What We Check
Security isn't one thing — it's four overlapping layers. We check HTTP headers, SSL certificates, privacy compliance, and DNS authentication in a single pass.
Security Headers (6 Checks)
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy. Each header is graded individually with implementation guidance.
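The grading behind this check, as an added example (illustrative code, not the audit's own implementation): it takes one response's headers, marks each of the six as pass, weak or missing, and applies two thresholds that are this example's own assumptions, a one-year HSTS max-age and a CSP whose script-src does not rely on 'unsafe-inline' without a nonce or hash. The two sample responses are constructed, not captured from any site.

```python
"""Grade the six security headers on a single HTTP response (added example)."""
import re

REQUIRED = (
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
    "Referrer-Policy",
    "Permissions-Policy",
)
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_value(name, value):
    """Grade one present header; returns ('pass' | 'weak', note)."""
    v = value.strip()
    if name == "Content-Security-Policy":
        policy = parse_csp(v)
        scripts = policy.get("script-src") or policy.get("default-src") or []
        if not scripts:
            return ("weak", "no script-src or default-src; scripts are unrestricted")
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP3).
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            return ("weak", "script-src allows 'unsafe-inline'; injected inline scripts still run")
        return ("pass", "script sources restricted")
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            return ("weak", f"max-age={age} is below one year")
        if "includesubdomains" not in v.lower():
            return ("weak", "missing includeSubDomains")
        return ("pass", "max-age >= 1 year with includeSubDomains")
    if name == "X-Frame-Options":
        ok = v.upper() in ("DENY", "SAMEORIGIN")
        return ("pass", v) if ok else ("weak", f"unrecognised value {v!r}; framing not blocked")
    if name == "X-Content-Type-Options":
        ok = v.lower() == "nosniff"
        return ("pass", v) if ok else ("weak", f"expected nosniff, got {v!r}")
    if name == "Referrer-Policy":
        strict = ("no-referrer", "same-origin", "origin", "strict-origin",
                  "strict-origin-when-cross-origin")
        ok = v.lower() in strict
        return ("pass", v) if ok else ("weak", f"{v!r} may leak full URLs cross-origin")
    # Permissions-Policy: presence is all this example checks.
    return ("pass", "set")


def grade_headers(headers):
    """Return {header: (grade, note)} for the six headers of one response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name in REQUIRED:
        value = lowered.get(name.lower())
        result[name] = ("missing", "header not set") if value is None else check_value(name, value)
    return result


# Constructed sample responses (not captured from any real site).
WEAK_SITE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_SITE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label)
        for header, (grade, note) in grade_headers(site).items():
            print(f"  {grade:8} {header}: {note}")
```

The CSP rule is the one that matters most in practice: a policy that names script sources but still allows 'unsafe-inline' without a nonce or hash gives almost no XSS protection, and this example grades it as weak rather than pass for that reason.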
SSL/TLS Analysis
Certificate validity and expiry date, TLS version (1.2 vs 1.3), cipher suite strength, HSTS implementation, and certificate chain validation. We flag certificates expiring within 30 days.
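The expiry and TLS-version part of this analysis, as an added example (illustrative code, not the audit's own implementation): `days_until_expiry` works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline on the constructed certificate below; `live_check` performs a real handshake with chain and hostname validation and only runs when you call it. The 30-day threshold is the one the page states; the sample certificate and scan times are constructed.

```python
"""Flag certificates expiring within 30 days and weak TLS versions (added example)."""
import socket
import ssl
from datetime import datetime, timezone

EXPIRY_WARNING_DAYS = 30  # threshold the page states


def days_until_expiry(cert, now=None):
    """Whole days between `now` (UTC datetime) and the certificate's notAfter."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses 'Mar 19 00:00:00 2025 GMT'
    now = now or datetime.now(timezone.utc)
    return int((not_after - now.timestamp()) // 86400)


def assess(cert, tls_version, now=None):
    """Return a list of (severity, message) findings for one leaf certificate."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(("critical", f"certificate expired {-days} days ago"))
    elif days <= EXPIRY_WARNING_DAYS:
        findings.append(("high", f"certificate expires in {days} days"))
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(("high", f"negotiated {tls_version}; TLS 1.2 or 1.3 required"))
    elif tls_version == "TLSv1.2":
        findings.append(("info", "TLS 1.3 not negotiated; confirm the server offers it"))
    return findings


def live_check(hostname, port=443, timeout=5):
    """Handshake with a real server and assess its leaf certificate (network)."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return assess(tls.getpeercert(), tls.version())


# Constructed certificate dict in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Dec 19 00:00:00 2024 GMT",
    "notAfter": "Mar 19 00:00:00 2025 GMT",
}
SCAN_TIME = datetime(2025, 3, 7, tzinfo=timezone.utc)       # 12 days before expiry
LATE_SCAN_TIME = datetime(2025, 4, 1, tzinfo=timezone.utc)  # 13 days after expiry

if __name__ == "__main__":
    for when in (SCAN_TIME, LATE_SCAN_TIME):
        print(when.date(), assess(SAMPLE_CERT, "TLSv1.2", now=when))
```

Passing `now` explicitly keeps the check deterministic; the audit's notion of "expires in 12 days" is simply this arithmetic against the scan timestamp.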
Cookie Consent Detection
We detect 10+ consent management platforms (Cookiebot, OneTrust, CookieYes, Termly, and more) and check whether consent is collected before tracking scripts fire.
Tracker Inventory
We identify 15 tracker categories: analytics, advertising, social, heatmaps, session recording, A/B testing, and more. Each tracker is named, categorized, and assessed for GDPR compliance implications.
DNS & Email Security
SPF, DKIM, and DMARC record validation. Mail provider identification. CAA records check. Missing email authentication is one of the most common vectors for domain spoofing.
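The record validation behind this check, as an added example (illustrative code, not the audit's own implementation): it parses SPF, DKIM and DMARC TXT records and reports the weaknesses that matter for spoofing, a permissive or missing `all` mechanism, more than ten lookup terms, a `p=none` policy, a missing or revoked DKIM key. Records are read from a constructed zone dict so it runs offline; `lookup_txt` shows the live lookup but needs the third-party dnspython package and is only used when called. The DKIM selector name is something you must know or guess per provider, so it is a parameter here.

```python
"""Validate SPF, DKIM and DMARC records for a domain (added example)."""
import re

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def tag_list(record):
    """Parse 'k=v; k=v' tag syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record; any host can claim to send for this domain")]
    if len(spf) > 1:
        return [("high", "multiple SPF records; receivers treat this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(("medium", "no 'all' mechanism; unlisted senders are neither passed nor failed"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(("high", "'+all' authorises every host on the internet"))
        elif qualifier == "?":
            findings.append(("medium", "'?all' is neutral; spoofed mail is not rejected"))
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    return findings


def parse_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record; SPF and DKIM results are never enforced")]
    tags = tag_list(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"invalid or missing policy tag p={policy!r}"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(("low", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address; you receive no aggregate reports"))
    return findings


def parse_dkim(txt_records):
    keys = [r for r in txt_records if "p=" in r]
    if not keys:
        return [("high", "no DKIM key published at this selector")]
    if not tag_list(keys[0]).get("p"):
        return [("high", "DKIM key revoked (empty p=)")]
    return []


def lookup_txt(name):
    """Live TXT lookup; requires `pip install dnspython`, not used offline."""
    import dns.resolver
    return ["".join(s.decode() for s in r.strings) for r in dns.resolver.resolve(name, "TXT")]


def audit_domain(domain, selector, zone):
    """Run all three checks against a {name: [txt, ...]} mapping."""
    return {
        "spf": parse_spf(zone.get(domain, [])),
        "dkim": parse_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": parse_dmarc(zone.get(f"_dmarc.{domain}", [])),
    }


# Constructed zone data; the DKIM public key value is a placeholder.
SAMPLE_ZONE = {
    "example.test": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc"],
    "google._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
}

if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, audit_domain(d, "google", SAMPLE_ZONE))
```

Note the two different failure shapes: example.test has every record but enforces nothing (`p=none`), while weak.test has an SPF record that authorises the whole internet and no DMARC at all; both let anyone send mail as the domain.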
Ad Platform Detection
We detect 13 advertising platforms via their conversion pixels and scripts: Google Ads, Meta/Facebook, LinkedIn, TikTok, Twitter/X, Pinterest, Snapchat, Microsoft Ads, Amazon, Taboola, Outbrain, Criteo, and AdRoll.
What You Learn
Security findings are specific and actionable. We don't just say "improve your security" — we tell you exactly what's missing and how to fix it.
Missing Content-Security-Policy header
Your site has no CSP header, so any script an attacker manages to inject runs with no restriction on where it loads from or what it can do. CSP does not stop the injection itself, but it is the single most impactful header for limiting what an XSS payload can achieve. We provide a starter policy tailored to your detected technology stack.
SSL certificate expires in 12 days
Your certificate from Let's Encrypt expires on March 19. If auto-renewal fails, your site will show a browser security warning that blocks most visitors. We recommend verifying your renewal cron job immediately.
Google Analytics fires before cookie consent
Your GA4 tracking script loads in the page head and fires immediately, before your CookieYes consent banner has been accepted. Under the EU cookie rules and GDPR, that means setting tracking identifiers and processing personal data without consent. The fix: defer loading GA4 until consent is granted.
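One way to detect this finding from the page source, as an added example (illustrative code, not the audit's own detection logic): it collects every script tag in document order with the stdlib HTML parser and applies heuristics that are this example's assumptions, not a description of how any consent platform works. A Google tag script counts as gated when its `type` is `text/plain` (a convention several consent managers use to keep a script from executing until consent is given) or when an earlier inline script has set a Google Consent Mode default of `analytics_storage: 'denied'`. The two HTML pages below are constructed, and `G-XXXX` is a placeholder measurement ID.

```python
"""Detect analytics scripts that fire before consent is collected (added example)."""
import re
from html.parser import HTMLParser

TRACKER_HOSTS = ("googletagmanager.com/gtag/js", "google-analytics.com/analytics.js")
CONSENT_DEFAULT_DENIED = re.compile(
    r"gtag\(\s*['\"]consent['\"]\s*,\s*['\"]default['\"][^)]*"
    r"analytics_storage['\"]?\s*:\s*['\"]denied", re.S)
GTAG_CONFIG = re.compile(r"gtag\(\s*['\"]config['\"]")


class ScriptCollector(HTMLParser):
    """Record (section, attrs, inline_text) for each <script>, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._section = "head"
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._section = "body"
        if tag == "script":
            self._open = [self._section, dict(attrs), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None


def find_ungated_trackers(html):
    """Return a finding string for every tracker script that runs before consent."""
    parser = ScriptCollector()
    parser.feed(html)
    denied_seen = False  # a Consent Mode 'denied' default earlier in the document
    findings = []
    for section, attrs, text in parser.scripts:
        if CONSENT_DEFAULT_DENIED.search(text):
            denied_seen = True
            continue
        src = attrs.get("src") or ""
        blocked = (attrs.get("type") or "").lower() == "text/plain"
        gated = blocked or denied_seen
        if any(host in src for host in TRACKER_HOSTS) and not gated:
            findings.append(f"{section}: external tracker {src} loads unconditionally")
        elif GTAG_CONFIG.search(text) and not gated:
            findings.append(f"{section}: inline gtag('config') fires before any consent is recorded")
    return findings


# Constructed pages; the consent banner URL is a placeholder.
UNGATED_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
<script src="https://consent.example/banner.js"></script>
</head><body></body></html>"""

GATED_PAGE = """<html><head>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('consent','default',{ad_storage:'denied',analytics_storage:'denied'});</script>
<script type="text/plain" data-consent="analytics"
        src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script type="text/plain" data-consent="analytics">gtag('js',new Date());gtag('config','G-XXXX');</script>
<script src="https://consent.example/banner.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("ungated:", find_ungated_trackers(UNGATED_PAGE))
    print("gated:  ", find_ungated_trackers(GATED_PAGE))
```

Static analysis like this only shows what the page declares; it cannot tell whether the banner really flips the scripts on after a click, so a full check also loads the page in a browser and watches which requests leave before consent is given.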
Why This Matters
A security breach doesn't have to be dramatic to be costly. Without HSTS (or an HSTS preload entry), an attacker on the same network can intercept a visitor's first plain-HTTP request and keep them on a connection they control, with no browser warning. A DMARC failure means anyone can send emails that look like they come from your domain. An expired SSL certificate means Chrome shows a full-page warning that most visitors won't click through.
Privacy compliance is no longer optional. GDPR fines can reach 4% of worldwide annual turnover or 20 million euros, whichever is higher. Even small businesses face enforcement: cookie consent isn't just a popup, it's a legal requirement that most implementations get wrong. If your analytics fire before consent is granted, you're technically in violation.
Our audit catches the gaps that generic security scanners miss. We don't just check if you have HTTPS — we verify TLS version, check for HSTS preloading, validate your certificate chain, and flag upcoming expiry dates. The result is a clear, prioritized list of security improvements ranked by risk and effort.
Related Features
SEO Audit
Security and SEO are intertwined. HTTPS is a ranking factor, and blocked crawlers hurt indexing.
View SEO Audit →
Performance Audit
Security headers can affect load performance. See how your site balances security with speed.
View Performance Audit →