Free Website Security Scanner — Headers, HTTPS, TLS
Paste any URL. Get an A-F grade plus per-issue fix guidance for Content-Security-Policy (with strict-dynamic detection most checkers get wrong), HSTS, X-Frame-Options, Referrer-Policy, mixed content, insecure cookies, and exposed sensitive paths (.env / .git / staging URLs).
Free first scan · No credit card required
What is a website security scanner?
A website security scanner checks your site for missing defences: HTTPS that is not enforced, missing security headers, expired TLS certificates, mixed content, and admin or staging URLs that were exposed by mistake. The scan is read-only and safe to run against a live site. It catches the class of issues that browsers and search engines use as trust signals.
Who is it for?
Small business owners and marketing teams, agencies that do not have a dedicated security engineer, and developers who want a fast second opinion on headers and TLS before a launch.
What problem does it solve?
Missing security headers are invisible to visitors. They are very visible to search engines, browsers, and attackers. A site without HSTS is one downgrade attack away from intercepted traffic. A site without Content Security Policy is one XSS bug away from a credential harvest. Seoxpert flags these before someone else finds them. Each finding includes a plain-English fix.
What features are included?
- HTTPS enforcement: catches HTTP-only URLs, mixed content, redirect loops, and HTTP-to-HTTPS redirect gaps.
- Strict-Transport-Security (HSTS): presence, max-age, includeSubDomains, preload readiness.
- Content Security Policy: presence, unsafe-inline, unsafe-eval, wildcard sources.
- Other headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- TLS and certificates: expiry warnings, weak protocol versions, hostname mismatches.
- Exposed surfaces: accessible .env, .git, admin, staging, and backup URLs.
- Supply-chain hygiene: Subresource Integrity on cross-origin scripts.
- Cookies: Secure, HttpOnly, SameSite flags on set cookies.
Full list on the coverage page. See also the most common security issues and the website compliance checker for GDPR + cookie-consent audits.
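To make the header and cookie checks listed above concrete, here is an added example (not Seoxpert's code) that audits HSTS, CSP and Set-Cookie flags, including the nonce and `strict-dynamic` cases where browsers ignore `unsafe-inline` and host or scheme sources. The finding ids, the `audit` function and the sample responses are hypothetical and constructed for illustration.

```python
import re
TRUST_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def audit(headers, set_cookies=()):
    """Return finding ids for a response's headers and raw Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append("hsts-missing")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        # Preload list requirements: >= 1 year, includeSubDomains, preload.
        if not (max_age >= 31536000 and "includesubdomains" in parts and "preload" in parts):
            out.append("hsts-not-preload-ready")
    csp = h.get("content-security-policy")
    if csp is None:
        out.append("csp-missing")
    else:
        policy = {}
        for part in csp.split(";"):
            tokens = part.lower().split()  # lowercased for analysis only
            if tokens:
                policy.setdefault(tokens[0], tokens[1:])  # first duplicate wins
        src = policy.get("script-src", policy.get("default-src"))
        if src is None:
            out.append("csp-scripts-unrestricted")
        src = set(src or [])
        trusted = any(s.startswith(TRUST_PREFIXES) for s in src)  # nonce or hash
        # Browsers ignore 'unsafe-inline' once a nonce/hash is present, and
        # ignore host/scheme sources when 'strict-dynamic' accompanies one.
        if "'unsafe-inline'" in src and not trusted:
            out.append("csp-unsafe-inline")
        if "'unsafe-eval'" in src:
            out.append("csp-unsafe-eval")
        if {"*", "http:", "https:"} & src and not (trusted and "'strict-dynamic'" in src):
            out.append("csp-wildcard-source")
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.split("=", 1)[0].strip().lower() for a in raw.split(";")[1:]}
        out += [f"cookie-{name}-no-{f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
    return out

# Constructed sample responses (not taken from any real site).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=86400", "Content-Security-Policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"}
STRICT_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload", "Content-Security-Policy": "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'"}
WEAK_COOKIES, STRICT_COOKIES = ["sid=abc; Path=/; HttpOnly"], ["sid=abc; Secure; HttpOnly; SameSite=Lax"]
```

The strict sample still contains `'unsafe-inline'` and `https:` as fallbacks for older browsers, which is why a checker that flags those tokens without looking for the nonce and `'strict-dynamic'` reports a false positive.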
How much does it cost?
Three tiers, no surprises:
- Free — $0: 4 scans/month, 1 domain, weekly+ scheduled scans + regression alerts. No card required.
- Pro — €19.99/month: 100 scans, 10 domains, API access, deploy hooks.
- Agency — €89/month: 500 scans, 50 domains, daily + weekday schedules, white-label reports.
Full pricing on the pricing page.
What makes it different?
Most free security scanners check one thing in isolation (headers, or TLS, or exposed files) and leave you to stitch the picture together. Seoxpert runs all the HTTP-layer security checks alongside SEO and performance in a single scan, so the team can see the whole posture without running three tools. For teams that already use Mozilla Observatory or securityheaders.com, Seoxpert replaces those as a one-stop audit and adds scheduled monitoring so a silently-broken deploy does not stay broken.
When should someone not use it?
Seoxpert is an HTTP-layer scanner. It does not perform application-level vulnerability scanning (SQL injection, XSS probing, CSRF testing), network-layer penetration testing, or source-code review. If you need PCI DSS or HIPAA compliance attestation, treat Seoxpert as one input among several — not a substitute for a specialist pentest or a code audit.
Frequently asked questions
Is the security scanner safe to run against a live production site?
Yes. Seoxpert only makes read-only HTTP requests that a normal search-engine crawler would make. No exploit attempts, brute-force probes, or destructive calls.
Will the scan show up as suspicious traffic in my logs?
The crawler identifies itself with a Seoxpert user-agent and honours robots.txt. Rate limiting is conservative. Some WAFs may still rate-limit or challenge the scan; if that happens the scan will report partial results rather than crash.
Does Seoxpert check the SSL certificate expiry?
Yes. Certificate expiry warnings, weak TLS protocol versions, and hostname mismatches are flagged with severity labels.
Can I set up alerts when a security header is removed?
Yes. Every plan including free supports scheduled scans with regression alerts (weekly+ on free; daily and weekdays on Agency), so if HSTS disappears from a deploy you see it the next morning, not when a customer complains.