21 live public-safe checks, 67 scanner pages.
Find the hidden issues before they cost traffic, trust, or data.
secgates checks your site for security gaps, setup mistakes, blocked crawlers, slow pages, email problems, uptime risk, and accessibility mistakes. Each unlocked finding includes evidence and a clear fix note.
Find the check you care about.
Every scanner page explains what the check looks for, why it matters, and the issues it can reveal.
SQL Injection Scanner
Detect SQL injection vulnerabilities in your web application before attackers exploit them.
Vulnerability | Verified site required
Cross-Site Scripting (XSS) Scanner
Find XSS vulnerabilities that could let attackers inject malicious scripts into your pages.
Configuration | Runs now
Security Headers Scanner
Check if your site has the right HTTP security headers to prevent common attacks.
Configuration | Runs now
CSP Quality Scanner
Grade your Content Security Policy for real XSS containment, unsafe fallbacks, reporting, and Trusted Types readiness.
Configuration | Runs now
Permissions Policy Scanner
Check whether risky browser features like camera, microphone, geolocation, payment, USB, and clipboard access are locked down.
Configuration | Runs now
Cross-Origin Isolation Scanner
Read-only review of COOP, COEP, and CORP headers that help isolate your site from cross-origin leaks and opener abuse.
Configuration | Planned public-safe
Fetch Metadata Isolation Scanner
Safe-mode check for whether sensitive routes can reject suspicious cross-site requests using Sec-Fetch browser signals.
Vulnerability | Runs now
API Key Exposure Scanner
Detect exposed API keys, tokens, and secrets in your frontend code and responses.
Configuration | Planned public-safe
SSL/TLS Security Scanner
Verify your SSL/TLS configuration, certificate validity, and encryption strength.
Configuration | Runs now
HSTS Preload Readiness Scanner
Check whether your HTTPS enforcement is strong enough for safe HSTS preload submission and staged rollout.
Configuration | Planned public-safe
Dangerous HTTP Methods Scanner
Check whether public servers advertise risky methods like PUT, DELETE, TRACE, CONNECT, or method override behavior.
Vulnerability | Runs now
CORS Misconfiguration Scanner
Detect dangerous CORS policies that could allow unauthorized cross-origin access.
Vulnerability | Verified site required
CSRF Protection Scanner
Check if your forms and API endpoints are protected against cross-site request forgery.
Configuration | Runs now
Cookie & Session Security Scanner
Audit cookie flags, session management, and token security for your application.
Vulnerability | Runs now
Referrer & URL Secret Leakage Scanner
Find reset tokens, invite codes, emails, IDs, or secrets in URLs that could leak through browser referrers.
Vulnerability | Verified site required
Authentication Flow Scanner
Test your login, signup, and password reset flows for common security weaknesses.
Configuration | Verified site required
OAuth/OIDC Flow Scanner
Review OAuth and OpenID Connect setup for weak redirect handling, missing PKCE, state, nonce, issuer, and audience checks.
Configuration | Verified site required
SAML SSO Scanner
Read-only review of SAML metadata, certificate runway, signed response expectations, ACS URLs, and risky SSO defaults.
Infrastructure | Runs now
DNS & Email Security Scanner
Verify DNS configuration, SPF, DKIM, DMARC records, and domain security.
Vulnerability | Verified site required
Open Redirect Scanner
Find URL redirect vulnerabilities that attackers use for phishing campaigns.
Vulnerability | Verified site required
Host Header Injection Scanner
Check whether Host and proxy headers can influence redirects, links, cache keys, or generated URLs.
Vulnerability | Verified site required
GraphQL Security Scanner
Audit your GraphQL API for introspection leaks, injection, and query complexity attacks.
Vulnerability | Verified site required
WebSocket Security Scanner
Find insecure WebSocket usage, weak origin handling, missing authentication signals, and exposed real-time channels.
Vulnerability | Verified site required
JWT Security Audit
Check JSON Web Tokens for weak signing, exposed keys, and unsafe setup.
Vulnerability | Planned public-safe
Tech Stack & CVE Scanner
Identify your technology stack and check for known vulnerabilities (CVEs).
Infrastructure | Planned public-safe
CMS & Plugin Exposure Scanner
Detect CMS fingerprints, exposed plugin versions, user enumeration paths, xmlrpc.php, and risky public endpoints.
Vulnerability | Runs now
Source Map & Build Artifact Exposure Scanner
Find exposed source maps, debug bundles, build manifests, and leaked implementation details in production assets.
Vulnerability | Planned public-safe
Backup & Forgotten File Exposure Scanner
Find exposed .bak, .old, .zip, .env, database dumps, editor temp files, and copied source files.
Monitoring | Planned public-safe
Threat Intelligence Scanner
Check if your domain or IP appears on blocklists, malware databases, or threat feeds.
Compliance | Runs now
Legal Compliance Scanner
Check for privacy policy, cookie consent, terms of service, and GDPR compliance indicators.
Compliance | Runs now
Security.txt & Vulnerability Disclosure Scanner
Verify your security.txt, disclosure contacts, policy links, expiry, and vulnerability intake readiness.
Infrastructure | Planned public-safe
DDoS Protection Scanner
Evaluate your site's resilience against distributed denial-of-service attacks.
Vulnerability | Verified site required
File Upload Security Scanner
Test file upload endpoints for unrestricted uploads and remote code execution risks.
