Web Security Scanner

// Select Platform

✔ 🔷 WordPress

✔ 🔺 Laravel

✔ ⚛️ React

✔ 🟢 Node.js

✔ 🐘 PHP

✔ 🐍 Python

// WordPress selected — enter full URL — no signup required

► Initializing scan...

-- SCORE

Critical Issues

Warnings

Passed Checks

Information

ℹ Note: This scanner performs passive, non-intrusive checks via HTTP header inspection and public path probing. No data is stored — processing happens in your browser. Your URL is sent only to api.allorigins.win (open-source CORS proxy). For a full penetration test, consult a security professional.

Universal Checks — All Platforms

Check	What is tested	Severity
HTTPS Enforced	URL uses https:// — encrypted transport active	Critical
HSTS Header	Strict-Transport-Security prevents SSL stripping	Warning
X-Frame-Options	Prevents clickjacking via iframe embedding	Warning
X-Content-Type-Options	nosniff prevents MIME-type XSS attacks	Warning
Content-Security-Policy	Script source whitelist; prevents XSS	Warning
Referrer-Policy	Controls URL leakage via Referer header	Info
Server Header Leak	Server/X-Powered-By exposing software version	Warning

Platform-Specific Checks

WordPress: xmlrpc.php, readme.html, license.txt, install.php, debug.log, REST API user enum, version disclosure.

Laravel: .env file, storage/logs/laravel.log, Telescope (/telescope), Debug Bar (/_debugbar), phpinfo.php, .git/HEAD, composer.json.

React / Next.js: .env file, JS source maps (.js.map), .git/HEAD, robots.txt review, /api/auth endpoint check.

Node.js: .env file, package.json, node_modules directory, .git/HEAD, .npmrc, /api-docs Swagger exposure.

PHP: phpinfo.php, .env file, /phpmyadmin/, .git/HEAD, config.php, error_log file.

Python (Django/Flask): .env file, requirements.txt, /admin/ panel, /__debug__/ toolbar, .git/HEAD, /api/schema/ exposure.

Score Calculation

Score starts at 100. Each Critical deducts 20 pts. Each Warning deducts 8 pts. Minimum 0. Score ≥75 = green, ≥50 = amber, <50 = red.

Standards Applied

OWASP Top 10

Checks map to A02 (sensitive data exposure), A03 (injection/XSS), A05 (security misconfiguration), A07 (auth failures).

OWASP Secure Headers

All 5 HTTP headers align with OWASP Secure Headers Project used by Mozilla Observatory and security professionals worldwide.

CWE / MITRE

CWE-16 (Configuration), CWE-200 (Information Exposure), CWE-693 (Missing Security Header), CWE-732 (Incorrect Permissions).

RFC 6797 (HSTS)

HSTS check follows IETF RFC 6797 defining Strict-Transport-Security header enforcement and browser behaviour.

Laravel Security

Laravel checks align with the Laravel Security Checklist and OWASP PHP framework recommendations.

Django / OWASP Python

Python checks follow Django Security documentation and the OWASP Python Security Project guidelines.

Node.js Best Practices

Node.js checks align with the OWASP Node.js Security Cheat Sheet and Express.js security best practices.

WPScan Methodology

WordPress checks align with WPScan (Kali Linux standard) — same exposed paths, version disclosure, and REST API enumeration.

Technical Method — Step by Step

#	Step	Detail
01	Platform Selection	User selects stack. Platform-specific check set is loaded alongside universal header/HTTPS checks.
02	URL Validation	Input parsed with native URL() API. https:// auto-added if missing. Origin extracted to avoid path leakage.
03	Header Fetch	Homepage fetched via api.allorigins.win CORS proxy. Response headers and body returned as JSON. Headers normalized to lowercase.
04	Platform Detection	Response body and headers scanned with regex patterns to confirm the selected platform is present.
05	Header Audit	6 universal security headers checked by exact key lookup. Presence = pass, absence = warning/info per severity classification.
06	Path Probing	Platform-specific sensitive paths probed via allorigins proxy. HTTP 200–399 = accessible (bad). 404/403 = blocked (good). 8s timeout.
07	Scoring	100 − (criticals×20) − (warnings×8), clamped to [0,100]. Animated SVG ring with colour thresholds at 75 and 50.

Passive / Non-Intrusive

All checks are read-only. No login attempts, no payloads, no exploits, no data stored. URL sent only to api.allorigins.win.

Cross-Verify Results

securityheaders.com

Best for: All HTTP header checks. Industry gold standard — A–F grade should match our header findings. Discrepancies may be caused by CDN conditional headers.

observatory.mozilla.org

Best for: Headers + HTTPS + cookies. Mozilla uses same OWASP standards. Passing our header checks should yield B+ here.

curl -I (terminal)

Best for: Raw header verification. curl -I https://yoursite.com shows exact server-level response — most reliable.

Browser DevTools

Best for: Quick check. F12 → Network → page request → Response Headers. Zero tools needed.

Direct URL test

Best for: Path exposure. Manually visit flagged paths in browser. Content visible = file is exposed. 404 = blocked correctly.

ssllabs.com/ssltest

Best for: Full TLS audit. Cipher suites, certificate chain, HSTS preloading, expiry. Free, no login.

What This Scanner Cannot Detect

SQL injection / XSS vulnerabilities — Requires sending crafted payloads. Use Burp Suite, OWASP ZAP, or a penetration tester.
Authentication weaknesses — Cannot test rate limiting, 2FA, or brute-force protection without sending login attempts.
Malware / backdoors — Requires file-system access. Use Sucuri SiteCheck, ClamAV, or platform-specific integrity checkers.
Outdated dependencies / CVEs — Requires a CVE database lookup. Use Snyk, npm audit, composer audit, or WPScan.
Database security — Cannot check DB user privileges, exposed ports, or insecure connections.
File permissions — Server-side permission checks require direct access (SSH, FTP).
SSL certificate expiry / cipher strength — Use ssllabs.com/ssltest for a full TLS audit.
WAF-filtered results — Cloudflare, Sucuri WAF, or Akamai may return 403 for all paths, masking real exposure. Use curl or browser to verify.
Email security (SPF/DKIM/DMARC) — Out of scope. Use mxtoolbox.com to audit email sender records.

Web SecurityScanner

Web Security
Scanner