Get an instant analysis of HTTP security headers, TLS configuration, DNS records, and cookie security. No account needed, no limits on free scans.
For example.com
Every scan evaluates 15+ HTTP security headers and grades each one individually. Instead of telling you only whether a header is present, FlawPilot reports how well it's configured, because a misconfigured Content-Security-Policy can be worse than none at all. Configuration quality matters as much as presence.
A live OpenAI key was leaked in /static/app.js; rotate immediately.
The Content-Security-Policy header is absent from HTTP responses.
Define explicit permissions for camera, microphone, and geolocation.
HSTS configured with max-age=31536000; includeSubDomains.
Security headers are only one layer of your website's defenses. Each scan also evaluates your TLS/SSL certificate and protocol configuration, DNS security records including DNSSEC and CAA, cookie attributes (Secure, HttpOnly, SameSite), and a detailed breakdown of every Content-Security-Policy directive. You get a complete picture from a single run.
Certificate validity, protocol version, and cipher strength evaluated.
No CAA record found. Any CA can issue certificates for this domain.
Cookie '_session_id' is missing HttpOnly and SameSite attributes.
Each directive analyzed for unsafe sources and policy quality.
The scanner doesn't just list problems. Every finding ships with a plain-English explanation of the risk, a severity label, and step-by-step instructions for how to fix it. Recommendations are sorted by impact so you know which changes will lift your score the most, and whether you're on Apache, Nginx, or a CDN, the guidance adapts to your setup.
Define allowed content sources to prevent XSS attacks.
Add X-Frame-Options to all HTTP responses to block clickjacking.
Submit your domain to the HSTS preload list for maximum protection.
Add the SameSite attribute to prevent cross-site request forgery.
Free, instant results. Enter any URL and see your security score in seconds.
