Is the security scan really free?

Yes. The core scan with 180+ checks across SSL, headers, OWASP paths, CVEs, and threat intelligence is free forever. You only need to verify your email to receive the report. A $29 premium report with AI-generated fix instructions and PDF export is optional.

How long does a security scan take?

Most scans finish in 30 to 60 seconds. The scanner runs 180+ checks in parallel against your URL, then generates the report. You'll get an email with a link to view results as soon as the scan completes.

Will the scan hurt my production site?

No. All checks are passive. We read what's publicly exposed the same way Googlebot does. We don't exploit vulnerabilities, don't brute-force logins, and don't generate high traffic. Safe to run on your own production site.

What does the scanner actually check?

SSL/TLS deep analysis (SSLyze cipher suites, Heartbleed, CRIME), 7 security headers (CSP, HSTS, X-Frame-Options, etc.), open ports (MySQL, Redis, MongoDB, FTP), 30+ sensitive file paths (.env, .git, admin panels), DNS records (SPF, DMARC, DKIM), CVE lookup (NVD + OSV), threat intelligence (VirusTotal, AlienVault, URLhaus, PhishTank), and JS library vulnerabilities (retire.js).

Do you share my email or scan results with third parties?

No. Scan results are only emailed to you. Your email is used exclusively for scan delivery and optional follow-ups you can unsubscribe from. We do not sell data or share it with advertisers. See our privacy policy for details.

Is this a replacement for a professional penetration test?

No. ismycodesafe.com catches the most common misconfigurations and known vulnerabilities. The 80% that automated tools can detect. A professional pentester finds business-logic flaws, authentication bypass chains, and target-specific issues that no scanner can. Use us as a first layer; use a pentester for compliance or high-risk systems.

ismycodesafe.com: Free Website Security Scanner

Find out in 60 seconds. Free. We run 180+ security checks across SSL, headers, ports, OWASP paths, CVE databases, and more.

180+ security checks in 60 seconds

Click any category to see exactly what we scan for.

SSL/TLS & Encryption

Certificate validation, protocol security, and HTTPS enforcement.

5▼

+Certificate validity, issuer, expiration date, and subject
+TLS protocol version (flags outdated TLS 1.0/1.1)
+HSTS header presence and configuration
+HTTP to HTTPS redirect chain analysis
+Redirect hop count and temporary vs permanent redirects

Security Headers

7 critical HTTP headers that protect against common attacks.

8▼

+Content-Security-Policy (XSS protection)
+Strict-Transport-Security (HTTPS enforcement)
+X-Frame-Options (clickjacking protection)
+X-Content-Type-Options (MIME sniffing protection)
+Referrer-Policy (privacy control)
+Permissions-Policy (browser feature restrictions)
+Cross-Origin-Opener-Policy (cross-origin isolation)
+Information leakage via Server, X-Powered-By headers

Open Ports & Services

10 common ports scanned for exposed databases and services.

6▼

+MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017)
+FTP (21) with anonymous login detection
+SSH (22), Telnet (23), SMTP (25/587/465)
+HTTP-alt (8080), HTTPS-alt (8443)
+SMTP STARTTLS and implicit TLS verification
+FTP banner grabbing and access level testing

Sensitive Files & Paths

53 paths checked for exposed configuration, secrets, and backups.

10▼

+Environment files: .env, .env.bak, .env.local, .env.production
+Version control: .git/config, .git/HEAD, .svn, .hg, .bzr, CVS
+Admin panels: /admin/, /wp-admin/, /phpMyAdmin/, /adminer.php
+API docs: /api-docs, /swagger-ui.html, /graphql
+Framework endpoints: /actuator/env, /elmah.axd, /trace.axd, /_profiler/, /_debugbar/
+Backup files: database.sql, dump.sql, backup.zip, wp-config.php.bak
+CI/CD config: Dockerfile, docker-compose.yml, .github/workflows/, Jenkinsfile
+Cloud credentials: .aws/credentials, .docker/config.json, .npmrc
+Server info: /server-status, /server-info, /nginx.conf, /phpinfo.php
+Standard files: robots.txt, sitemap.xml, security.txt, crossdomain.xml