Monitoring | Planned public-safe
Audit Logging & Monitoring Scanner
Verify that security events are properly logged and monitored in your application.
Infrastructure | Planned public-safe
Mobile API Rate Limiting Scanner
Check API endpoints for proper rate limiting and abuse prevention on mobile-facing APIs.
Infrastructure | Planned public-safe
Domain Hijacking Detection
Detect subdomain takeover vulnerabilities and domain registration security issues.
Vulnerability | Verified site required
Debug Endpoints Scanner
Find exposed debug routes, admin panels, and development endpoints left in production.
Vulnerability | Verified site required
Path Traversal & File Include Scanner
Look for safe signals that file paths, includes, or download routes may expose files outside the intended folder.
Vulnerability | Verified site required
SSRF Exposure Scanner
Find URL-fetching inputs, callback fields, image importers, and webhook flows that may need server-side request protections.
Vulnerability | Verified site required
Input Validation Scanner
Test form fields and API inputs for proper validation and sanitization.
Infrastructure | Planned public-safe
Vercel Hosting Security Scanner
Audit Vercel-specific security settings, headers, and deployment configuration.
Infrastructure | Planned public-safe
Netlify Hosting Security Scanner
Check Netlify-specific security configuration, headers, and deployment settings.
Infrastructure | Planned public-safe
Cloudflare Security Scanner
Audit Cloudflare configuration, WAF settings, and CDN security features.
Infrastructure | Planned public-safe
Public Cloud Storage Exposure Scanner
Detect public S3, Google Cloud Storage, Azure Blob, and R2 bucket URLs and read-only exposure signals.
Infrastructure | Runs now
Subresource Integrity & Third-Party Script Scanner
Audit third-party scripts, missing SRI hashes, external dependency risk, and browser-side supply-chain exposure.
Vulnerability | Runs now
Third-Party PII Leakage Scanner
Find emails, user IDs, tokens, order IDs, and sensitive page data sent to analytics, pixels, chat widgets, or A/B tools.
Vulnerability | Verified site required
Dependency Vulnerability Scanner
Scan your project dependencies for known vulnerabilities and outdated packages.
Configuration | Verified site required
Supabase Security Scanner
Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
Configuration | Verified site required
Firebase Security Scanner
Check Firebase Security Rules, authentication settings, and Firestore/RTDB access controls.
Infrastructure | Verified site required
GitHub Repository Security Scanner
Scan your GitHub repository for leaked secrets, misconfigured Actions, and supply chain risks.
Vulnerability | Verified site required
Browser Storage & Session Token Scanner
Detect JWTs, refresh tokens, and session identifiers stored in localStorage or sessionStorage.
Configuration | Runs now
Service Worker & PWA Security Scanner
Read-only review of service worker scope, PWA manifest settings, offline caching, and stale authenticated page risks.
Vulnerability | Verified site required
Source Code SAST Scanner
Scan connected GitHub repositories for high-risk auth, secret, CORS, SQL, SSRF, and cookie patterns.
Vulnerability | Verified site required
Webhook Signature Verification Scanner
Find webhook handlers that appear to trust provider events without verifying signatures.
Vulnerability | Verified site required
IDOR & Broken Access Control Scanner
Find exposed admin routes, unauthenticated APIs, sequential IDs, and mass data exposure.
Vulnerability | Verified site required
Tenant Isolation Scanner
Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.
Infrastructure | Planned public-safe
API Inventory & OpenAPI Exposure Scanner
Find public APIs, exposed OpenAPI documents, old endpoints, and API docs that should not be public.
Configuration | Planned public-safe
Cache-Control & CDN Leakage Scanner
Check cache headers, CDN behavior, private response storage, and accidental caching of personalized or sensitive content.
SEO & AEO | Runs now
SEO Scanner
Grade search reach with 68 checks for crawl access, page titles, schema depth, content quality, links, and vital metrics.
SEO & AEO | Planned public-safe
AEO Scanner (AI Visibility)
Check whether answer systems from OpenAI, Anthropic, Perplexity, and Google can fetch, parse, and reference your pages. 46 checks.
Vulnerability | Runs now
AI Feature Exposure Scanner
Passive detection of public chat, search, or agent features that may need prompt-injection, data leakage, and tool-use protections.
SEO & AEO | Runs now
Robots, Sitemap & AI Crawler Governance Scanner
Audit robots.txt, sitemap coverage, AI crawler controls, snippet directives, and crawl governance for search and answer engines.
Monitoring | Planned public-safe
Uptime Monitoring & Status Pages
External availability checks on a one-minute cadence with incident history, recovery notifications, and a shareable status hub.
Performance | Runs now
Performance & Core Web Vitals Scanner
Lab diagnostics plus field web-vitals data from CrUX and RUM, with daily regression warnings before rankings or conversions fall.
Accessibility | Runs now
Accessibility Scanner (WCAG)
Automated WCAG 2.x Level AA checks across page structure, forms, navigation, and media.
Monitoring | Planned public-safe
Email Deliverability Monitor
SPF, DKIM, DMARC, MX, MTA-STS, and BIMI checked continuously - with a managed DMARC report inbox.
Monitoring | Planned public-safe
Domain Watchtower
Domain expiry, transfer locks, nameserver changes, DNSSEC, CAA, and certificate renewal time - watched daily.
Run the scan and see the issue count first.
Subscribe when you want to reveal the findings, evidence, and AI-ready fixes.