Website Security Test


Only scan websites you own or are authorized to test. Free: passive scan of any URL. Verify ownership (below) to unlock active checks. Premium proxy and Google-exposure scan are in the Advanced (Pro) plan.


The Website Security Test is a free online tool that audits any website for common security issues in seconds. It checks your HTTPS and TLS setup, HTTP security headers, cookie flags, and exposed sensitive files. It also flags software version disclosure. In advanced mode it finds private or sensitive pages indexed in Google. You get a clear security score, a letter grade, and a prioritised list of fixes.

What is the Website Security Test?

A fast, attacker's-eye audit

The tool inspects your site from the outside, the same way an automated scanner or attacker would. It uses only safe, read-only requests. It does not log in, change anything, or attempt any exploit.

In a few seconds you learn which protections are in place, which are missing, and which are misconfigured. Every result is grouped by category and ordered by severity, so you fix the dangerous things first.

This makes it ideal for a quick pre-launch check, a routine monthly audit, or a fast triage of a site you have just taken over.

What it checks

The scan covers six areas. These are the encrypted connection and certificate, the browser security headers, and cookie attributes. It also covers exposed files and directory listings, software disclosure, and search-engine exposure.

Each check returns one of four states: critical, warning, info, or passed. It comes with the evidence and a recommended remediation.
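
The passive header, cookie and version-disclosure checks described above, as an added Python example (not DiagnoSEO's code). The state assigned to each finding, the one-year HSTS threshold and the sample response are assumptions made for illustration.

```python
import re

# Constructed sample response headers (not captured from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:            # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw, min_hsts=31536000):               # one-year threshold is an assumption
    pairs = parse_headers(raw)
    first = dict(reversed(pairs))                # first occurrence of each header wins
    findings = []                                # (check, state, evidence) tuples

    # HSTS: missing or max-age=0 gives no protection; a short max-age is only noted.
    hsts = first.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    age = int(m.group(1)) if m else 0
    state = "warning" if age == 0 else "info" if age < min_hsts else "passed"
    findings.append(("hsts", state, hsts or "missing"))

    for name in ("content-security-policy", "x-content-type-options"):
        value = first.get(name)
        ok = value is not None and (name != "x-content-type-options" or value.lower() == "nosniff")
        findings.append((name, "passed" if ok else "warning", value or "missing"))

    for name in ("server", "x-powered-by"):      # software version disclosure
        if re.search(r"\d+\.\d+", first.get(name, "")):
            findings.append((name, "info", first[name]))

    for name, value in pairs:                    # cookie flags, one finding per cookie
        if name == "set-cookie":
            attrs = {a.split("=")[0].strip().lower() for a in value.split(";")[1:]}
            missing = sorted({"secure", "httponly", "samesite"} - attrs)
            findings.append(("cookie:" + value.split("=", 1)[0], "warning" if missing else "passed",
                             "missing " + ", ".join(missing) if missing else "all flags set"))
    return findings
```

Calling `audit(SAMPLE)` returns one tuple per check, which can be sorted by state to put warnings ahead of informational findings.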

Why security affects your SEO

Search engines favour sites served over HTTPS. A leaked staging copy or an indexed admin panel can dilute rankings and expose data. A secure, well-configured site protects your visitors and your organic visibility at once.

Fixing the reported issues improves trust signals and reduces sensitive content in the index. It also removes browser warnings that scare visitors away.

Benefits of using the Website Security Test

  • Get a single, easy-to-read security score and an A+ to F grade for any URL.
  • See missing or weak security headers (CSP, HSTS, X-Content-Type-Options and more) explained in plain language.
  • Detect exposed .env, .git, backup and SQL files before someone else does.
  • Spot open directory listings and verbose server banners that help attackers.
  • Check your TLS certificate validity, expiry date, and whether legacy protocols are still enabled.
  • In advanced mode, search Google for sensitive content that should never have been indexed.
  • Receive a clear, actionable fix for every problem - no security jargon required.

Key features

  • Twenty-plus individual checks across six security categories.
  • Severity-based scoring so you always know what to fix first.
  • HTTPS redirect, HSTS and mixed-content detection.
  • Full security-header grading aligned with current OWASP guidance.
  • Cookie Secure, HttpOnly and SameSite inspection.
  • Exposed-file and directory-listing probing with safe requests only.
  • Optional Google exposure scan and premium proxy in paid plans.
  • Remediation guidance for every check, ready to hand to a developer.
  • Email authentication and DNS hardening: SPF, DMARC and CAA records, plus CORS policy review.
  • DNSSEC, Subresource Integrity for external scripts, and data-scraping / WAF detection.
  • Indicative GDPR and PCI DSS compliance tests that flag the web-observable basics - not a substitute for a formal legal or PCI audit.
  • Googlebot vs browser comparison to detect cloaking - compares HTTP status, redirects, SEO signals and a percentage of content change, complementing the HTTP Request tool.

Comparison of the Website Security Test with other tools

Functionality DiagnoSEO Other tools
One combined score for headers, TLS, cookies and exposure
Security-header grading (similar to SecurityHeaders.com or Mozilla Observatory)
TLS certificate and protocol summary (similar to Qualys SSL Labs)
Exposed .env / .git / backup file detection
Detection of sensitive pages indexed in Google
Plain-language remediation for every finding
No account required for a basic scan
Part of a full SEO toolset, alongside audit and SERP tools

What's free and what's in Pro

The passive scan is free for any URL, with no account required. Active checks that probe your server run only after you verify ownership of the site (or allow DiagnoSEO in robots.txt). The Advanced (Pro) plan adds the heavier features.

Capability Free Verified owner Advanced (Pro)
Security headers, HTTPS/TLS, cookies, version disclosure
robots.txt / security.txt presence
Sensitive content indexed in Google
Exposed .env / .git / backup files ✅ (basic depth) ✅ (deeper)
Directory listing detection
CMS user enumeration
Premium proxy (bypass WAF / geo-blocking)

How to use the Website Security Test

  1. Go to the Website Security Test in the tool panel.
  2. In the Website URL field, enter the full address you want to test, for example https://example.com.
  3. If you are on a paid plan, open Advanced settings to enable the premium proxy or the Google exposure scan.
  4. Click the Scan website button and wait a few seconds for the report.
  5. Read the overall score and grade at the top of the results.
  6. Work down the categories, starting with any critical findings.
  7. Open each issue to see the evidence and the recommended fix.
  8. Apply the fixes on your server or in your CMS, then run the scan again to confirm.

Case study

The starting point

Imagine you have just taken over a mid-sized online store. You want a quick security read before planning any work.

You open the tool, paste the store's homepage URL, and click Scan website.

Within seconds you see an overall grade of C, with three critical findings highlighted in red.

Reading the report

The first critical issue is an exposed .env file with database credentials. The second is a missing HTTP-to-HTTPS redirect. The third is an expired certificate in the chain.

The headers category also shows missing Content-Security-Policy and HSTS headers. Each comes with a short explanation of the risk.

Fixing the issues

Following the recommendations, you block public access to the .env file. You force HTTPS with a 301 redirect. You renew the certificate with automated renewal enabled.

You then add a Content-Security-Policy and a long-lived HSTS header, exactly as the report suggests.

The result

You run the scan again. The critical findings are gone, the headers category turns green, and the overall grade rises to A.

The store is now safer for customers, free of browser warnings, and in a much stronger position for search visibility.

FAQ

  • Yes. The tool only sends safe, read-only requests to public addresses. It never logs in, changes data, or attempts any exploit.

  • No. A basic scan is available without an account. A paid plan unlocks advanced options such as the premium proxy and the Google exposure scan.

  • The score is a 0-100 summary of all checks, weighted by severity, and it maps to a letter grade from A+ to F. Higher is better.

  • In advanced mode the tool runs targeted search queries for your domain to surface admin panels, listings and files that should not be public.

  • No. It is a fast configuration audit for common issues. A professional penetration test goes much deeper and is still recommended for critical systems.
