Ecommerce Security Scanner

Free Ecommerce Security Scanner

Scan your online store for card skimmers, weak checkout TLS, missing CSP, and PCI DSS issues. Works with Shopify, WooCommerce, Magento, and custom builds.


No signup · No credit card · Results in 30 seconds

What the scanner checks

Card skimmer (Magecart) detection

Analyzes your JavaScript for signs of injected skimmers that steal customer payment data at checkout.

Checkout TLS strength

Verifies TLS 1.2+ on checkout pages as required by PCI DSS. Flags weak ciphers, expired certs, and TLS 1.0/1.1.

Subresource Integrity (SRI)

Checks if third-party scripts loaded on checkout pages have SRI hashes to prevent supply chain tampering.

Content-Security-Policy for checkout

Validates that the CSP restricts script sources, so that injected skimmers cannot load from external domains.

Customer data exposure

Detects exposed admin panels, /backup/ directories, customer data dumps, and .env files with API keys.

Session cookie security

Verifies cart and session cookies have Secure, HttpOnly, and SameSite flags to prevent hijacking.

Why Ecommerce Security Is Different

Ecommerce sites handle payment data, which puts them under PCI DSS and increases liability exposure. The biggest threat today is not traditional SQL injection — it's supply chain attacks (Magecart) that inject card skimmers via compromised third-party scripts on checkout pages.

The British Airways Magecart attack stole 380,000 card records from a single compromised script. Protection requires strict Content-Security-Policy, Subresource Integrity hashes on every external script, and continuous monitoring of checkout-page JavaScript. Our scanner validates all three.

Frequently Asked Questions

Is my ecommerce site PCI DSS compliant?

PCI DSS requires TLS 1.2+, a web application firewall, quarterly vulnerability scans, and strong access controls. Our scan checks the technical requirements that can be verified externally — TLS strength, security headers, exposed admin panels, and common misconfigurations.

How do I detect a Magecart card skimmer on my store?

Look for unauthorized JavaScript loaded on checkout pages, especially from unfamiliar domains. Check for SRI hashes on third-party scripts and enforce a strict Content-Security-Policy. Our scanner detects suspicious script loading patterns.
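The manual check described above, as an added example (not the scanner's own code): it lists checkout-page scripts served from hosts outside an allowlist, third-party scripts without an SRI hash, and weak sources in the effective CSP script-src. The sample page, the hostnames, and the `audit_checkout` helper with its `page_host` and `allowed_hosts` parameters are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout markup and CSP header (not from a real store).
SAMPLE_HTML = """
<script src="/assets/cart.js"></script>
<script src="https://js.payments.example/v3.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="//static.unknown-widgets.example/w.js"></script>
"""
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://js.payments.example 'unsafe-inline'"
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:")

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity") or ""))

def script_sources(csp):
    """Effective script-src list (falls back to default-src); None if neither is set."""
    directives = {}
    for part in csp.lower().split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return directives.get("script-src", directives.get("default-src"))

def audit_checkout(html, csp, page_host, allowed_hosts):
    """Return (finding, detail) tuples for script-loading risks on one page."""
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host is None or host == page_host:
            continue
        if host not in allowed_hosts:
            findings.append(("unknown-host", src))
        if not integrity.startswith(("sha256-", "sha384-", "sha512-")):
            findings.append(("missing-sri", src))
    sources = script_sources(csp or "")
    if sources is None:
        return findings + [("csp-no-script-src", "")]
    return findings + [("csp-weak-source", w) for w in WEAK_SOURCES if w in sources]
```

Run it against the rendered checkout HTML and the `Content-Security-Policy` response header after each deployment; a new `unknown-host` finding is the signal to investigate first.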

Does the scanner work on Shopify, WooCommerce, and Magento?

Yes. The scanner is platform-agnostic — it tests any publicly accessible website including Shopify stores, WooCommerce/WordPress shops, Magento, BigCommerce, and custom ecommerce builds.

What's the most critical security issue for ecommerce?

Checkout-page JavaScript integrity. A single compromised script on your checkout page can steal every customer's payment data. Enforce strict CSP, use SRI hashes on all third-party scripts, and monitor for unauthorized changes.

How often should I scan my ecommerce site?

PCI DSS requires quarterly vulnerability scans at minimum. For production stores, we recommend scanning after every deployment and at least weekly. Automated scanning catches configuration drift and newly disclosed CVEs.

Protect your customers and revenue

Free, instant, no signup. Detailed vulnerability report with fix instructions.
