What the free scan checks

Every scan runs 9 security modules in parallel. All checks below are included in the free tier - no account required.

Security Headers

Missing HTTP headers that protect your visitors from common browser attacks.

  • Content-Security-Policy (CSP) - Prevents XSS attacks by controlling which resources the browser may load.
  • Strict-Transport-Security (HSTS) - Forces browsers to use HTTPS only, preventing protocol downgrade attacks.
  • X-Content-Type-Options - Stops browsers from guessing file types, preventing MIME-sniffing exploits.
  • X-Frame-Options - Protects against clickjacking by controlling whether your site can be embedded in iframes.
  • Referrer-Policy - Controls how much URL information is sent to third parties.
  • Permissions-Policy - Restricts which browser features (camera, mic, geolocation) pages may use.
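As an added example (not the scanner's own code), the function below runs the six header checks listed above against a dictionary of response headers. It goes slightly beyond a presence check: it also flags the most common weak values (a script-src that allows 'unsafe-inline' without a nonce or hash, a short HSTS max-age, a Referrer-Policy that leaks full URLs). The sample headers and the one-year HSTS threshold are constructed for this example and are not values from the scan.

```python
"""Check HTTP response headers for the six protections a scan looks for."""
import re
from typing import Dict, List

# One year in seconds; an assumed threshold for this example, not the scanner's.
MIN_HSTS_MAX_AGE = 31536000

REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Parse 'default-src 'self'; script-src ...' into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so fold them once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing: {name}")

    if "content-security-policy" in h:
        csp = _csp_directives(h["content-security-policy"])
        # script-src falls back to default-src when it is not set explicitly.
        script_src = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("weak: CSP script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script_src:
            findings.append("weak: CSP script-src allows 'unsafe-eval'")

    if "strict-transport-security" in h:
        m = re.search(r"max-age\s*=\s*(\d+)", h["strict-transport-security"], re.I)
        if m is None:
            findings.append("weak: HSTS header has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"weak: HSTS max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options should be 'nosniff'")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: X-Frame-Options should be DENY or SAMEORIGIN")

    if h.get("referrer-policy", "").lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("weak: Referrer-Policy leaks full URLs to third parties")

    return findings


# Constructed sample responses for this example.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs))
```

The headers can come from any HTTP client's response object; the checker only needs the name/value mapping, so it runs the same way against a stored response as against a live one.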

TLS / SSL

Your HTTPS connection quality - certificates, protocol versions and cipher strength.

  • Certificate validity & expiry - Warns if your certificate expires within 30 days or has already expired.
  • Self-signed certificate - Detects certificates not issued by a trusted CA - browsers block these.
  • Weak cipher suites - Flags broken algorithms like RC4, 3DES, or NULL that can be cracked.
  • TLS 1.0 / 1.1 acceptance - Deprecated protocol versions with known vulnerabilities (BEAST, POODLE).
  • Certificate Transparency logs - Verifies your certificate appears in public CT logs - required by all browsers.

DNS Security

Email spoofing protection and DNS integrity configuration.

  • SPF record - Specifies which mail servers may send email for your domain - prevents spoofing.
  • DMARC record & policy - Instructs receiving servers what to do with failed email auth. Warns if p=none.
  • DKIM record - Publishes the public key used to verify cryptographic email signatures - checked at common selectors.
  • CAA records - Restricts which Certificate Authorities may issue certs for your domain.
  • DNSSEC - Cryptographic protection against DNS cache poisoning attacks.
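The SPF and DMARC checks above boil down to parsing two TXT records. As an added example (not the scanner's code), the functions below evaluate records you already hold as strings, so they run offline; they apply the "p=none" warning from the list and also flag a permissive "+all" SPF and the 10-DNS-lookup limit from RFC 7208. The sample records are constructed for this example.

```python
"""Evaluate SPF and DMARC TXT records for the weaknesses a scan reports."""
from typing import Dict, List

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(txt: str) -> List[str]:
    """Return findings for one SPF record; empty means acceptable."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ':domain', '=value' and '/cidr' suffixes to get the bare mechanism.
        mech = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if mech == "all":
            all_qualifier = qualifier
        elif mech in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every server on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral, it does not reject spoofed senders")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def _dmarc_tags(txt: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(txt: str) -> List[str]:
    """Return findings for one DMARC record; empty means acceptable."""
    tags = _dmarc_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("DMARC: missing required p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: policy is applied to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


# Constructed sample records for this example.
SPF_OK = "v=spf1 include:_spf.example.net mx -all"
SPF_BAD = "v=spf1 a mx include:a.example include:b.example +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=none; pct=100"

if __name__ == "__main__":
    for rec in (SPF_OK, SPF_BAD):
        print(rec, "->", check_spf(rec))
    for rec in (DMARC_OK, DMARC_WEAK):
        print(rec, "->", check_dmarc(rec))
```

In a real check the record strings would be fetched with a DNS TXT query for the domain and for `_dmarc.<domain>`; the evaluation logic above does not change.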

Cookie Security

Flags insecure cookie configurations that enable session theft and CSRF.

  • Secure flag - Prevents cookies from being sent over unencrypted HTTP connections.
  • HttpOnly flag - Blocks JavaScript from reading cookies - stops XSS payloads from stealing the session cookie.
  • SameSite attribute - Prevents cookies from being sent on cross-site requests (CSRF protection).
  • __Host- / __Secure- prefix rules - Validates cookie prefix compliance for maximum browser-enforced security.
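The four cookie checks above can be applied to any Set-Cookie header value. As an added example (not the scanner's code), the function below parses one Set-Cookie line and reports missing Secure, HttpOnly and SameSite attributes, the SameSite=None-without-Secure case, and the browser-enforced prefix rules (__Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure). The sample cookies are constructed for this example.

```python
"""Audit Set-Cookie header values for the attributes browsers use to protect them."""
from typing import Dict, List, Tuple


def parse_set_cookie(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        # Attribute names are case-insensitive; flag-style attributes get "".
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def check_set_cookie(line: str) -> List[str]:
    """Return findings for one cookie; empty means every check passed."""
    name, _value, attrs = parse_set_cookie(line)
    findings: List[str] = []
    secure = "secure" in attrs

    if not secure:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    # Cookies that legitimately need script access are the exception, not the rule.
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by JavaScript)")

    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
    elif samesite == "none" and not secure:
        findings.append(f"{name}: SameSite=None requires Secure or browsers reject it")

    if name.startswith("__Host-"):
        if not secure or attrs.get("path") != "/" or "domain" in attrs:
            findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    elif name.startswith("__Secure-") and not secure:
        findings.append(f"{name}: __Secure- prefix requires Secure")

    return findings


def check_cookies(lines: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line of a response, keyed by cookie name."""
    return {parse_set_cookie(l)[0]: check_set_cookie(l) for l in lines}


# Constructed Set-Cookie values for this example.
SAMPLE_COOKIES = [
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid=xyz; Path=/; HttpOnly",
    "__Host-id=1; Secure; HttpOnly; SameSite=Strict; Domain=example.com",
    "tracker=1; Secure; SameSite=None",
]

if __name__ == "__main__":
    for cookie_name, findings in check_cookies(SAMPLE_COOKIES).items():
        print(cookie_name, findings or "ok")
```

A response may carry several Set-Cookie headers; feed each one separately, since joining them with commas would break on the comma inside an Expires date.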

Open Ports

TCP port scan for publicly reachable services that should not be internet-facing.

  • MySQL (3306) - Direct database access from the internet.
  • PostgreSQL (5432) - Direct database access from the internet.
  • MongoDB (27017) - Often deployed without auth - thousands of databases have been wiped.
  • Redis (6379) - No auth by default - exposes all cached data and allows server compromise.
  • Elasticsearch (9200) - HTTP API with full data access - no auth in older versions.
  • FTP (21), Telnet (23), SSH (22), Memcached (11211) - Legacy or dangerous services exposed to the internet.

File & Code Exposure

Publicly accessible files that should never be reachable.

  • .env / .env.local / .env.production - Exposes API keys, database credentials, and secrets.
  • .git/config & .git/HEAD - Leaks repository structure and may expose source code.
  • backup.sql / dump.sql / db.sqlite - Full database dumps readable by anyone.
  • firebase.json, backup.zip - Configuration and backup files with sensitive data.

Content & Behavior Analysis

Page-level checks covering CORS, redirects, caching, and client-side security.

  • Subresource Integrity (SRI) - Detects external CDN scripts loaded without an integrity hash.
  • Mixed content - HTTP resources loaded on an HTTPS page.
  • Insecure WebSocket (ws://) - Unencrypted WebSocket connections that expose real-time data.
  • Exposed source maps (.js.map) - Source maps reveal your full unminified frontend code.
  • CORS misconfiguration - Wildcard or reflected Origin headers that allow cross-origin data theft.
  • HTTP → HTTPS redirect - Checks that HTTP traffic is redirected to HTTPS.
  • Open redirect - Detects if redirect parameters can send users to external sites.
  • Dangerous HTTP methods (TRACE/PUT/DELETE) - Methods that can be exploited if misconfigured.
  • Cache-Control on sensitive pages - Missing no-store on /login and /dashboard lets the browser cache sensitive content.
  • Clickjacking (CSP frame-ancestors) - Checks both X-Frame-Options and CSP frame-ancestors for full protection.
  • Login endpoint enumeration - Different responses for valid vs. invalid email addresses reveal which accounts exist.
  • robots.txt & sitemap.xml path disclosure - Sensitive internal paths disclosed to scanners and attackers.
  • Meta-tag information leaks - Staging URLs, API keys, or debug flags in HTML meta tags.
  • Form action hijacking - Forms submitting over HTTP or to external domains.
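Several of the page-level checks above (SRI, mixed content, insecure WebSocket, form action hijacking) are static checks on the HTML itself. As an added example (not the scanner's code), the function below runs those four over a page body using only the standard library: it flags third-party scripts without an integrity attribute, http:// subresources on an https page, forms that post over HTTP or to another domain, and ws:// endpoints in inline scripts. The page URL, HTML and hostnames are constructed for this example; the integrity value is a placeholder, not a real hash.

```python
"""Static HTML checks: SRI, mixed content, form actions, insecure WebSocket."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

WS_RE = re.compile(r"ws://[^\s'\"()]+")


class _Collector(HTMLParser):
    """Collect the tags the checks need while the parser walks the document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []      # <script src=...> attributes
        self.resources: List[Tuple[str, str]] = []   # (tag, url) for subresources
        self.forms: List[Dict[str, str]] = []        # <form> attributes
        self.inline_js: List[str] = []               # bodies of inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        url = a.get("src") or a.get("href")
        if tag == "script" and not url:
            self._in_script = True  # inline script: capture its body in handle_data
            return
        if tag == "form":
            self.forms.append(a)
            return
        if not url:
            return
        if tag == "script":
            self.scripts.append(a)
        is_stylesheet = tag == "link" and "stylesheet" in a.get("rel", "").lower()
        if tag in ("script", "img", "iframe", "source", "audio", "video") or is_stylesheet:
            self.resources.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def audit_html(page_url: str, html: str) -> List[str]:
    """Return findings for one HTML document served from page_url."""
    host = urlparse(page_url).hostname
    c = _Collector()
    c.feed(html)
    findings: List[str] = []

    for a in c.scripts:
        src = a["src"]
        src_host = urlparse(src).hostname  # None for relative URLs (same origin)
        # Cross-origin scripts also need crossorigin="anonymous" for SRI to apply.
        if src_host and src_host != host and not a.get("integrity"):
            findings.append(f"sri: third-party script without integrity: {src}")

    for tag, url in c.resources:
        if url.lower().startswith("http://"):
            findings.append(f"mixed-content: <{tag}> loads {url}")

    for a in c.forms:
        action = a.get("action", "")
        u = urlparse(action)
        if u.scheme == "http":
            findings.append(f"form: submits over plain HTTP to {action}")
        elif u.hostname and u.hostname != host:
            findings.append(f"form: submits to external domain {u.hostname}")

    for js in c.inline_js:
        for endpoint in WS_RE.findall(js):
            findings.append(f"websocket: unencrypted endpoint {endpoint}")

    return findings


# Constructed page for this example; the integrity value is a placeholder.
SAMPLE_URL = "https://example.com/"
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/app.js"></script>
<link rel="stylesheet" href="http://static.example.com/site.css">
</head><body>
<img src="https://example.com/logo.png">
<form action="http://example.com/login" method="post"></form>
<form action="https://partner.example.org/submit" method="post"></form>
<script>const live = new WebSocket("ws://example.com/live");</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_URL, SAMPLE_HTML):
        print(f)
```

Because it never fetches anything, the same function can be pointed at a saved page, a CI build artifact, or a template rendered in a test.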

Server & Network

Tech stack fingerprinting and exposed admin/debug interfaces.

  • Server version header - Version numbers in the Server header help attackers match known exploits to your software.
  • X-Powered-By header - Exposes framework and runtime versions.
  • Admin panels (/wp-admin, /phpmyadmin, /adminer) - Publicly reachable admin interfaces targeted by bots.
  • Debug & internal routes (/_debug, /telescope, /horizon) - Framework debug tools that should never be public.

Ready to scan your site?

Free, instant, no login required.

Run a free scan