About
ismycodesafe.com is built and operated by one person. Here is who that is, how the scanner actually works, and where its limits sit.
Who builds this
I’m Roy Morken, an indie security practitioner based in Norway. I started ismycodesafe.com after years of watching small teams ship production sites with the same handful of misconfigurations: no CSP, no HSTS, a .env file reachable by URL. And then paying five-figure consulting fees to find out.
The scanner is the tool I wished existed for my own projects: a free, read-only baseline check you can run in thirty seconds, against any URL, and get back a structured report instead of a PDF generated by a marketing team.
Outside of ismycodesafe, I run Datafolka, a small code security consultancy. If the scanner finds something you want a human to look at, that’s where the deeper work happens.
How the scanner actually works
Every check is passive. The scanner makes the same requests a browser or a search engine bot would make: a GET for the homepage, a probe of well-known paths, a TLS handshake to read the certificate chain. It never attempts an exploit, never brute-forces credentials, never hammers your server.
A single scan touches roughly 180 check points spread across six areas: SSL/TLS deep analysis (SSLyze), seven HTTP security headers, open ports on common services, DNS and email authentication records, exposed file paths, and threat-intel lookups (VirusTotal, AlienVault OTX, URLhaus, PhishTank, Shodan InternetDB, Certificate Transparency). Each finding is mapped to OWASP Top 10 and, where relevant, a specific CVE.
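To make the passive header check concrete, here is an added example (not the scanner's own code) that parses one captured HTTP response and flags missing or weak security headers without sending any further request. The seven-header set, the HSTS max-age threshold and the sample response are assumptions; the page does not list them.

```python
"""Passive security-header check over a captured HTTP response (example code)."""
import re

# Assumed header set: the page says "seven HTTP security headers" but does not name them.
REQUIRED = {
    "strict-transport-security": "HSTS missing: plain-HTTP downgrade possible",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: clickjacking not mitigated",
    "referrer-policy": "Referrer-Policy missing: URLs leak via Referer",
    "permissions-policy": "Permissions-Policy missing: browser APIs unrestricted",
    "cross-origin-opener-policy": "COOP missing: no cross-origin window isolation",
}
MIN_HSTS_AGE = 15552000  # 180 days; assumed threshold, not the scanner's


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block; body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: dict) -> list:
    """Return finding strings; an empty list means nothing to report."""
    findings = [msg for name, msg in REQUIRED.items() if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (not age or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append(f"HSTS max-age too short (want >= {MIN_HSTS_AGE} seconds)")
    csp = headers.get("content-security-policy", "")
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        findings.append("CSP allows 'unsafe-inline' or 'unsafe-eval': weak XSS mitigation")
    if headers.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    return findings


# Constructed sample: a site that set a few headers, but weakly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html>...</html>"
)

if __name__ == "__main__":
    for finding in check_headers(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```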
What this scanner is not
It is not a replacement for a penetration test. An automated scan catches misconfiguration and known-bad patterns, the 70 to 80% of findings that show up in any competent audit. It will not find business-logic flaws, authentication chains specific to your app, stored XSS that requires a logged-in session, or race conditions in a checkout flow. For those, hire a pentester.
It is also not a compliance artifact. SOC 2, ISO 27001, and PCI auditors want signed attestations from accredited firms, not scanner output. Use this tool as a weekly sanity check, not as evidence.
Privacy and data handling
Your scan target URL and the resulting report are stored so you can retrieve the results via the email link. Nothing about your site is shared with third parties. Results are not indexed. If you want your scan deleted, email help@ismycodesafe.com and it’s gone within 24 hours. Full details live on the privacy page.
Research we publish
When the dataset from scans is interesting beyond a single report, I write it up. The methodology, raw CSV, and reproducer script are always public.
- State of Web Security in YC Startups 2026 - 100 companies across W25, S24, W24. Published April 2026.
Contact
- help@ismycodesafe.com - fastest route, usually answered same day
- Consulting: datafolka.no - deeper security work beyond the scanner
Last updated: April 18, 2026