Free URL Security Scanner
14 security checks.
30 seconds. Free.
Enter any URL and get an instant security assessment. No account required. No credit card. Just results.
Powered by codelake's security engine. Your URL is scanned in real time — nothing is stored.
14 Automated Checks
Comprehensive surface-level security assessment.
Each check examines a different aspect of your website's security posture — from HTTP headers to exposed files to technology fingerprinting.
HTTP Security Headers
Checks for Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS.
SSL/TLS Configuration
Validates certificate chain, protocol versions (TLS 1.2+), cipher suites, certificate expiry, and HSTS preload eligibility.
Cookie Security
Checks all cookies for the Secure, HttpOnly, and SameSite attributes. Flags session cookies without proper security flags.
CORS Configuration
Tests Cross-Origin Resource Sharing headers for overly permissive configurations, wildcard origins, and credential leaks.
Open Redirects
Tests common redirect parameters for open redirect vulnerabilities that could be used in phishing attacks.
Exposed Files
Checks for .env, .git/config, .DS_Store, wp-config.php, server-status, phpinfo, and 30+ commonly exposed paths.
API Key Leaks
Scans page source, JavaScript files, and inline scripts for exposed API keys, tokens, and credentials in client-side code.
Technology Fingerprinting
Identifies server software, frameworks, CMS, and JavaScript libraries with version numbers. Flags outdated components with known CVEs.
Server Information Leaks
Checks for verbose Server headers, X-Powered-By, stack traces in error pages, and debug mode indicators.
Subresource Integrity
Verifies that external scripts and stylesheets use SRI hashes to prevent supply chain attacks via CDN compromise.
Mixed Content
Detects HTTP resources loaded on HTTPS pages — images, scripts, stylesheets, and iframes that break the security chain.
Form Security
Checks forms for HTTPS action URLs, autocomplete on sensitive fields, CSRF token presence, and proper input types.
DNS Configuration
Checks SPF, DKIM, and DMARC records. Validates DNSSEC. Tests for zone transfer vulnerabilities and dangling DNS records.
robots.txt & Sitemap
Analyzes robots.txt for accidentally disclosed admin paths and sensitive directories. Checks sitemap for hidden endpoints.
How It Works
Three steps. Zero friction.
Enter your URL
Paste any public URL. No sign-up, no API key, no configuration. Just a URL.
Wait 30 seconds
All 14 checks run simultaneously against your URL. Watch results appear in real time as each check completes.
Get your report
Receive an A-F security grade with detailed findings, explanations, and actionable fix recommendations for every issue.
Severity Grading
Clear grading. Actionable recommendations.
Every FreeScan result gets an overall security grade from A to F, with individual pass/fail results for each of the 14 checks.
Excellent
All critical checks pass. Security headers, SSL, and cookies are properly configured.
Good
Minor issues found. Missing optional headers or minor SSL configuration improvements needed.
Fair
Several security gaps. Missing important headers, weak cookie configuration, or outdated technologies.
Poor
Significant security issues. Exposed files, API key leaks, or critical misconfigurations found.
Critical
Severe security failures. Open redirects, exposed sensitive files, missing SSL, or active credential leaks.
Example Report
What a FreeScan report looks like.
Scan result for https://example-app.com
Scan any URL. Free. No sign-up.
Get your security grade in 30 seconds. Share it with your team. Fix the issues. Then scan again to see your improvement.