For developers and teams who ship without a security team
Find what your last deploy left exposed.
NullShield is a website security scanner with memory: it runs 22 checks mapped to the OWASP Top 10 against your live site, gives you the exact fix for every issue in plain English, and remembers every scan — so you can prove your security got better, not worse.
$49/mo · cancel in two clicks
Aligned with the OWASP Top 10:2025 and the Mozilla Observatory methodology.
You scanned once. Then you shipped 40 times.
You ran a free header check months ago. Got a B. Felt fine. Since then you added a CDN, changed a cookie, wired up a new analytics tag, and pasted in code an AI wrote. That B is fiction now — and you have no idea what it became.
So when a prospect sends a security questionnaire, you guess. When a client asks "is it secure?", you say "I think so." And the day something leaks, you don't find out from a dashboard — you find out from a customer.
And the free tool you leaned on is going away. securityheaders.com's scanner is being retired in April 2026. Even when it worked, it never remembered yesterday's scan — so it could never tell you whether you were getting safer or sloppier.
Without NullShield
- ✗ "Is it secure?" — "…I think so."
- ✗ A one-off grade with no memory
- ✗ A wall of jargon you can't action
- ✗ No idea what last week's deploy broke
- ✗ Security questionnaires you can't answer
With NullShield
- ✓ "Here's our A, and here's the report"
- ✓ Every scan kept — see the trend
- ✓ Plain-English fix for every finding
- ✓ "3 fixed, 1 new, score 72 → 91"
- ✓ A PDF you hand straight to the client
Why it's not just another header checker
It remembers
Every scan is kept. Re-scan after you ship and NullShield shows you exactly what you fixed, what regressed, and how your grade moved — scan over scan. Free tools give you a number and forget you.
It explains, then fixes
Every finding tells you what it is, why it matters, and the exact change to make — with a link to the OWASP or MDN page. No security degree required.
No AI guesswork
The scan is deterministic. The same site gets the same result every time — a grade you can defend to a client or an auditor, not a number an AI made up.
22 checks. One URL. 60 seconds.
No install, no agent, no code change. Paste your address — NullShield does the rest.
🔒 TLS & HTTPS
Valid, current encryption — and that HTTP actually redirects to HTTPS.
🛡️ Security headers
HSTS, CSP, X-Frame-Options and the modern cross-origin isolation headers.
🌐 CORS policy
Whether your site hands data to any origin that asks — credentials and all.
🍪 Cookies
Secure, HttpOnly and SameSite flags that keep sessions from being stolen.
🗝️ Exposed secrets
Hunts for .env, .git, npm tokens, cloud keys and private keys left public.
📦 Supply chain
End-of-life JavaScript libraries and dependency lockfiles served to the world.
🪪 Information disclosure
Server versions and verbose error pages that hand attackers a roadmap.
🚪 Methods & listings
Dangerous HTTP methods and open directory listings you didn't mean to ship.
📧 Email & DNS
SPF, DMARC, DKIM, CAA and DNSSEC that stop spoofing in your name.
🏷️ Script integrity
Third-party scripts that can be silently swapped without Subresource Integrity.
The maths is not close
- Unlimited scans & targets (fair use, 1,000/mo)
- Full history & before/after comparison
- Plain-English explanation + exact fix per finding
- PDF + HTML reports to hand to clients and auditors
- API access to scan in your CI/CD pipeline
If your first scan finds nothing worth fixing, don't pay.
Run your first scan. If it doesn't surface a single issue you'd actually want to fix, email us inside 7 days and we refund the month — and you keep the report. Cancelling later is two clicks, same as signing up.
Straight answers
Isn't this just securityheaders.com?
No. That checks response headers, once, with no memory — and it's being retired in April 2026. NullShield runs 22 checks beyond headers (TLS, CORS, exposed files, supply chain, DNS), keeps every scan so you can compare, and hands you the exact fix for each one.
Do I have to install anything?
Nothing. It's a black-box external scan — you give it your URL, it does the rest. No agent, no code change, no access to your servers.
Is this a penetration test?
No, and we won't pretend it is. A pentest is a deep, point-in-time engagement that costs thousands. NullShield is continuous external posture monitoring — the thing you run on every deploy between pentests, so the pentest finds less.
Will an AI invent findings?
There's no AI in the scan. Every check is a deterministic rule mapped to the OWASP Top 10. The same site gets the same grade every time — one you can defend to a client or auditor.
What happens if I cancel?
Two clicks, same medium you signed up in. No phone call, no retention maze. Your past reports stay downloadable.
Stop guessing whether it's secure.
Scan, fix, re-scan — and watch your grade climb. Your first report is 60 seconds away.
Start scanning my site — $49/moCancel in two clicks.