Website Security
Website Security is a deterministic posture scan of your public surface. It runs real TLS, DNS, header, and cookie probes, 21 checks across five pillars, and finishes in about a second. It is not a penetration test.
What it probes
Five pillars, 21 evidence-backed checks:
- Transport: HTTP-to-HTTPS redirect and the TLS certificate (issuer, expiry, validity), read live over the wire.
- Browser defenses: HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, frame protection, and mixed-content references.
- Cookies and sessions: Secure, HttpOnly, and SameSite flags on cookies, and insecure form actions.
- DNS and email trust: MX, SPF, DMARC (enforcement vs p=none), and CAA records.
- Exposure: security.txt, robots.txt, sitemap.xml, and exposed source maps.
Fast and deterministic
There is no language model in this scan. It runs about twenty network probes in parallel, reads the responses, and reports what it found. A run in roughly a second at no model cost is normal and correct, not a sign the scan was skipped. Every result is backed by the evidence it observed; when there is nothing to assess (for example, a site that sets no cookies), the check reports an honest informational state rather than a fabricated pass or fail.
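The pillars above list what is probed and this paragraph describes how verdicts are reported; the following Python, an added illustration and not the product's own code, shows what such deterministic checks look like for three of the pillars. It evaluates a constructed set of response headers, Set-Cookie values and a DMARC TXT record (all sample data, not observations from any real site), records the observed value as evidence beside every verdict, and reports an informational state rather than a pass or fail when the page sets no cookies. The header expectations, the check names and the treatment of p=none as a failing policy are this example's assumptions.

```python
"""Constructed posture checks: each returns Finding objects with a state of
"pass", "fail" or "info" and the observed value that the verdict rests on."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    check: str
    state: str      # "pass" | "fail" | "info"
    evidence: str   # the observed value behind the verdict


# Browser-defense headers and the minimum each must satisfy (assumed thresholds).
# Keys are lower-cased so lookups are case-insensitive.
EXPECTED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Browser-defense pillar: named headers plus frame protection."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in EXPECTED_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(Finding(name, "fail", "header absent"))
        else:
            findings.append(Finding(name, "pass" if ok(value) else "fail", value))
    # Frame protection is satisfied by X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "")
    csp = h.get("content-security-policy", "")
    framed = xfo.strip().lower() in ("deny", "sameorigin") or "frame-ancestors" in csp.lower()
    findings.append(Finding("frame-protection", "pass" if framed else "fail",
                            xfo or csp or "no X-Frame-Options or frame-ancestors"))
    return findings


def check_cookies(set_cookie_headers: List[str]) -> List[Finding]:
    """Cookie pillar: Secure, HttpOnly and SameSite on every Set-Cookie header.
    With no cookies there is nothing to assess, so the state is informational."""
    if not set_cookie_headers:
        return [Finding("cookies", "info", "no cookies set on the audited page")]
    findings = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val if val else True
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if "samesite" not in attrs:
            missing.append("samesite")
        if missing:
            findings.append(Finding(f"cookie:{name}", "fail", "missing " + ", ".join(missing)))
        else:
            findings.append(Finding(f"cookie:{name}", "pass",
                                    f"Secure, HttpOnly, SameSite={attrs['samesite']}"))
    return findings


def check_dmarc(txt_record: Optional[str]) -> Finding:
    """Email-trust pillar: parse the _dmarc TXT record and require an enforcing policy."""
    if txt_record is None:
        return Finding("dmarc", "fail", "no _dmarc TXT record")
    tags = {}
    for part in txt_record.split(";"):
        key, _, val = part.partition("=")
        if val:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return Finding("dmarc", "fail", f"unexpected version tag: {txt_record}")
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return Finding("dmarc", "pass", f"p={policy}")
    if policy == "none":
        return Finding("dmarc", "fail", "p=none (monitor only, not enforced)")
    return Finding("dmarc", "fail", f"missing or invalid p tag: {txt_record}")


def states(findings: List[Finding]) -> Dict[str, str]:
    """Map check name to state, for summaries and assertions."""
    return {f.check: f.state for f in findings}


# Constructed sample observations (not from any real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # Permissions-Policy deliberately absent so that check fails
}
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",  # no Secure, HttpOnly or SameSite
]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for f in check_headers(SAMPLE_HEADERS) + check_cookies(SAMPLE_SET_COOKIES) + [check_dmarc(SAMPLE_DMARC)]:
        print(f"{f.state:4}  {f.check:28}  {f.evidence}")
```

Every verdict carries the observed value, so a reader can tell a failing Permissions-Policy check (header absent) from a failing DMARC check (record present but p=none), and an empty cookie jar produces an "info" line instead of a pass the site never earned.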
Scope
The header, cookie, CSP, and mixed-content checks reflect the audited page; the DNS, TLS, and security.txt checks remain domain-wide. The scope is labeled on every result so the reader knows exactly what was covered.
Website Security is a public-surface posture scan. It is not a penetration test, a vulnerability scanner, malware cleanup, or a compliance audit. It will not log into private systems or test authenticated flows. Deeper authenticated testing happens only under a scoped Track 2 services contract.
Running it
Website Security is included on paid plans. Run it from the dashboard, or start it from the API and CLI like any other audit. See Pricing for the plans that include it.