38 Security Checks
What SecurityStatus Scans
SecurityStatus runs 38 automated security checks across your domain every time you scan — covering encryption, email security, HTTP headers, infrastructure exposure, and threat intelligence. No agents, no installation, no DNS changes required.
Free vs Paid
Full security scan on every plan. Paid plans unlock alerts, reports, and more domains.

| Plan | Price | Includes |
|---|---|---|
| Free | $0, forever, 1 domain | Full security scan, security score and grade, remediation guidance, manual rescans, last 3 scans in history |
| Yearly (most popular) | $29/year (regular price $49/year, save $20) | Everything in Free, plus full scan history, email alerts on findings, embeddable security widget, PDF security reports, priority support |
| Lifetime (best value) | $59 one-time (regular price $99, save $40) | Everything in Yearly, plus 5 domains monitored, all future features included, early access to new checks, dedicated support, never pay again |
All 38 Security Checks
Every check we run, grouped by category. All included in the free scan.
Encryption
| Check | Severity | Plan | Description |
|---|---|---|---|
| SSL/TLS Certificate | critical | Free | Your SSL/TLS certificate is the foundation of trust between your website and every visitor. |
| HTTPS Redirect | high | Free | Even if your site has a valid SSL certificate, visitors who type your domain without 'https://' may land on the insecure HTTP version. |
| Certificate Transparency | high | Free | Certificate Transparency (CT) is a system of public, append-only logs; browsers require publicly trusted SSL/TLS certificates to be logged, so the logs reveal every certificate issued for your domain, including ones you did not request. |
| Subdomain SSL Coverage | high | Free | Your main domain may have a perfect SSL certificate while subdomains like api. |
DNS
| Check | Severity | Plan | Description |
|---|---|---|---|
| SPF Record | high | Free | SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email on behalf of your domain. |
| DMARC Record | high | Free | DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together SPF and DKIM to tell receiving mail servers what to do when an email fails authentication. |
| DKIM Record | medium | Free | DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email headers, which receivers verify against a public key published in your DNS. |
| DNSSEC | low | Free | DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses have not been tampered with in transit. |
| CAA Records | low | Free | Certification Authority Authorization (CAA) records are DNS entries that specify which Certificate Authorities are permitted to issue SSL certificates for your domain. |
| MTA-STS | medium | Free | MTA-STS (Mail Transfer Agent Strict Transport Security) publishes a policy telling sending mail servers that support it to deliver to your domain only over TLS with a valid certificate for your MX hosts, instead of silently falling back to plaintext. |
| TLS-RPT | low | Free | TLS-RPT (TLS Reporting) is a DNS record that tells sending mail servers where to send reports when they encounter TLS issues while delivering email to your domain. |
| BIMI Record | info | Free | BIMI (Brand Indicators for Message Identification) is a DNS standard that lets you display your brand logo next to your emails in supporting inboxes like Gmail and Apple Mail. |
| Email Spoofing Risk | critical | Free | Email spoofing is when an attacker sends emails that appear to come from your domain. |
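The SPF, DMARC and Email Spoofing Risk checks above all reduce to reading two DNS TXT records and judging the policy they express. The following is an added example of that evaluation, written for this page and not SecurityStatus's own code: it parses an SPF record (the qualifier on `all`, and the number of DNS-lookup terms RFC 7208 caps at 10) and a DMARC record (`p=`, `pct=`, `rua=`), then rolls the findings into a spoofing-risk level. The sample records, the fictional domains and the risk weighting are all constructed for the example.

```python
"""Evaluate a domain's email-authentication posture from DNS TXT records.

Added example (not SecurityStatus code). The records below are constructed;
a real check would query TXT for <domain> and _dmarc.<domain> first.
"""
from dataclasses import dataclass, field

# SPF terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "ptr", "a:", "a/", "mx:", "mx/")


@dataclass
class EmailAuthReport:
    findings: list = field(default_factory=list)
    score: int = 0          # higher is worse; assumed weighting, not SecurityStatus's
    risk: str = "low"


def parse_spf(record):
    """Return (qualifier of the 'all' term or None, number of DNS-lookup terms)."""
    all_qualifier, lookups = None, 0
    for tok in record.split()[1:]:          # skip the v=spf1 version tag
        qual, mech = (tok[0], tok[1:]) if tok[0] in "+-~?" else ("+", tok)
        mech = mech.lower()
        if mech == "all":
            all_qualifier = qual
        elif mech in ("a", "mx") or mech.startswith(LOOKUP_PREFIXES):
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_email_auth(domain_txt, dmarc_txt):
    """domain_txt: TXT records of the domain; dmarc_txt: TXT records of _dmarc.<domain>."""
    r = EmailAuthReport()

    def flag(weight, message):
        r.findings.append(message)
        r.score += weight

    spf_records = [t for t in domain_txt if t.lower().startswith("v=spf1")]
    if not spf_records:
        flag(3, "no SPF record: receivers cannot tell which hosts may send as this domain")
    elif len(spf_records) > 1:
        flag(3, "multiple SPF records: receivers return permerror, so SPF protects nothing")
    else:
        qual, lookups = parse_spf(spf_records[0])
        if qual is None:
            flag(2, "SPF has no 'all' term: unlisted senders evaluate to neutral")
        elif qual == "+":
            flag(3, "'+all' authorises every host on the internet to send as this domain")
        elif qual == "?":
            flag(2, "'?all' is neutral: SPF never fails for unlisted senders")
        if lookups > 10:
            flag(3, f"SPF needs {lookups} DNS lookups (limit 10): permerror, SPF is ineffective")

    dmarc_records = [t for t in dmarc_txt if t.lower().startswith("v=dmarc1")]
    if not dmarc_records:
        flag(3, "no DMARC record: receivers will not enforce alignment or reject spoofed mail")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            flag(2, "DMARC p=none only monitors: spoofed mail is still delivered")
        elif policy in ("quarantine", "reject"):
            if policy == "quarantine":
                flag(1, "DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
            if pct < 100:
                flag(1, f"DMARC pct={pct}: only that share of failing mail gets the policy")
        else:
            flag(3, "DMARC record has no valid p= tag: receivers ignore it")
        if "rua" not in tags:
            flag(0, "no rua= address: aggregate reports are not being collected")

    r.risk = ("critical" if r.score >= 5 else "high" if r.score >= 3
              else "medium" if r.score >= 1 else "low")
    return r


if __name__ == "__main__":
    # Constructed records for a fictional domain: the classic "looks configured, protects nothing" case.
    report = evaluate_email_auth(["v=spf1 +all"],
                                 ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"])
    print(report.risk, *report.findings, sep="\n  ")
```

The point the example makes is that the presence of records is not the check: `+all` plus `p=none` yields a critical rating even though both records exist, while a single `-all` record with `p=reject` scores clean.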
Headers
| Check | Severity | Plan | Description |
|---|---|---|---|
| Security Headers | critical | Free | HTTP security headers are instructions your web server sends to browsers telling them how to handle your content. |
| Cookie Security | medium | Free | Cookies store session tokens, authentication credentials, and user preferences. |
| CORS Configuration | critical | Free | CORS (Cross-Origin Resource Sharing) is the browser mechanism that decides which other origins may read responses from your server; a misconfiguration, such as reflecting any Origin while allowing credentials, lets a malicious site make authenticated requests as your logged-in users. |
| Clickjacking Protection | medium | Free | Clickjacking is an attack where a malicious website embeds your site in a hidden or transparent iframe and tricks users into clicking on your site's buttons — like confirming a purchase, changing account settings, or clicking Like on social media — without realising it. |
| Third-Party Script Risk | high | Free | Every third-party script you load on your website — analytics, chat widgets, advertising, A/B testing tools — runs with full access to your page. |
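The five Headers checks above all work from a single HTTP response: its security headers, its Set-Cookie lines and its CORS reply to a probe request. The block below is an added example of that grading, written for this page and not SecurityStatus's own code. It checks HSTS (and its max-age), CSP (and `unsafe-inline`/`unsafe-eval` on script sources), clickjacking protection (X-Frame-Options or CSP `frame-ancestors`), cookie flags, and whether the server reflects an attacker-controlled Origin with credentials. The two header sets, the origin `https://evil.test`, the severity weights and the grade bands are constructed assumptions.

```python
"""Grade HTTP response headers for HSTS, CSP, clickjacking, cookie flags and CORS.

Added example (not SecurityStatus code). The header sets below are constructed;
a real check would fetch the page and read the live response headers.
"""
import re

# Assumed weights and grade bands; SecurityStatus's own scale is not published here.
WEIGHTS = {"critical": 40, "high": 20, "medium": 10, "low": 5}
ONE_YEAR = 31536000


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lowercase attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def csp_directives(csp):
    """Map directive name -> list of source tokens for a CSP header value."""
    out = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers, request_origin):
    """headers: lowercase-keyed dict, Set-Cookie as a list.
    request_origin: the Origin header we sent; use one you do not control legitimately,
    so that an echo of it means the server reflects arbitrary origins."""
    findings = []

    def flag(sev, msg):
        findings.append((sev, msg))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        flag("high", "no Strict-Transport-Security: first visit over http:// can be intercepted")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            flag("medium", "HSTS max-age is below one year")

    csp = headers.get("content-security-policy")
    directives = csp_directives(csp) if csp else {}
    if csp is None:
        flag("high", "no Content-Security-Policy: injected scripts run unrestricted")
    else:
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            flag("medium", "CSP allows unsafe-inline/unsafe-eval for scripts")

    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        flag("high", "no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        flag("low", "no X-Content-Type-Options: nosniff")
    if "referrer-policy" not in headers:
        flag("low", "no Referrer-Policy")

    for sc in headers.get("set-cookie", []):
        name, attrs = cookie_attrs(sc)
        for attr, sev in (("secure", "medium"), ("httponly", "medium"), ("samesite", "low")):
            if attr not in attrs:
                flag(sev, f"cookie {name!r} lacks {attr}")

    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == request_origin and creds:
        flag("critical", f"CORS reflects arbitrary origin {request_origin} with credentials")
    elif acao == "null" and creds:
        flag("high", "CORS allows the 'null' origin with credentials")
    elif acao == "*":
        flag("info", "CORS allows any origin (acceptable only for truly public data)")

    score = max(0, 100 - sum(WEIGHTS.get(sev, 0) for sev, _ in findings))
    grade = ("A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70
             else "D" if score >= 60 else "F")
    return {"score": score, "grade": grade, "findings": findings}


# Constructed responses: a weak deployment and its hardened counterpart.
WEAK = {
    "set-cookie": ["session=abc123; Path=/", "theme=dark; Path=/; Secure; SameSite=Lax"],
    "access-control-allow-origin": "https://evil.test",      # echo of our probe Origin
    "access-control-allow-credentials": "true",
}
HARDENED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "access-control-allow-origin": "https://app.example.test",  # fixed allow-list entry
    "access-control-allow-credentials": "true",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        result = check_headers(hdrs, "https://evil.test")
        print(label, result["grade"], result["score"], *result["findings"], sep="\n  ")
```

Note that the CORS test only means something if the probe Origin is one the site has no reason to allow; sending the site's own origin and seeing it echoed proves nothing.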
Infrastructure
| Check | Severity | Plan | Description |
|---|---|---|---|
| Open Port Scanner | critical | Free | Open ports on your server represent services accessible from the internet. |
| Admin Panel Exposure | critical | Free | Admin panels give full control over your website and application. |
| Sensitive File Exposure | critical | Free | Sensitive files accidentally left accessible on web servers are a goldmine for attackers. |
| API Endpoint Exposure | high | Free | APIs power modern web applications, but improperly secured API endpoints can expose sensitive data or allow unauthorised actions. |
| Cloud Storage Exposure | critical | Free | Cloud storage buckets — AWS S3, Azure Blob Storage, Google Cloud Storage — are frequently misconfigured to allow public read or write access. |
| CVE Detection | critical | Free | CVE (Common Vulnerabilities and Exposures) detection identifies known vulnerabilities in the software your server is running. |
| Subdomain Takeover | high | Free | A subdomain takeover occurs when a DNS record still points to an external service (such as a GitHub Pages site, a Heroku app, or an S3 bucket) that has been deleted, so anyone can claim that name on the service and serve content under your subdomain. |
| Technology Fingerprint | high | Free | Technology fingerprinting is the process of identifying what software powers a website — web server, CMS, frameworks, libraries, and their versions. |
| WAF Detection | medium | Free | A Web Application Firewall (WAF) sits in front of your web application and filters malicious traffic — blocking SQL injection, XSS, path traversal, and other attacks before they reach your application code. |
| Directory Listing | high | Free | Directory listing is a web server feature that, when enabled, shows the contents of directories that do not have an index file. |
| Blacklist Check | high | Free | Blacklists are databases of IP addresses and domains known for sending spam, hosting malware, or serving phishing pages. |
| Admin Panel Discovery | high | Free | Admin panel discovery goes beyond checking common paths — it actively probes for less obvious admin URLs, non-standard ports, and framework-specific admin interfaces that may have been left accessible. |
| API Endpoint Discovery | medium | Free | API endpoint discovery probes your domain for API endpoints that may not be intentionally documented or public. |
Intelligence
| Check | Severity | Plan | Description |
|---|---|---|---|
| Subdomain Discovery | info | Free | Subdomain discovery maps your complete external attack surface by finding all subdomains associated with your domain. |
| Dark Web Exposure | high | Free | Dark web exposure monitoring checks whether credentials, email addresses, or data from your domain have appeared in breach databases traded and sold on dark web forums. |
| Security.txt | info | Free | Security. |
| Typosquatting Monitor | info | Free | Typosquatting is the registration of domains that closely resemble yours — with a character swapped, a hyphen added, or a different TLD — to trick users into visiting a fake version of your site. |
| WHOIS & Domain Age | info | Free | WHOIS records contain domain registration information: who registered the domain, when, with which registrar, and when it expires. |
| GitHub Secret Scan | high | Free | Developers accidentally commit secrets — API keys, database passwords, private keys, and access tokens — to Git repositories far more often than you might think. |
| Google Safe Browsing | critical | Free | Google Safe Browsing is a list of URLs known to host malware, unwanted software, or phishing; Chrome, Firefox, Safari, and many other browsers consult it and show a full-page warning before loading a flagged site. |
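The Typosquatting Monitor description above names the three mutation kinds it looks for: a swapped character, an added hyphen, and a different TLD. The block below is an added example, written for this page and not SecurityStatus's own code, that generates those candidates for a domain, and goes a little beyond the text by also producing single-character omissions and a few digit look-alikes. The input domain, the alternative TLD list and the homoglyph table are constructed assumptions, and the generator assumes a single-label TLD (it would mis-split `example.co.uk`).

```python
"""Generate typosquat candidates for a domain.

Added example (not SecurityStatus code). A real monitor would then resolve each
candidate and flag the ones that are registered or pointing at live web servers.
"""

# Constructed assumptions: a short alternative-TLD list and a few digit look-alikes.
ALT_TLDS = ("com", "net", "org", "co", "io")
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def typosquat_candidates(domain):
    """Return the set of look-alike domains for `domain` (assumes a single-label TLD)."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()

    # Adjacent characters swapped: "exmaple.com"
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)

    # One character omitted: "exmple.com"
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + tld)

    # A hyphen inserted between two characters: "exam-ple.com"
    for i in range(1, len(label)):
        out.add(label[:i] + "-" + label[i:] + "." + tld)

    # A digit that looks like the letter: "examp1e.com"
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld)

    # Same label under a different TLD: "example.net"
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(label + "." + alt)

    # Swapping two identical adjacent letters reproduces the original; never report it.
    out.discard(domain.lower())
    return out


if __name__ == "__main__":
    for candidate in sorted(typosquat_candidates("example.com")):
        print(candidate)
```

The candidate list is the cheap half of the check; the cost is in resolving every name, which is why the monitor is worth automating rather than eyeballing a registrar search once.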
Start your free scan today
No credit card required. No installation. Just your domain name.