Security headers
Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy, the browser-level defenses against injection, clickjacking and downgrade attacks.
Paste your address and find out in seconds. The scanner checks your home page and DNS the way a browser and an attacker do, then hands you a copy-paste AI fix for every issue it finds.
We read your home page only. No login, nothing to install, nothing stored.
Scan every page, get the copy-paste fix for every issue, and a re-scan every week with an email the moment something breaks. Starts with a 7-day trial, no card needed.
Paste your address, read the score, paste the AI fixes. No account, no install, no security knowledge needed.
Type your domain and run the check. No account, no install, nothing to verify. The scanner reads your public home page and your DNS, the same way a browser or an attacker would.
You get a score out of 100, weighted by severity, with every issue found on your home page listed from critical to minor: missing security headers, weak HTTPS, insecure cookies, exposed secrets, email spoofing risk and more.
Every issue comes with a plain explanation and a ready-to-paste prompt. Drop it into ChatGPT, Claude or Cursor and the fix is written for you, no security knowledge needed.
The padlock only means the connection is encrypted. The scanner checks the rest, the configuration an attacker actually looks for, with a passive read of your home page and DNS.
Whether your site forces HTTPS and sets session cookies with the Secure and HttpOnly flags, so they cannot be stolen or sent in the clear.
SPF, DMARC and DNSSEC, so nobody can send an email that looks like it came from your domain or hijack your DNS records.
API keys, tokens and credentials accidentally shipped in the code your home page sends to every visitor.
Whether your pages can be loaded inside a hidden frame on another site to trick your visitors into clicking things.
Forms posting over plain HTTP, mixed content, and other leaks that browsers warn your visitors about.
Paste the website address into the scanner above and run it. In a few seconds you get a security score and every issue found on the home page: missing security headers, weak HTTPS, insecure cookies, exposed secrets, and email spoofing risk. You can also look for the padlock and https in the address bar, but that only tells you the connection is encrypted, not that the site is configured safely. A scan checks the things the padlock does not.
Yes, it is completely free and there is no signup. You paste your URL and get the result for your home page in seconds. To scan every page, get a fix for every issue, and re-scan automatically each week with an alert when something breaks, you can create a free Amabrik account.
The free check scans your home page, which is enough to surface most configuration issues, since headers, HTTPS, cookies and DNS are usually set site-wide. To crawl every page and keep watching over time, the full scan inside Amabrik does that.
Every issue comes with a plain explanation and a ready-to-use prompt. You copy that prompt into ChatGPT, Claude or Cursor and it applies the fix for you, written for the person who built the site, not a security engineer.
Yes. The scanner only does passive checks: it reads the public home page and DNS records. It never logs in, never attacks the site, and never changes anything, so it is safe to run on your own site.
A secure website forces HTTPS with a valid certificate, sets the right security headers (CSP, HSTS, X-Frame-Options), keeps session cookies Secure and HttpOnly, has email authentication (SPF and DMARC) so its domain cannot be spoofed, and ships no secret keys in its public code. The scanner checks each of these and tells you which are missing.
Check it whenever you ship changes, and at least once a month. A new plugin, script or config change can quietly open a hole, so continuous monitoring catches problems you would otherwise miss until it is too late.