// free security scanner

See what your site reveals.

An instant, read-only report on your HTTPS, security headers, TLS certificate and accidentally-public files. We only read what your site already returns — nothing is attacked, and nothing is stored on your device.

passive & safe · 12 signals checked · results in seconds

// what we look at

A quick, honest health check

HTTPS & redirects
Confirms encrypted traffic and that HTTP upgrades to HTTPS.
Security headers
HSTS, CSP, X-Frame-Options, Referrer-Policy and more.
TLS certificate
Whether the certificate is valid and how soon it expires.
Cookie hardening
Checks the Secure and HttpOnly flags on cookies.
Version disclosure
Flags server software that reveals its exact version.
Exposed files
Looks for public /.git/ and /.env — a common, serious leak.
Is this safe and legal to run?

Yes. It only reads publicly returned information — the same response your browser gets — and sends no attack traffic. Private and internal addresses are refused.

Does a good grade mean my site can't be hacked?

No. This covers front-line hygiene: headers, TLS and exposures. It's a strong first indicator, not a full penetration test.

Do you store the result?

We keep a private record of scans to improve the tool. Nothing is stored on your device and there are no cookies.

Whirl DesignsTypically replies within a day
Hi! 👋 Tell us a little about you and we'll get right back to you.