Free, no signup

How secure is your website?

Paste your address and find out in seconds. The scanner checks your home page and DNS the way a browser and an attacker do, then hands you a copy-paste AI fix for every issue it finds.

We read your home page only. No login, nothing to install, nothing stored.

  • Security headers
  • HTTPS and cookies
  • DNS and email auth
  • Exposed secrets
  • Clickjacking
How it works

How to check if a website is secure

Paste your address, read the score, paste the AI fixes. No account, no install, no security knowledge needed.

  1. Paste your website address

    Type your domain and run the check. No account, no install, nothing to verify. The scanner reads your public home page and your DNS, the same way a browser or an attacker would.

  2. Read your security score

    You get a score out of 100, weighted by severity, with every issue found on your home page listed from critical to minor: missing security headers, weak HTTPS, insecure cookies, exposed secrets, email spoofing risk and more.

    Security headers: Critical
    Cookie flags: Warning
    Email spoofing (SPF, DMARC): Warning
    HTTPS and certificate: Pass
  3. Fix each issue with the AI prompt

    Every issue comes with a plain explanation and a ready-to-paste prompt. Drop it into ChatGPT, Claude or Cursor and the fix is written for you, no security knowledge needed.

What it checks

Everything the padlock does not tell you

The padlock only means the connection is encrypted. The scanner checks the rest, the configuration an attacker actually looks for, with a passive read of your home page and DNS.

01

Security headers

Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy, the browser-level defenses against injection, clickjacking and downgrade attacks.

02

HTTPS and cookies

Whether your site forces HTTPS and sets session cookies with the Secure and HttpOnly flags, so page scripts cannot read them and they are never sent in the clear.

03

DNS and email spoofing

SPF, DMARC and DNSSEC, so nobody can send an email that looks like it came from your domain or hijack your DNS records.

04

Exposed secrets

API keys, tokens and credentials accidentally shipped in the code your home page sends to every visitor.

05

Clickjacking and framing

Whether your pages can be loaded inside a hidden frame on another site to trick your visitors into clicking things.

06

Content and mixed loading

Forms posting over plain HTTP, mixed content, and other leaks that browsers warn your visitors about.
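
An added example, not the scanner's own code: a passive check of the five headers and two cookie flags listed above, run over a constructed response head. Accepting CSP `frame-ancestors` in place of X-Frame-Options is this example's own choice, and the function names are hypothetical.

```python
# Added example: passive audit of one captured response head.
REQUIRED_HEADERS = [
    "content-security-policy", "strict-transport-security",
    "x-frame-options", "x-content-type-options", "referrer-policy",
]

# Constructed sample, not taken from any real site.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """List missing security headers and cookies lacking Secure/HttpOnly."""
    pairs = parse_head(raw)
    present = dict(pairs)
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]
    # Assumption of this example: frame-ancestors in CSP also restricts framing.
    if "frame-ancestors" in present.get("content-security-policy", "").lower():
        findings = [f for f in findings if f != "missing header: x-frame-options"]
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower().split("=")[0] for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie}: missing {flag}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
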

FAQ

Checking a website, answered

Still unsure about something? Ask us and we answer fast.

Paste the website address into the scanner above and run it. In a few seconds you get a security score and every issue found on the home page: missing security headers, weak HTTPS, insecure cookies, exposed secrets, and email spoofing risk. You can also look for the padlock and https in the address bar, but that only tells you the connection is encrypted, not that the site is configured safely. A scan checks the things the padlock does not.

Yes, it is completely free and there is no signup. You paste your URL and get the result for your home page in seconds. To scan every page, get a fix for every issue, and re-scan automatically each week with an alert when something breaks, you can create a free Amabrik account.

The free check scans your home page, which is enough to surface most configuration issues, since headers, HTTPS, cookies and DNS are usually set site-wide. To crawl every page and keep watching over time, the full scan inside Amabrik does that.

Every issue comes with a plain explanation and a ready-to-use prompt. You copy that prompt into ChatGPT, Claude or Cursor and it applies the fix for you, written for the person who built the site, not a security engineer.

Yes. The scanner only does passive checks: it reads the public home page and DNS records. It never logs in, never attacks the site, and never changes anything, so it is safe to run on your own site.

A secure website forces HTTPS with a valid certificate, sets the right security headers (CSP, HSTS, X-Frame-Options), keeps session cookies Secure and HttpOnly, has email authentication (SPF and DMARC) so its domain cannot be spoofed, and ships no secret keys in its public code. The scanner checks each of these and tells you which are missing.

Check it whenever you ship changes, and at least once a month. A new plugin, script or config change can quietly open a hole, so continuous monitoring catches problems you would otherwise miss until it is too late.