Website Security Scanner
Check your site’s security surface — exposed files, mixed content, CORS, version leakage, security.txt and third-party trackers — with fixes.
What it checks
- Exposed .git / .env — the two mistakes that leak source code and secrets.
- Mixed content — http:// resources loaded on an https:// page.
- CORS — an unsafe wildcard combined with credentials.
- Version leakage — Server / X-Powered-By exposing software versions.
- security.txt — a standard contact for vulnerability reports.
- Trackers — Google Analytics, GTM, Meta Pixel and similar.
Scope: these are passive checks and a few light probes of well-known paths. Only scan sites you own or are explicitly authorised to test.
Related tools
Frequently asked questions
▸ ▾ What does the security scanner check?
Exposed files (.git/.env), mixed content, permissive CORS, server version leakage, the presence of security.txt and third-party trackers — all from public responses.
▸ ▾ Is scanning my own site safe and legal?
Yes — it only reads publicly available responses and never attacks or brute-forces the target. Only scan domains you own or are authorised to test.