redirect, and HSTS - the foundation of a trustworthy site.
Security headers
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Content safety
Mixed content - insecure HTTP resources loading on an otherwise secure HTTPS page.
Information exposure
Cookie Secure/HttpOnly flags and software version disclosure that helps attackers target known exploits.
How to check if a website is safe (step by step)
- Scan your URL. Get your 0-100 score and the category breakdown.
- Lock down HTTPS. Ensure the whole site is HTTPS, plain HTTP redirects to HTTPS, and HSTS is enabled.
- Add security headers. Start with a Content-Security-Policy in report-only mode, then add X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
- Fix mixed content. Switch any HTTP resources on HTTPS pages to https:// so browsers stop blocking them.
- Reduce exposure. Set Secure and HttpOnly flags on cookies and strip version numbers from your Server, X-Powered-By, and generator tags.
Why website security matters for SEO and trust
Security isn't just an IT concern - it directly affects revenue and rankings. Browsers label non-HTTPS pages as "Not Secure," which scares away visitors at the worst possible moment. HTTPS is a confirmed Google ranking signal, and a hacked or blacklisted site can be dropped from search results entirely until it's cleaned up.
Most damaging breaches don't require sophisticated attacks - they exploit basic misconfigurations: a missing Content-Security-Policy that lets injected scripts run, cookies without the HttpOnly flag that get stolen via XSS, or an exposed software version that points attackers straight at a known vulnerability. The fixes are usually a few lines of server or CDN configuration, which is why a quick scan delivers an outsized return. For authoritative guidance, see the OWASP Secure Headers Project and MDN's web security docs.
The security signals this tool checks
| Check | Protects against | Priority |
|---|---|---|
| HTTPS encryption | Eavesdropping, data tampering, "Not Secure" warnings | Critical |
| HTTP → HTTPS redirect | Visitors landing on the insecure version | High |
| HSTS | Protocol downgrade / man-in-the-middle | High |
| Content-Security-Policy | Cross-site scripting (XSS) and injection | High |
| X-Frame-Options | Clickjacking | Medium |
| Mixed content | Broken pages and undermined HTTPS | Medium |
| Cookie flags | Session/cookie theft | Medium |
| Version disclosure | Attackers targeting known CVEs | Medium |
How to read your security score
90-100 (A): Strong posture. Keep dependencies patched and monitor for regressions.
80-89 (B): Good - close the one or two remaining gaps (often CSP or HSTS).
65-79 (C): Several gaps leave you exposed to common attacks. Work the priority fixes.
Below 65 (D/F): Significant or critical gaps. Start with HTTPS and the high-impact headers immediately.
What this scan does and doesn't cover
This is a passive configuration scan. It assesses how your site is set up to resist attacks by reading public responses. It deliberately does not perform malware analysis, deep TLS certificate-chain inspection, port scanning, authenticated testing, or any kind of penetration test. For those, pair this with a dedicated malware/blacklist scanner and, for sensitive applications, a professional security assessment. Think of this tool as the fast first pass that catches the most common, highest-impact misconfigurations.
Frequently asked questions
- How do I check if my website is safe?
- Enter your URL above. The scanner passively checks HTTPS, redirects, HSTS, security headers, mixed content, cookie flags, and version disclosure, then returns a score and prioritized fixes.
- Is this scanner free?
- Yes - free, no signup, no limits. The scan is passive and read-only; nothing is exploited or stored.
- What does it check?
- Encryption and transport, security headers, content safety (mixed content), and information exposure (cookie flags and software version disclosure).
- Does HTTPS alone make my site secure?
- No. HTTPS encrypts traffic but doesn't stop clickjacking, XSS, MIME sniffing, or cookie theft. Headers and secure cookies harden the site on top of HTTPS.
- What is mixed content?
- When an HTTPS page loads resources over insecure HTTP. Browsers block or warn on these, which can break the page and weaken security.
- Will this find malware?
- No - it's a configuration and hardening scan, not a malware scanner. Use a dedicated malware/blacklist scanner alongside it.
- Why is exposing my software version a risk?
- Version numbers let attackers look up and target known vulnerabilities. Suppressing them is a quick way to shrink your attack surface.
- How often should I scan?
- After any deployment, platform update, or hosting change, and at least quarterly - headers and redirects can silently regress.
Harden every layer of your site
- DNS lookup - check CAA records and email authentication (SPF/DMARC) that affect your security posture.
- SSL & security headers checker - a focused deep-dive on every HTTP security header.
- Tracker & cookie scanner - see what trackers run and your consent-banner risk.
- Tech stack checker - find out what software powers the site (and whether it's exposing versions).
- Website modernization checker - a full scan including security, mobile, and design.
For deeper reference, see the OWASP Top 10.
Related free tools
Keep going with these tools
SSL & Security Headers Checker
See if your site is properly hardened
Tracker & Cookie Scanner
What trackers does your site run?
Website Tech Stack Checker
What is this site built with?
Website Down Checker
Is it down for everyone, or just you?
Free Website Grader
Score your whole site in seconds
Responsive Design Checker
Preview any site at every screen size
Want a team to handle it for you? We design and build fast, SEO-ready websites that convert. Explore AI web development.
Related guides
Go deeper with our guides
Practical, up-to-date guides on the strategy, costs, and execution behind this tool.
Website Maintenance Checklist 2026: Keep Your Site Secure and Fast
Monthly, quarterly, and annual tasks to keep your small business site secure, fast, and converting.
Technical SEO Checklist for Small Business Websites in 2026
Fix the technical SEO issues holding your site back: crawlability, indexation, site speed, and schema markup.
Ready to ship your next product?
Tell us what you're building. Senior engineers will scope, plan, and start delivering your product with production-ready architecture - fast.
