Security Scanning
Protect your visitors.
Identify security vulnerabilities before attackers do. Security misconfiguration, which includes missing or weak security headers, is category A05 in the OWASP Top 10 (2021). Our scanner checks over 40 rules including HSTS, CSP, X-Frame-Options, exposed files, and cookie flags. In our testing, fewer than 30% of websites implement all recommended headers.
Join Early Access

- $4.45M: average cost of a data breach globally
- 43% of cyber attacks target small businesses
- 277 days: average time to identify and contain a breach
What is security scanning? A website security scan (or audit) is an automated check of a site's publicly visible configuration that identifies insecure headers, exposed sensitive files, missing HTTPS enforcement, cookie misconfigurations, and Content Security Policy weaknesses.
What We Check
Comprehensive feature breakdown
Transport Security
- HTTPS and SSL/TLS certificate validation
- Mixed content detection
- HSTS header configuration
- Certificate expiry monitoring
- Protocol version checks (TLS 1.2+)
- Redirect chain security
Headers & Policies
- Content Security Policy (CSP) analysis
- X-Frame-Options validation
- X-Content-Type-Options check
- Referrer-Policy configuration
- Permissions-Policy review
- CORS configuration audit
Data Exposure
- Sensitive file exposure (.env, backups)
- Information disclosure in headers
- Directory listing detection
- Source map exposure check
- API key leakage scan
- Error message information leaks
Methodology
How we audit
HTTPS Verification
We verify your SSL/TLS configuration, certificate validity, and secure transport enforcement.
Header Analysis
Every security-related HTTP header is checked against current best practices and OWASP guidelines.
File Exposure Scan
We probe for commonly exposed sensitive files, backup files, and configuration files that should be private.
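One way to implement the probe described above, as an added Python example rather than Kritano's own code: each commonly exposed path is fetched, but a hit is only reported when the body matches a content signature for that file type and differs from what the site returns for a path that cannot exist. That second condition is what stops a "soft 404" site (one that answers 200 to every URL) from lighting up every probe. The probe list, signatures, severities and the in-memory sample site are constructed for the example; `sample_fetch` stands in for a real HTTP GET.

```python
import re
import secrets
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]  # path -> (status, body)
Finding = Tuple[str, str, str]              # (severity, path, detail)

# Probe list: path, severity if confirmed, and a body signature that shows the
# file is genuine. Paths, patterns and severities are assumptions for this example.
PROBES = [
    ("/.env", "critical", re.compile(rb"^[A-Z_][A-Z0-9_]*=", re.M)),
    ("/.git/config", "critical", re.compile(rb"^\[core\]", re.M)),
    ("/wp-config.php.bak", "critical", re.compile(rb"DB_PASSWORD")),
    ("/backup.zip", "serious", re.compile(rb"^PK\x03\x04")),
    ("/app.js.map", "minor", re.compile(rb'"sources"\s*:')),
    ("/uploads/", "moderate", re.compile(rb"<title>Index of /", re.I)),
]


def scan_exposure(fetch: Fetch) -> List[Finding]:
    """Probe each path with a plain GET; report only confirmed, non-soft-404 hits."""
    # Baseline: a path that cannot exist. A site that answers 200 to anything
    # returns this same page for every probe, so matching bodies are ignored.
    _, baseline = fetch("/" + secrets.token_hex(8))
    findings = []
    for path, severity, signature in PROBES:
        status, body = fetch(path)
        if status != 200 or body == baseline:
            continue
        if signature.search(body):
            findings.append((severity, path, "content signature matched"))
    return findings


# Constructed in-memory site standing in for HTTP GET; no network involved.
SAMPLE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/.env": (200, b"APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    "/uploads/": (200, b"<html><title>Index of /uploads</title>..."),
    "/app.js.map": (200, b'{"version":3,"sources":["src/app.ts"]}'),
    "/backup.zip": (404, b"Not Found"),
}
SOFT_404 = (200, b"<html><body>Page not found</body></html>")


def sample_fetch(path: str) -> Tuple[int, bytes]:
    """Answers 200 with a generic page for unknown paths, mimicking a soft-404 site."""
    return SAMPLE_SITE.get(path, SOFT_404)


if __name__ == "__main__":
    for sev, path, detail in scan_exposure(sample_fetch):
        print(f"[{sev}] {path}: {detail}")
```

Against the sample site this reports `/.env`, `/app.js.map` and `/uploads/` and stays silent on `/.git/config`, which returned 200 but with the generic not-found page. Exact body comparison is the simplest baseline; sites whose error page echoes the requested path need a similarity threshold instead, and the scan only ever issues GET requests, so it stays within the non-intrusive scope described on this page.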
Cookie & Session Audit
Cookies are inspected for the Secure and HttpOnly flags, the SameSite attribute, and proper scoping (Domain and Path).
Common Findings
Issues we commonly detect
Missing Content Security Policy
Critical: Without a CSP, nothing limits where scripts can load from or where data can be sent if an XSS bug slips through; a strict policy (nonces or hashes, no 'unsafe-inline') turns many injections into blocked requests.
No HSTS header
Serious: Without HSTS, a first visit or a typed http:// URL still goes over plain HTTP, where a man-in-the-middle can read the request or strip the redirect to HTTPS.
Exposed .env or config files
Critical: Publicly accessible configuration files can leak database credentials, API keys, and secrets.
Cookies without Secure flag
Serious: The browser sends a cookie that lacks the Secure flag over plain HTTP as well, so an attacker who can trigger a single http:// request can capture the session cookie and hijack the session.
Missing X-Frame-Options
Moderate: Without frame protection, your site can be embedded in malicious pages for clickjacking attacks. The CSP frame-ancestors directive is the modern equivalent and takes precedence where both are set.
Server version disclosure
Minor: Revealing server software and versions lets attackers match your stack against known vulnerabilities.
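The header, cookie and disclosure checks described under Methodology, applied to the findings listed above, as an added Python example (not Kritano's scanner): it grades two constructed header sets, one weak and one hardened, with the severity labels used on this page, and handles the edge cases a practitioner trips over: a CSP `frame-ancestors` directive counts as frame protection even without X-Frame-Options, `'unsafe-inline'` is not flagged when a nonce or hash neutralises it, and `SameSite=None` without `Secure` is called out because browsers reject it. The one-year HSTS threshold, the sample responses and the rule wording are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, rule, detail), severities as used on this page
SEVERITY_RANK = {"critical": 0, "serious": 1, "moderate": 2, "minor": 3}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age (what browser preload lists require)

# Constructed sample responses, not captured from any real site; (name, value) pairs
# rather than a dict because Set-Cookie legitimately repeats.
WEAK_RESPONSE = [
    ("Server", "nginx/1.18.0"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

def header(headers, name: str) -> Optional[str]:
    """First value of a header, matched case-insensitively; None if absent."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)

def csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse a CSP value into {directive: [sources]}."""
    parts = (p.split() for p in value.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def check_transport(headers) -> List[Finding]:
    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        return [("serious", "No HSTS header", "first visit or typed http:// URL goes over plain HTTP")]
    out = []
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    if max_age < ONE_YEAR:
        out.append(("moderate", "Short HSTS max-age", f"max-age={max_age} is below one year"))
    if "includesubdomains" not in hsts.lower():
        out.append(("minor", "HSTS without includeSubDomains", "subdomains stay reachable over HTTP"))
    return out

def check_policies(headers) -> List[Finding]:
    out = []
    raw = header(headers, "Content-Security-Policy")
    csp = csp_directives(raw) if raw else {}
    if not csp:
        out.append(("critical", "Missing Content Security Policy", "nothing limits script sources if an XSS bug exists"))
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        # browsers ignore 'unsafe-inline' once a nonce or hash is present, so only the bare case is flagged
        strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        if "'unsafe-inline'" in scripts and not strict:
            out.append(("serious", "CSP allows inline scripts", "script-src has 'unsafe-inline' and no nonce or hash"))
    # CSP frame-ancestors supersedes X-Frame-Options, so either one satisfies the framing check
    xfo = (header(headers, "X-Frame-Options") or "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        out.append(("moderate", "Missing X-Frame-Options", "no frame-ancestors directive and no valid X-Frame-Options"))
    if (header(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        out.append(("moderate", "Missing X-Content-Type-Options", "browser may sniff the content type"))
    return out

def check_cookies(headers) -> List[Finding]:
    out = []
    for raw in (v for k, v in headers if k.lower() == "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {k.lower(): v for k, _, v in (a.partition("=") for a in parts[1:])}
        if "secure" not in attrs:
            out.append(("serious", "Cookie without Secure flag", f"{name} is also sent over plain HTTP"))
        if "httponly" not in attrs:
            out.append(("moderate", "Cookie without HttpOnly", f"{name} is readable from script"))
        samesite = attrs.get("samesite", "").lower()
        if not samesite:
            out.append(("moderate", "Cookie without SameSite", f"{name} relies on the browser default"))
        elif samesite == "none" and "secure" not in attrs:
            out.append(("serious", "SameSite=None without Secure", f"{name} is rejected by current browsers"))
        if name.startswith("__Host-") and ("secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
            out.append(("moderate", "Invalid __Host- prefix", f"{name} needs Secure, Path=/ and no Domain"))
    return out

def check_disclosure(headers) -> List[Finding]:
    out = []
    for name in ("Server", "X-Powered-By"):
        value = header(headers, name)
        if value and re.search(r"\d+\.\d+", value):  # a version number, not just a product name
            out.append(("minor", "Server version disclosure", f"{name}: {value}"))
    return out

def audit(headers) -> List[Finding]:
    """Run every check; sorted() is stable, so rule order is kept within each severity."""
    findings = check_transport(headers) + check_policies(headers) + check_cookies(headers) + check_disclosure(headers)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])
```

`audit(WEAK_RESPONSE)` produces eleven findings, led by the missing CSP, the missing HSTS header and the session cookie without Secure; `audit(HARDENED_RESPONSE)` produces none. A real scanner feeds it the headers from an HTTPS GET of the page, and should also fetch the http:// origin to confirm the redirect, since HSTS only helps once the browser has seen the header over HTTPS.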
Key Takeaways
- Checks 40+ security factors including headers, HTTPS, cookies, and exposed files.
- Non-intrusive scanning that identifies misconfigurations without exploiting vulnerabilities.
- Security headers are a cheap defence-in-depth layer against XSS, clickjacking, and protocol downgrade attacks; they limit the damage of a bug, they do not replace fixing it.
Why security matters for your business
A single security breach can destroy customer trust and cost millions. Proactive scanning prevents the most common attack vectors.
FAQ
Frequently asked questions
What security issues does Kritano detect?
Kritano runs 40+ security checks per page, including HTTPS enforcement, security header analysis (CSP, HSTS, X-Frame-Options), exposed sensitive files, cookie security flags (Secure, HttpOnly, SameSite), mixed content, and information disclosure vulnerabilities.
Is Kritano a penetration testing tool?
No. Kritano performs non-intrusive, read-only security scanning. It checks your site's publicly visible configuration for common misconfigurations and vulnerabilities without attempting to exploit them. For full penetration testing, use a dedicated security firm.
How do security headers protect my website?
Security headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Content-Type-Options instruct browsers to enforce policies the server declares: CSP restricts where scripts and other resources may load from, which limits the impact of cross-site scripting; HSTS makes the browser use HTTPS only, which blocks protocol downgrade; frame-ancestors or X-Frame-Options stop clickjacking; and X-Content-Type-Options: nosniff stops MIME-type confusion. They mitigate these attacks rather than remove the underlying bugs.
Founder of Kritano
5 years in web development. I specialise in web auditing, WCAG 2.2 compliance, and search engine optimisation.
I built Kritano after years of running audits with fragmented tools. I write about SEO, accessibility, security, and performance based on real auditing data from thousands of scans.
Find vulnerabilities before attackers do
Run a free security scan and get a clear picture of your site's defences.
Join Early Access