
Website security scan.

A free website security scan that runs a website security check in seconds. This free website security test scans your website for vulnerabilities across 40+ checks and 80+ probes — email authentication, domain security records, HTTP headers (incl. CORP, COOP, COEP), TLS certificate, exposed sensitive paths, WAF detection, AI bot protection, privacy policy check, and more. No exploitation. No login.

No signup · runs in your browser · also try our security headers check, domain security check and blacklist checker.

How to scan your website's security in 3 steps

  1. Enter your domain in the box above (e.g. example.com.au) and click Scan domain.

  2. Read the grade and findings. Start with the overall letter grade, then work down the per-check list — TLS, security headers, exposed paths, email and domain records — fixing the FAIL items first.

  3. Fix and re-scan. Apply each recommendation (or print the report for your team), then run the scan again to confirm every issue is resolved.

What this scan checks

Every scan is passive — it reads only what any browser or mail server can already see. Here's what each group of checks looks for and why it matters.

TLS / HTTPS certificate

What it looks for: valid, in-date certificate, key strength, HTTP→HTTPS redirect, supported TLS protocols.
Why it matters: an expired, weak or mis-redirected certificate breaks trust and exposes traffic to interception.

HTTP security headers

What it looks for: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, COOP, COEP.
Why it matters: missing headers leave the site open to clickjacking, MIME sniffing, XSS and cross-origin data leaks.

Exposed sensitive paths

What it looks for: admin panels, /wp-config.php, /.git, backups, database dumps, phpinfo, Swagger / GraphQL and other config endpoints.
Why it matters: publicly reachable admin or config files hand attackers credentials, source code or a direct way in.

Cookie & server hardening

What it looks for: Secure / HttpOnly / SameSite cookie flags and Server / X-Powered-By version disclosure.
Why it matters: insecure cookies enable session theft; leaked software versions let attackers target known CVEs.

Technology & exposure fingerprint

What it looks for: detected stack, WAF / CDN presence, AI-bot blocking, robots.txt, mixed content, SRI, CORS, privacy policy, security.txt.
Why it matters: shows your real public attack surface and whether basic protections and disclosures are in place.

Email & domain records

What it looks for: SPF, DKIM, DMARC, MX, DNSSEC, CAA, MTA-STS, TLS-RPT, BIMI.
Why it matters: weak email authentication invites spoofing of your domain; missing DNS controls weaken the whole perimeter.
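The header and cookie checks above, written out as a passive checker over a constructed response (an added example, not the scanner's own code). It assumes the header names listed on this page, a 180-day HSTS minimum, and treats any digit in Server or X-Powered-By as a version leak; a real run would feed it the headers of a live HTTP response.

```python
import re

# Headers the scan lists, keyed by their lower-case wire names.
REQUIRED_HEADERS = (
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
    "cross-origin-resource-policy", "cross-origin-opener-policy", "cross-origin-embedder-policy",
)
DISCLOSURE_HEADERS = ("server", "x-powered-by")  # version leaks help attackers pick known CVEs
COOKIE_FLAGS = ("secure", "httponly", "samesite")
HSTS_MIN_AGE = 15552000  # 180 days; assumed threshold, the page gives no number

def check_headers(headers):
    """Return FAIL findings for one response's headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED_HEADERS if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:  # present but too short is its own finding
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("strict-transport-security max-age below 180 days")
    for name in DISCLOSURE_HEADERS:
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"{name} discloses software version: {h[name]}")
    return findings

def check_cookie(set_cookie):
    """Return findings for one Set-Cookie value lacking Secure, HttpOnly or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} missing {flag}" for flag in COOKIE_FLAGS if flag not in attrs]

def scan_response(headers, set_cookies):
    """All findings for one response; Set-Cookie is passed as a list because it repeats."""
    findings = check_headers(headers)
    for cookie in set_cookies:
        findings.extend(check_cookie(cookie))
    return findings

# Constructed sample response, not a real site.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self'"}
SAMPLE_COOKIES = ["sessionid=abc123; Path=/; HttpOnly",
                  "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print("FAIL", finding)
```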

Common website-security issues we fix

A security scan usually surfaces the same recurring gaps. The ones we see and fix most often:

Expired or weak TLS

Lapsed certificates, weak keys or a missing HTTP→HTTPS redirect throw browser warnings and leave traffic open to interception.

Missing security headers

No CSP, HSTS or X-Frame-Options leaves the site exposed to clickjacking, XSS and MIME sniffing.

Exposed admin or config paths

Publicly reachable admin panels, wp-config.php, .git folders or backups hand attackers a way straight in.

Insecure cookies

Session cookies missing Secure, HttpOnly or SameSite flags can be stolen over the network or via cross-site scripting.

Want a deeper, expert security review?

This scan covers what's externally visible. Edos Solutions hardens Australian websites end to end — TLS, security headers, exposed paths, cookies and email authentication — and re-scans to confirm every fix landed.

Frequently asked questions

What does the website security scan check?
40+ checks across five areas: email authentication (SPF, DKIM, DMARC), domain security records (DNSSEC, CAA, MTA-STS, TLS-RPT, BIMI), HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, COOP, COEP), TLS certificate health and redirect chain, and website exposure checks (sensitive paths, WAF detection, AI bot protection, privacy policy, security.txt). Results are scored with a letter grade.
Is this a passive scan — does it exploit vulnerabilities?
Fully passive. The scan reads publicly observable configuration — DNS records, HTTP headers, TLS certificates, and responses to standard requests. It does not attempt exploitation, authentication bypass, injection attacks, or any technique that touches your application logic. Everything the scan sees is what any browser or mail server would see making normal requests.
What is the difference between this free scan and the Security Health Check?
This free scan covers externally observable signals automatically. The Security Health Check (AUD $2,500) is a human-conducted audit that goes deeper: manual SPF analysis, plugin CVE matching against your installed versions, open port scanning, subdomain exposure review, and a written findings report with severity ratings and a prioritised fix list, plus a 30-minute walkthrough call and 90-day follow-up access.
How often should I run this scan?
Run it whenever you make infrastructure changes (DNS updates, new mail provider, SSL certificate renewal, website deployment) and as a periodic baseline every 3–6 months. Email authentication configuration drifts silently — DKIM keys rotate, DMARC reporting addresses go stale, and SPF includes accumulate past the 10-lookup limit without anyone noticing.
Why does my domain score lower than expected?
The most common reasons are: DMARC stuck at p=none (monitoring only, not enforcing); no HSTS header or short max-age; missing or weak Content-Security-Policy; no CAA record; DNSSEC not enabled; or missing MTA-STS. These are configuration gaps, not active compromises — most can be addressed in under an hour once you know they exist.
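The two silent-drift problems named in the previous two answers (an SPF record that has grown past the 10-lookup limit, and DMARC left at p=none) as a checker over constructed TXT records; this is an added example, not the scanner's code, and the TXT dictionary, domain names and mailer names are all made up so it runs offline.

```python
import re

# Constructed TXT records standing in for live DNS; a real checker would query the resolver.
TXT = {
    "example.com.au": "v=spf1 include:_spf.mailer-a.example include:_spf.mailer-b.example mx -all",
    "_spf.mailer-a.example": "v=spf1 include:a1.mailer-a.example ip4:198.51.100.0/24 -all",
    "a1.mailer-a.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    "_spf.mailer-b.example": "v=spf1 include:b1.mailer-b.example include:b2.mailer-b.example include:b3.mailer-b.example -all",
    "b1.mailer-b.example": "v=spf1 a -all",
    "b2.mailer-b.example": "v=spf1 mx -all",
    "b3.mailer-b.example": "v=spf1 exists:%{i}.b3.mailer-b.example -all",
    "_dmarc.example.com.au": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query (RFC 7208)
SPF_LOOKUP_LIMIT = 10  # more than this and receivers return permerror, so SPF silently stops working

def spf_lookups(domain, seen=None):
    """Count DNS-querying terms in a domain's SPF record, following include: and redirect=."""
    seen = set() if seen is None else seen
    if domain in seen:  # include loop guard
        return 0
    seen.add(domain)
    record = TXT.get(domain, "")
    count = 0
    for term in record.split()[1:] if record.startswith("v=spf1") else []:
        m = re.match(r"[+\-~?]?([a-z]+)(?:[:=/](.*))?$", term)  # qualifier, name, argument
        if m and m.group(1) in LOOKUP_TERMS:
            count += 1
            if m.group(1) in ("include", "redirect"):
                count += spf_lookups(m.group(2), seen)
    return count

def dmarc_policy(domain):
    """Return the DMARC p= tag, or None when no valid record exists."""
    record = TXT.get(f"_dmarc.{domain}", "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def email_findings(domain):
    """FAIL items for the two drift problems the page names: SPF over-limit and DMARC p=none."""
    findings = []
    n = spf_lookups(domain)
    if n > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {n} DNS lookups (limit {SPF_LOOKUP_LIMIT}): receivers return permerror")
    policy = dmarc_policy(domain)
    if policy is None:
        findings.append("no valid DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is not rejected")
    return findings
```

For example.com.au the includes add up to 12 lookups, two over the limit, even though the top-level record looks short.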
How do I scan my website for security issues?
Enter your domain (e.g. example.com.au) in the box above and click Scan domain. The free website security scan runs entirely in your browser and against our passive probe — no agent, no signup, no exploitation. Within seconds it tests TLS certificate health, HTTP security headers, exposed admin and config paths, email authentication and domain records, then returns a letter grade with a per-check findings list you can print. Re-run it after any infrastructure change to confirm the fix landed.