Crawlsonar

Website Security Scanner

Check your site’s security surface — exposed files, mixed content, CORS, version leakage, security.txt and third-party trackers — with fixes.

What it checks

  • Exposed .git / .env — the two mistakes that leak source code and secrets.
  • Mixed content — http:// resources loaded on an https:// page.
  • CORS — an unsafe wildcard combined with credentials.
  • Version leakage — Server / X-Powered-By exposing software versions.
  • security.txt — a standard contact for vulnerability reports.
  • Trackers — Google Analytics, GTM, Meta Pixel and similar.

Scope: these are passive checks and a few light probes of well-known paths. Only scan sites you own or are explicitly authorised to test.

Related tools

Frequently asked questions

What does the security scanner check?

Exposed files (.git/.env), mixed content, permissive CORS, server version leakage, the presence of security.txt and third-party trackers — all from public responses.

Is scanning my own site safe and legal?

Yes — it only reads publicly available responses and never attacks or brute-forces the target. Only scan domains you own or are authorised to test.