Website Security Scanner
What This Scanner Checks
Most website security audits start with the same six things: is the SSL certificate valid and not about to expire, are the right HTTP security headers in place, can someone spoof email from the domain, is the server IP flagged on any blacklists, does HTTP redirect cleanly to HTTPS, and is HTTP/2 running. This tool checks all six at once and rolls them into a single score out of 100.
The weighting reflects real-world impact: security headers carry 35 points because they protect against a wide range of browser-level attacks and most sites are still missing several of them. SSL health carries 25 points. Email authentication carries 20. Blacklist status, HTTPS redirect and HTTP/2 share the remaining 20 between them.
How Each Category Is Scored
SSL Certificate (up to 25 pts)
A valid certificate is the bare minimum for any site handling user data, but validity alone is not enough. The scanner checks that the certificate matches the hostname, that it is not within 30 days of expiry, and that the key length is at least 2048-bit RSA or 256-bit EC. A mismatched hostname or expired certificate wipes out the entire SSL score regardless of everything else.
Security Headers (up to 35 pts)
Seven headers are checked: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and X-XSS-Protection. Each one correctly set adds 5 points. These headers cost nothing to add and protect against clickjacking, XSS, MIME sniffing and SSL stripping. Most sites are missing at least three of them.
Email Authentication (up to 20 pts)
SPF, DKIM and DMARC work together to make it hard for anyone to send email pretending to be from your domain. SPF with -all gets 8 points. DMARC with reject or quarantine policy gets 7 points. A valid DKIM record gets 5 points. Getting all three right is one of the most impactful things a domain owner can do to protect their brand reputation.
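As an added illustration of the header and email scoring rules above (not the scanner's own code), the following Python reconstructs the Security Headers and Email Authentication categories from the weights on this page; the TXT record parsing and the rule that a header counts as "correctly set" when it is present with a non-empty value are assumptions.

```python
import re
# The seven headers named on this page, 5 points each (max 35).
SECURITY_HEADERS = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
    "x-xss-protection",
)

def score_headers(headers):
    """5 points per listed header present with a non-empty value (names are
    case-insensitive). Assumption: that is what the page calls 'correctly set'."""
    present = {k.lower() for k, v in headers.items() if v and v.strip()}
    return 5 * sum(1 for h in SECURITY_HEADERS if h in present)

def _find_record(txt_records, prefix):
    """First TXT record whose version tag matches prefix (case-insensitive)."""
    return next((r for r in txt_records if r.lower().startswith(prefix)), None)

def score_spf(txt_records):
    """8 points only for a hard fail (-all); ~all, ?all or no SPF scores 0."""
    spf = _find_record(txt_records, "v=spf1")
    return 8 if spf and spf.split()[-1].lower() == "-all" else 0

def score_dmarc(txt_records):
    """7 points when the DMARC p= tag is reject or quarantine; p=none scores 0."""
    dmarc = _find_record(txt_records, "v=dmarc1")
    m = dmarc and re.search(r"(?:^|;)\s*p\s*=\s*(\w+)", dmarc, re.I)
    return 7 if m and m.group(1).lower() in ("reject", "quarantine") else 0

def score_dkim(txt_records):
    """5 points for a selector record with a non-empty public key (p=);
    a revoked key is published as an empty p= and scores 0."""
    return 5 if any(re.search(r"(?:^|;)\s*p\s*=\s*[A-Za-z0-9+/=]+", r)
                    for r in txt_records) else 0

def score_email(spf_txt, dmarc_txt, dkim_txt):
    """Email Authentication category: 8 + 7 + 5 = 20 points maximum."""
    return score_spf(spf_txt) + score_dmarc(dmarc_txt) + score_dkim(dkim_txt)

# Constructed sample input (example.net is a placeholder): a response setting
# five of the seven headers, plus TXT records for SPF, DMARC and a DKIM selector.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff", "Content-Type": "text/html",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_SPF = ["v=spf1 include:_spf.example.net -all"]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net"]
SAMPLE_DKIM = ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"]  # key truncated
```

With the sample data, score_headers returns 25 (two headers missing) and score_email returns the full 20; swapping the SPF terminator for ~all or the DMARC policy for p=none drops those points to 0, which is the case the scoring rules above are designed to catch.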
Blacklist Status (10 pts)
The domain is resolved to its IP address, then checked against 10 major DNSBL blacklists including Spamhaus ZEN, SpamCop, SORBS and Barracuda. A single listing means zero points for this category. Being on a blacklist affects email deliverability and can lower trust scores with some browsers and security products.
HTTPS Redirect and HTTP/2 (up to 10 pts)
A proper HTTP to HTTPS redirect means visitors who type your address without https:// get sent there automatically with a 301 or 302. HTTP/2 is the current version of the HTTP protocol and loads pages noticeably faster than HTTP/1.1 by multiplexing requests over a single connection. Both are table stakes for any well-run site.
Frequently Asked Questions
What score should I aim for?
A grade B (70 or above) means the fundamentals are covered. Grade A (85 or above) means someone has put real effort into hardening the configuration. Below 55 there are usually quick wins available, particularly around security headers, that take less than an hour to fix.
How hard is it to fix the issues?
Security headers are the easiest fix. On Apache you add a few Header always set lines to your config or .htaccess. On Nginx you add them to the server block. No code changes needed. SPF and DMARC are DNS records you add through your domain registrar. DKIM requires a key pair generated by your mail provider, which will give you exact instructions.
Why does the scan take several seconds?
Six separate checks run in sequence: an SSL handshake, an HTTP HEAD request, four DNS lookups for SPF/DKIM/DMARC/MX, ten DNSBL queries and an HTTP redirect probe. Each has its own network timeout. The total usually lands between 5 and 15 seconds depending on how responsive the target server is. Results are cached for 30 minutes.