Web Security Scanner

Know Your Attack Surface.

Instant security audit — headers, TLS, DNS, cookies. Free scan, no login.

Scan a website →

Trusted by security professionals worldwide.

HTTP Security Headers · TLS / SSL Certificate · DNS Security (SPF & DMARC) · Cookie Flags

Three steps to a full audit

01

Paste a URL

Enter any website — no account, no setup, no API key needed for the free scan. Works on any publicly accessible URL including staging and production environments.

02

We scan 20+ checks

Headers, TLS certificate, DNS records, cookie security — all in parallel, in seconds. We use a real HTTP request with browser-like headers to get the same response your visitors see, not a cached snapshot.

03

Get instant results

Letter grade, per-finding fixes, and an exportable PDF report (Pro) ready to hand to a client. Each finding includes the exact header value to add, so fixes take minutes rather than hours of research.

Why HTTP security headers matter

HTTP security headers are the first line of defence browsers enforce before any code runs on your page. A properly configured Content Security Policy (CSP) blocks cross-site scripting (XSS) at the browser level. HSTS forces every connection to use HTTPS, eliminating protocol-downgrade attacks. X-Frame-Options stops your pages being embedded in phishing iframes. Although each of these controls is only a few lines of server configuration, most websites are missing two or more of them. A free website security scan with WebAudit tells you exactly which headers are absent and what to add.

Full coverage. Zero noise.

8 CHECKS

HTTP Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS policy, server fingerprinting. Each missing or misconfigured header is a potential attack vector. A missing Content Security Policy leaves your site open to cross-site scripting; missing HSTS lets attackers downgrade connections to plain HTTP and intercept sensitive data.

5 CHECKS

TLS / SSL Certificate

Certificate expiry, days remaining, cipher strength, protocol version (TLSv1.0 is deprecated), and self-signed detection. An expired certificate triggers browser warnings that drive visitors away instantly. Weak cipher suites or old protocol versions can expose encrypted traffic to well-known downgrade attacks.

7 CHECKS

DNS Security

SPF, DMARC, DKIM detection, CAA records, DNSSEC, and security.txt — plus policy strength analysis. Without SPF and DMARC, anyone can send convincing phishing emails that appear to come from your domain. WebAudit checks record values, not just presence — a DMARC "p=none" policy is flagged as weak.

3 FLAGS/COOKIE

Cookie Security

Secure flag, HttpOnly flag, SameSite attribute — checked on every cookie set by the page. A cookie without the Secure flag can be intercepted over plain HTTP; without HttpOnly, any XSS flaw gives attackers direct access to session tokens. WebAudit reports each cookie by name so you know exactly which ones to fix.
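As an added illustration of the header-presence, DMARC policy-strength and cookie-flag checks described in the three sections above (example code written for this page, not WebAudit's own scanner; the response headers, Set-Cookie values and DMARC TXT record are constructed samples):

```python
# Constructed sample of what a scanner would see after one HTTP request and one DNS TXT lookup.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; HttpOnly",                         # missing Secure and SameSite
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",       # fully flagged
]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # present but weak

# Header name -> why its absence matters (names compared case-insensitively, as HTTP allows).
REQUIRED_HEADERS = {
    "content-security-policy": "no browser-level XSS mitigation",
    "strict-transport-security": "connections can be downgraded to plain HTTP",
    "x-frame-options": "page can be framed by other origins",
    "x-content-type-options": "MIME sniffing allowed",
    "referrer-policy": "full URLs may leak via Referer",
    "permissions-policy": "powerful browser features unrestricted",
}

def check_headers(headers):
    """Return the required security headers that are absent from the response."""
    present = {name.lower() for name in headers}
    return [name for name in REQUIRED_HEADERS if name not in present]

def check_cookies(set_cookie_values):
    """Return {cookie_name: [missing flags]} for every Set-Cookie value that lacks a flag."""
    findings = {}
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:                       # attributes after the name=value pair
            key, _, value = attr.partition("=")
            attrs[key.lower()] = value
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            missing.append("SameSite=Lax/Strict")
        if missing:
            findings[name] = missing
    return findings

def dmarc_policy_strength(txt_record):
    """Classify a TXT record as 'missing' (not DMARC), 'weak' (p=none) or 'ok' (quarantine/reject)."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "missing"
    return "weak" if tags.get("p", "none").lower() == "none" else "ok"
```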

3 CHECKS

Cross-Origin Isolation

COOP, COEP, CORP — modern headers that isolate your browsing context and prevent cross-origin data leaks and Spectre-style attacks. These headers are required to safely use high-resolution timers and SharedArrayBuffers. Many developers overlook them entirely; WebAudit checks all three and explains the impact of each.

4 CHECKS

Page Analysis

Mixed content detection, Subresource Integrity (SRI) checks, base tag hijacking risk, external dependency audit. Mixed content means your HTTPS page loads resources over plain HTTP, silently breaking security guarantees. Missing SRI attributes allow CDN-served scripts to be replaced with malicious versions without detection.

Built for the way you actually work.

100% free scan

No account required. Paste a URL, get results instantly. SecurityHeaders.com shut down its API in April 2026 — WebAudit stepped in with more checks, no login wall, and INR pricing for Indian developers.

PDF report (Pro)

Client-ready PDF export with executive summary, per-finding severity, and fix recommendations grouped by effort — something your client can actually read and act on. Pro plan includes 50 PDF exports per month.

API access from ₹499/month

INR pricing for India via Razorpay. International payments via LemonSqueezy at $7/month. Automate security checks in your CI pipeline or build your own reporting dashboard on top of the WebAudit API.

Built for anyone responsible for a site's security

Freelance pentesters use the PDF export to deliver professional client reports without building their own tooling. Developers run scans in CI to catch regressions before they ship. Digital agencies run scheduled scans across all their client domains. Site owners who are not security experts get plain-English explanations of every finding and exactly what needs to change — no background in security required to act on the results.

What grade does your site get?

Most sites score D or F. Find out in 8 seconds.

Run a free scan →

Compliance

Know your compliance posture.

OWASP Top 10 · PCI-DSS v4.0 · GDPR Article 32 · ISO 27001:2022 — all mapped automatically in one PDF report.

Get report for ₹249 / $3 →