DNS & Email Security

7 DNS checks for email spoofing protection and domain security.

7▼

+SPF record (Sender Policy Framework)
+DMARC record and policy (reject/quarantine/none)
+DKIM verification across 12 common selectors
+MX records and mail server infrastructure
+CAA records (Certificate Authority Authorization)
+MTA-STS (Mail Transfer Agent Strict Transport Security)
+TLS-RPT (SMTP TLS Reporting)

CORS & Access Control

Cross-origin policy testing and dangerous HTTP method detection.

5▼

+Origin reflection (mirrors arbitrary origins)
+Wildcard + credentials misconfiguration
+Null origin acceptance
+Dangerous HTTP methods: TRACE, DELETE, PUT
+Cookie security flags: Secure, HttpOnly, SameSite

Technology & CVE Detection

Stack fingerprinting with known vulnerability matching via NVD + OSV.

8▼

+Server software: nginx, Apache, IIS, Cloudflare, Caddy
+Languages/Frameworks: PHP, ASP.NET, Express, Next.js, Django
+Frontend: React, Vue, Angular, Svelte, Nuxt detection
+CMS: WordPress version and plugin detection
+JavaScript CDN libraries with version extraction
+CVE lookup via NIST NVD API (server tech)
+CVE lookup via OSV API (npm packages)
+CVSS v3.1 severity scoring per vulnerability

Content & Code Analysis

Page source analysis for information leaks and integrity issues.

8▼

+Mixed content (HTTP resources on HTTPS pages)
+Missing Subresource Integrity (SRI) on external scripts
+Forms submitting over HTTP (unencrypted)
+Missing CSRF tokens in forms
+Stack traces and exceptions in responses
+Debug mode indicators (Django, Rails, Laravel, etc.)
+Sensitive HTML comments (passwords, API keys, TODOs)
+Error page information leaks (404 and 500 responses)

WAF & Authentication

Firewall detection, login security, and brute force protection.

6▼

+WAF detection: Cloudflare, Sucuri, Akamai, AWS, F5, Imperva
+Behavioral WAF probe (SQL injection pattern test)
+Login page discovery across 6 common paths
+CSRF token presence on login forms
+Password autocomplete settings
+Rate limiting detection (429 response + headers)

Threat Intelligence

6 threat databases checked for malware, phishing, and reputation.

6▼

+VirusTotal: URL reputation from 70+ antivirus engines
+PhishTank: Known phishing site database check
+AlienVault OTX: Community threat intelligence reports
+abuse.ch URLhaus: Malware distribution URL database
+Spamhaus DBL: DNS-based domain blocklist (spam, phishing, malware, botnet)
+Overall threat level aggregation across all sources

Deep SSL/TLS Analysis

Protocol-level TLS audit with vulnerability detection via SSLyze.

6▼

+Protocol support: SSL 2.0/3.0, TLS 1.0/1.1/1.2/1.3
+Cipher suite enumeration per protocol version
+Heartbleed vulnerability detection (CVE-2014-0160)
+CRIME attack: TLS compression check
+Certificate chain validation and hostname matching
+OCSP stapling verification

Shodan Intelligence

Exposed services, known CVEs, and infrastructure fingerprinting.

5▼

+Open port discovery via Shodan InternetDB
+Known CVEs associated with server IP
+Risky port detection (databases, RDP, FTP, Redis)
+Reverse DNS hostnames and infrastructure tags
+Cross-reference with port scan results

Certificate Transparency

Subdomain discovery and attack surface mapping via CT logs.

4▼

+crt.sh Certificate Transparency log search
+Unique subdomain extraction from issued certificates
+Risky subdomain detection (admin, staging, dev, vpn, internal)
+Total certificate count for the domain

Website Analysis (urlscan.io)

Deep website inspection. DOM, technologies, geolocation, threats.

