
Site Security Audit

A full audit of your own (ownership-verified) site: secret exposure (.env/.git/DB dumps), TLS certificate, HTTP security headers, CSP weaknesses & CORS misconfig, cookie flags, email auth (SPF/DKIM/DMARC) and CAA — plus correlation of exposed products against our CISA KEV (actively-exploited) catalog. One graded report with fixes and an AI fix prompt.

This site's server passively fetches the target site (no attack, no exploratory scanning). For safety you can only audit a domain whose ownership you've verified. Internal/private addresses are blocked.
Example report (an audit of this site itself, itdef.net):

Overall grade: B (80 / 100)
https://itdef.net/ja · Ownership verified via file

Exposed sensitive files

None of the 24 sensitive paths/directories checked were publicly readable.

TLS certificate

  • Certificate is valid (83 days left).
    • Issuer: Let's Encrypt
    • Protocol: TLSv1.3
    • Cipher suite: TLS_AES_128_GCM_SHA256
    • Expires: Sep 5 07:14:55 2026 GMT

    Transport (HTTPS)

    • Reachable over HTTPS.
    • http redirects to HTTPS.
    • HSTS is enabled.

    Security headers

    Grade B (86/100). Missing/weak items: 1.

    Details in the Security Headers Check

    CSP (Content-Security-Policy) strength

    • 'unsafe-inline' (allows inline JS — badly weakens XSS protection; move to nonce/hash)
    Rebuild it with the CSP Builder

    CORS (cross-origin resource sharing)

    No dangerous CORS origin reflection seen.

    Cookie security flags

    These cookies are missing safety flags.

    • NEXT_LOCALE missing: Secure, HttpOnly

    Email authentication (anti-spoofing)

    • SPF: missing
    • DKIM: OK
    • DMARC: weak
    Details in the SPF/DKIM/DMARC Checker

    Version disclosure

    No prominent server/framework version strings are exposed.

    No CAA (optional, but CAA lets you limit which CAs may issue).
    No security.txt (optional, but a /.well-known/security.txt contact is helpful).
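The transport, CSP and cookie-flag findings listed above can be reproduced with a passive header check. The block below is an added example, not the audit tool's own code; it runs over a constructed set of response headers modelled on the report (the cookie name NEXT_LOCALE and the CSP value are taken from the findings, everything else is made up).

```python
# Added example (not the audit tool's code): passive checks for HSTS,
# CSP script-source weaknesses and missing cookie flags, run over a
# constructed response-header set instead of a live site.

# Constructed sample headers, modelled on the report above.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "set-cookie": [
        "NEXT_LOCALE=en; Path=/",
        "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}

def check_hsts(headers):
    """True when a Strict-Transport-Security header is present."""
    return "strict-transport-security" in {k.lower() for k in headers}

def csp_script_issues(csp):
    """Return weak source keywords in the effective script policy."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when it is absent
    sources = directives.get("script-src", directives.get("default-src", []))
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    return sorted(s for s in sources if s.lower() in weak)

def cookie_missing_flags(set_cookie_values):
    """Map cookie name -> flags missing from Secure/HttpOnly."""
    missing = {}
    for raw in set_cookie_values:
        name = raw.split("=", 1)[0].strip()
        # attribute names are case-insensitive; compare them lower-cased
        attrs = {a.strip().split("=")[0].lower() for a in raw.split(";")[1:]}
        gaps = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if gaps:
            missing[name] = gaps
    return missing

def audit(headers):
    """Collect findings in the same shape the report lists them."""
    return {
        "hsts": check_hsts(headers),
        "csp_weak": csp_script_issues(headers.get("content-security-policy", "")),
        "cookies": cookie_missing_flags(headers.get("set-cookie", [])),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```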

    AI remediation prompt (copy-paste)

    Paste into Claude / ChatGPT for concrete fixes for your stack.

    You are a web security expert. An audit of my own site (itdef.net) found the issues below. For defensive/remediation purposes only, tell me how to fix each one safely on my stack (nginx / Apache / Caddy / cloud, etc.) with concrete commands/config. Ask if anything is unclear, and tell me how to verify the fixes afterward.
    
    - Security headers: content-security-policy
    - CSP (Content-Security-Policy) strength: unsafe-inline
    - Cookie security flags: NEXT_LOCALE (Secure, HttpOnly)
    - Email authentication (anti-spoofing): SPF missing
    - Email authentication (anti-spoofing): DMARC weak
    
    Note: keep existing working behavior intact. No attack techniques or bypasses needed.

    Monitor this site (free)

    Add your email and we'll periodically re-audit this site, emailing you only when its posture gets worse (a new KEV match, a grade drop, or a cert about to expire). It starts only after you click the confirm link (anti-spam). Unsubscribe anytime.

    How to use

    1. Enter your own site's domain

       e.g. example.com. You can't audit someone else's site — ownership verification is required.

    2. Verify ownership (any one of three ways)

       Place the shown token via ①a meta tag (easiest — just paste into your homepage <head>), ②a DNS TXT record, or ③a file (one-click download → drop it in /.well-known/). The audit won't start until it's verified.

    3. Hit 'Verify ownership & audit' for the full check

       It checks secret exposure (.env/.git/DB dumps), TLS cert, headers, CSP/CORS, cookies, email auth and KEV correlation (actively-exploited CVEs), and shows an A–F overall grade.

    4. Fix from red to amber

       Each item shows why it's risky and how to fix it. A copy-paste AI prompt is included — paste it into ChatGPT / Claude for steps tailored to your stack.

    5. (Optional) sign up for free monitoring

       Add your email to be notified only when posture worsens. It won't start until you click the confirm link, and you can unsubscribe anytime.

    Why it matters

    The first thing this tool looks for is an unintentionally public .env, .git, or DB dump left in a web-reachable directory — the exact accident that started this site. On top of that it bundles the TLS certificate, headers, cookie flags, email auth and version disclosure into one 'checkup' of your own ownership-verified site. Ownership verification is required so this never becomes an 'attack tool' aimed at others.

    FAQ

    Q: Why is ownership verification required?

    A: Checking whether sensitive files are public could be reconnaissance if aimed at someone else's site. We only audit once you've proven the domain is yours (DNS TXT or a file), which structurally prevents third-party scanning.

    Q: Does the audit load my site heavily?

    A: No. It passively fetches a small fixed set of paths once each — no fuzzing, no attacks. It's about the load of opening a few pages in a browser.

    Q: If the grade is high, am I fully safe?

    A: No. It checks representative high-signal items, not every possible risk. Don't over-trust a green result; pair it with least-exposure/least-privilege and ongoing checks of dependencies (OSV scanner), headers and email auth.
