Free Tool

Free Website Security Check

Enter your URL and get an instant A–F security grade — TLS, security headers, cookies, and exposed information, checked in seconds.

Passive, read-only checks — no signup required.

What we check

Passive checks of your public attack surface

🔒

TLS & certificate

Protocol versions, certificate validity and expiry, and whether traffic is forced onto HTTPS.

🛡️

Security headers

Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and friends.

🍪

Cookie security

Secure, HttpOnly, and SameSite flags on the cookies your site sets — the difference between a session and a stolen session.

📡

Exposed information

Server banners, framework version leaks, and other details your responses reveal to anyone who asks.

FAQ

Security check questions

What does the free website security check test?

The check runs passive, read-only inspections of your site's public surface: TLS configuration and certificate validity, HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options and others), cookie security flags, redirect behavior, and information the server exposes about itself. It sends the same kind of requests a normal browser does — nothing intrusive.

Is it safe to run on a production website?

Yes. Every check is passive and read-only — equivalent to visiting the site in a browser and reading the responses. No exploitation is attempted, no forms are submitted, and no payloads are sent.

How is the A–F grade calculated?

Each finding reduces a 0–100 score, weighted by severity: high-severity issues cost the most, informational findings the least. The final score maps to a letter grade — A and B indicate a strong baseline, C and D show meaningful gaps, and F signals critical issues in the site's public configuration.

How is this different from a full Penetrify penetration test?

The free check reads surface signals only — it never interacts with your application logic. A full Penetrify AI pentest actively attempts exploitation: it logs in, tests authentication and session handling, probes for injection (SQLi, XSS), hunts IDOR and broken access control, and chains findings the way a real attacker would. The free check tells you how your site looks from the outside; the pentest tells you what an attacker could actually do.

Beyond the surface

Find what a grade can't show

Headers and TLS are the front door. Penetrify's AI pentest tests what's behind it — authentication, access control, injection, and business logic. Results in minutes.