5▼

+Malicious site verdict and threat score (0-100)
+Technology detection (server software, frameworks, libraries)
+Server IP geolocation and hosting provider (ASN)
+HTTP request analysis and third-party domain count
+Cross-validation with other threat intelligence sources

JS Library Vulnerabilities

Frontend JavaScript libraries checked against retire.js CVE database.

4▼

+CDN library version extraction (unpkg, cdnjs, jsdelivr)
+CVE lookup against retire.js vulnerability database
+CVSS severity rating per vulnerability
+Upgrade recommendations with fix versions

Subdomains & Reputation

Attack surface mapping and blacklist status verification.

4▼

+Subdomain enumeration via Certificate Transparency logs
+Risky subdomain flagging (staging, dev, test, admin, vpn)
+IP blacklist check across 5 major spam/malware lists
+Spamhaus, Spamcop, SORBS, Barracuda reputation check

OWASP Top 10 & Grading

All findings mapped to OWASP 2021 categories with A-F grade.

8▼

+A01: Broken Access Control (CORS, methods, admin exposure)
+A02: Cryptographic Failures (SSL, HSTS, redirects)
+A03: Injection (exposed files, open database ports)
+A05: Security Misconfiguration (headers, error pages, Shodan)
+A06: Vulnerable Components (CVEs in tech stack + JS libraries)
+A07: Auth Failures (CSRF, cookies, rate limiting)
+A08: Integrity Failures (SRI, mixed content)
+Security grade A-F based on finding severity distribution

SEO Analysis. 21 checks

Technical and on-page SEO audit: meta tags, Open Graph, structured data, sitemap, page speed, compression, render-blocking scripts, and more. A-F grading included.

▼

+Title tag presence, length (30-60 chars optimal)
+Meta description presence, length (120-160 chars optimal)
+Canonical URL validation and conflict detection
+Viewport meta tag (mobile-first indexing requirement)
+Heading hierarchy: H1 count and level skip detection
+Image alt text coverage analysis
+Language declaration (<html lang>)
+Open Graph tags (og:title, og:description, og:image, og:url)
+Twitter Card meta tags for social sharing
+JSON-LD structured data validation (schema.org)
+Robots.txt analysis and crawl blocking detection
+XML sitemap presence check
+Meta robots / noindex directive detection
+Response time (TTFB) measurement against Google threshold
+Page size analysis (HTML document weight)
+Compression detection (gzip/Brotli)
+Render-blocking script detection in <head>
+Favicon presence check
+Thin content detection (word count analysis)
+JavaScript rendering dependency detection (SPA markers)
+Charset declaration validation

AI Content Detection. 17 checks

86% of AI-generated code has security vulnerabilities. We detect patterns from Cursor, Copilot, ChatGPT. Placeholder content, boilerplate, missing trust signals, and AI-generated image fingerprints.

▼

+AI-generated text pattern detection (14 phrase patterns)
+Buzzword density analysis (marketing jargon overuse)
+Placeholder content detection (Lorem Ipsum, TODO, example.com)
+Default meta tags from code generators
+Default page titles from scaffolding tools
+Framework boilerplate content detection (Next.js, React, etc.)
+Author attribution and E-E-A-T signal analysis
+Trust page detection (About, Contact links)
+Privacy policy and legal page presence
+Paragraph uniformity analysis (AI content fingerprint)
+AI-generated image detection (Midjourney, DALL-E, Stable Diffusion)
+Stock photo indicator detection
+Development URL detection in production (localhost references)
+Debug statement detection (console.log in production)
+Inline style overuse detection (AI code pattern)
+Generic error message detection
+Content authenticity grade A-F

How it works

Enter your URL

Type in the website you want to scan.

Wait 60 seconds

We run 180+ checks across SSL, headers, ports, CVEs, SEO, and more.

See your results

View vulnerabilities grouped by severity with OWASP mapping and A-F grade.

Security guides for developers

Learn how to fix the vulnerabilities we detect.

Have questions? We've got answers.

Book a free consultation or send us a message. And get The State of Web Security 2026 (PDF) on us.

Talk to us

Leave your name, email and a short message, and we'll get back to you within 24 hours.