
Site Security Audit

A full audit of your own (ownership-verified) site: secret exposure (.env/.git/DB dumps), TLS certificate, HTTP security headers, CSP weaknesses & CORS misconfig, cookie flags, email auth (SPF/DKIM/DMARC) and CAA — plus correlation of exposed products against our CISA KEV (actively-exploited) catalog. One graded report with fixes and an AI fix prompt.

This site's server passively fetches the target site (no attack, no exploratory scanning). For safety you can only audit a domain whose ownership you've verified. Internal/private addresses are blocked.

How to use

  1. Enter your own site's domain
     e.g. example.com. You can't audit someone else's site — ownership verification is required.

  2. Verify ownership (any one of three ways)
     Place the shown token via (1) a meta tag (easiest — just paste into your homepage <head>), (2) a DNS TXT record, or (3) a file (one-click download → drop it in /.well-known/). The audit won't start until it's verified.

  3. Hit 'Verify ownership & audit' for the full check
     It checks secret exposure (.env/.git/DB dumps), TLS cert, headers, CSP/CORS, cookies, email auth and KEV correlation (actively-exploited CVEs), and shows an A–F overall grade.

  4. Fix from red to amber
     Each item shows why it's risky and how to fix it. A copy-paste AI prompt is included — paste it into ChatGPT / Claude for steps tailored to your stack.

  5. (Optional) sign up for free monitoring
     Add your email to be notified only when posture worsens. It won't start until you click the confirm link, and you can unsubscribe anytime.
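The ownership gate from step 2, together with the private-address block mentioned above, as an added Python example that is not the tool's own code: resolved addresses are rejected before any fetch, and the token is accepted from whichever of the three placements carries it. The meta tag name, the TXT record format and all sample values are assumptions constructed for the example.

```python
import hmac
import ipaddress
from html.parser import HTMLParser

META_NAME = "site-audit-verify"  # hypothetical <meta name=...> / TXT key


def target_is_allowed(resolved_ips):
    """SSRF guard: refuse to fetch if any resolved address is internal/private."""
    if not resolved_ips:
        return False
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False
    return True


class _MetaScanner(HTMLParser):
    """Collect content= values of <meta name=META_NAME> tags from a page."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == META_NAME and a.get("content"):
            self.tokens.append(a["content"].strip())


def token_matches(expected, candidate):
    """Constant-time comparison so the verifier does not leak token bytes via timing."""
    return hmac.compare_digest(expected.encode(), (candidate or "").strip().encode())


def verify_ownership(expected, html=None, txt_records=(), well_known_body=None):
    """Return 'meta', 'dns' or 'file' for the first placement that proves ownership, else None."""
    scanner = _MetaScanner()
    scanner.feed(html or "")
    if any(token_matches(expected, t) for t in scanner.tokens):
        return "meta"
    prefix = META_NAME + "="  # assumed TXT layout: site-audit-verify=<token>
    for rec in txt_records:
        rec = rec.strip().strip('"')
        if rec.startswith(prefix) and token_matches(expected, rec[len(prefix):]):
            return "dns"
    if well_known_body is not None and token_matches(expected, well_known_body):
        return "file"  # body of /.well-known/<file> holds the bare token
    return None


# Constructed stand-ins for a real DNS answer, homepage fetch and TXT lookup
EXPECTED = "tok_9f3a1c2e"
SAMPLE_HTML = '<html><head><meta name="site-audit-verify" content="tok_9f3a1c2e"></head></html>'
SAMPLE_TXT = ['"v=spf1 -all"', '"site-audit-verify=tok_9f3a1c2e"']
```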

Why it matters

The first thing this tool looks for is an unintentionally public .env, .git, or DB dump left in a web-reachable directory — the exact accident that started this site. On top of that it bundles the TLS certificate, headers, cookie flags, email auth and version disclosure into one 'checkup' of your own ownership-verified site. Ownership verification is required so this never becomes an 'attack tool' aimed at others.

FAQ

Q: Why is ownership verification required?
A: Checking whether sensitive files are public could be reconnaissance if aimed at someone else's site. We only audit once you've proven the domain is yours (meta tag, DNS TXT record or file), which structurally prevents third-party scanning.

Q: Does the audit load my site heavily?
A: No. It passively fetches a small fixed set of paths once each — no fuzzing, no attacks. It's about the load of opening a few pages in a browser.

Q: If the grade is high, am I fully safe?
A: No. It checks representative high-signal items, not every possible risk. Don't over-trust a green result; pair it with least-exposure/least-privilege and ongoing checks of dependencies (OSV scanner), headers and email auth.
