For developers and teams who ship without a security team

Find what your last deploy left exposed.

NullShield is a website security scanner with memory: it runs 22 checks mapped to the OWASP Top 10 against your live site, gives you the exact fix for every issue in plain English, and remembers every scan — so you can prove your security got better, not worse.

$49/mo · cancel in two clicks

A02 Security MisconfigurationA04 Cryptographic FailuresA03 Supply ChainA08 Data IntegrityA10 Exceptional Conditions

Aligned with the OWASP Top 10:2025 and the Mozilla Observatory methodology.

You scanned once. Then you shipped 40 times.

You ran a free header check months ago. Got a B. Felt fine. Since then you added a CDN, changed a cookie, wired up a new analytics tag, and pasted in code an AI wrote. That B is fiction now — and you have no idea what it became.

So when a prospect sends a security questionnaire, you guess. When a client asks "is it secure?", you say "I think so." And the day something leaks, you don't find out from a dashboard — you find out from a customer.

And the free tool you leaned on is going away. securityheaders.com's scanner is being retired in April 2026. Even when it worked, it never remembered yesterday's scan — so it could never tell you whether you were getting safer or sloppier.

Without NullShield

  • ✗ "Is it secure?" — "…I think so."
  • ✗ A one-off grade with no memory
  • ✗ A wall of jargon you can't action
  • ✗ No idea what last week's deploy broke
  • ✗ Security questionnaires you can't answer

With NullShield

  • ✓ "Here's our A, and here's the report"
  • ✓ Every scan kept — see the trend
  • ✓ Plain-English fix for every finding
  • ✓ "3 fixed, 1 new, score 72 → 91"
  • ✓ A PDF you hand straight to the client

Why it's not just another header checker

🔁

It remembers

Every scan is kept. Re-scan after you ship and NullShield shows you exactly what you fixed, what regressed, and how your grade moved — scan over scan. Free tools give you a number and forget you.

🧭

It explains, then fixes

Every finding tells you what it is, why it matters, and the exact change to make — with a link to the OWASP or MDN page. No security degree required.

⚖️

No AI guesswork

The scan is deterministic. The same site gets the same result every time — a grade you can defend to a client or an auditor, not a number an AI made up.

22 checks. One URL. 60 seconds.

No install, no agent, no code change. Paste your address — NullShield does the rest.

🔒 TLS & HTTPS

Valid, current encryption — and that HTTP actually redirects to HTTPS.

🛡️ Security headers

HSTS, CSP, X-Frame-Options and the modern cross-origin isolation headers.

🌐 CORS policy

Whether your site hands data to any origin that asks — credentials and all.

🍪 Cookies

Secure, HttpOnly and SameSite flags that keep sessions from being stolen.

🗝️ Exposed secrets

Hunts for .env, .git, npm tokens, cloud keys and private keys left public.

📦 Supply chain

End-of-life JavaScript libraries and dependency lockfiles served to the world.

🪪 Information disclosure

Server versions and verbose error pages that hand attackers a roadmap.

🚪 Methods & listings

Dangerous HTTP methods and open directory listings you didn't mean to ship.

📧 Email & DNS

SPF, DMARC, DKIM, CAA and DNSSEC that stop spoofing in your name.

🏷️ Script integrity

Third-party scripts that can be silently swapped without Subresource Integrity.

See all 22 checks, in the open →

The maths is not close

A one-off penetration test £3,000–£10,000 — and stale your next deploy
Hiring someone to own this £60,000+/year
One breach you hear about from a customer the account, and the trust
NullShield, every deploy, forever $49/mo
  • Unlimited scans & targets (fair use, 1,000/mo)
  • Full history & before/after comparison
  • Plain-English explanation + exact fix per finding
  • PDF + HTML reports to hand to clients and auditors
  • API access to scan in your CI/CD pipeline

If your first scan finds nothing worth fixing, don't pay.

Run your first scan. If it doesn't surface a single issue you'd actually want to fix, email us inside 7 days and we refund the month — and you keep the report. Cancelling later is two clicks, same as signing up.

Straight answers

Isn't this just securityheaders.com?

No. That checks response headers, once, with no memory — and it's being retired in April 2026. NullShield runs 22 checks beyond headers (TLS, CORS, exposed files, supply chain, DNS), keeps every scan so you can compare, and hands you the exact fix for each one.

Do I have to install anything?

Nothing. It's a black-box external scan — you give it your URL, it does the rest. No agent, no code change, no access to your servers.

Is this a penetration test?

No, and we won't pretend it is. A pentest is a deep, point-in-time engagement that costs thousands. NullShield is continuous external posture monitoring — the thing you run on every deploy between pentests, so the pentest finds less.

Will an AI invent findings?

There's no AI in the scan. Every check is a deterministic rule mapped to the OWASP Top 10. The same site gets the same grade every time — one you can defend to a client or auditor.

What happens if I cancel?

Two clicks, same medium you signed up in. No phone call, no retention maze. Your past reports stay downloadable.

Stop guessing whether it's secure.

Scan, fix, re-scan — and watch your grade climb. Your first report is 60 seconds away.

Start scanning my site — $49/mo

Cancel in two clicks.