Full audit coverage

Everything we check — all 22 of them.

One URL. No install. NullShield runs every check below against your live site, then shows you the result of each one — including the ones you already pass. This is the entire methodology, in the open.

Deterministic and mapped to the OWASP Top 10:2025 — the same site gets the same grade every time.

Transport Security

4 checks

How traffic to your site is encrypted and kept private in transit.

TLS / SSL Certificate

What we check: We open a live HTTPS connection and inspect the certificate — validity, issuer and expiry.

Why it matters: An invalid, expired or untrusted certificate makes browsers warn visitors and breaks trust instantly.

TLS Protocol Versions

What we check: We actively probe whether the deprecated TLS 1.0 and TLS 1.1 protocols are still accepted.

Why it matters: Old TLS versions have known weaknesses and fail modern compliance (PCI DSS, baseline hardening).

HSTS Strength

What we check: When HTTP Strict Transport Security is present we grade its max-age, includeSubDomains and preload readiness.

Why it matters: A weak HSTS policy still leaves a window for downgrade and cookie-stealing attacks on first visit.

HTTPS Redirect

What we check: We request the plain-HTTP version of your site and confirm it forces an upgrade to HTTPS.

Why it matters: Without a redirect, visitors and search engines can land on an unencrypted copy of your site.

Security Headers

2 checks

The HTTP response headers that instruct browsers how to defend your visitors.

HTTP Security Headers

What we check: We check the full set of protective response headers — HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and the cross-origin isolation headers.

Why it matters: These headers are the cheapest, highest-leverage defence against clickjacking, MIME sniffing and data leakage.

Content Security Policy

What we check: When a CSP is set we grade its quality — unsafe-inline, unsafe-eval, wildcard sources and missing directives.

Why it matters: A loose CSP gives a false sense of safety; a tight one is the single best defence against cross-site scripting.

Cookies & Sessions

1 checks

Whether the cookies your site sets are protected against theft and tampering.

Cookie Flags

What we check: We inspect every cookie your site sets for the Secure, HttpOnly and SameSite attributes.

Why it matters: Session cookies without these flags can be stolen over the network or by malicious scripts, hijacking accounts.

Frontend & Content Integrity

4 checks

The scripts, libraries and markup served to your visitors' browsers.

Page Content & Forms

What we check: We parse the rendered HTML for mixed (HTTP) content and forms that submit without CSRF protection.

Why it matters: Mixed content silently breaks encryption, and unprotected forms invite cross-site request forgery.

Subresource Integrity

What we check: We list third-party scripts and stylesheets loaded without an integrity (SRI) hash.

Why it matters: If a CDN you depend on is compromised, SRI is what stops the attacker's code running on your site.

Exposed Source Maps

What we check: We probe whether your first-party JavaScript source maps are publicly reachable.

Why it matters: Published source maps hand attackers your original, commented source code — including logic you meant to hide.

Outdated JavaScript Libraries

What we check: We fingerprint front-end libraries and flag end-of-life versions (old jQuery, Bootstrap, AngularJS, Moment.js).

Why it matters: Unmaintained libraries accumulate public, unpatched vulnerabilities that scanners and bots actively hunt for.

Exposure & Information Disclosure

4 checks

Files, paths and error messages that should never be reachable by the public.

Exposed Sensitive Paths

What we check: We safely probe two dozen high-risk paths — .env, .git, config files, credential stores and admin panels.

Why it matters: A single reachable .env or .git directory can leak database passwords, API keys and your entire codebase.

Directory Listing

What we check: We check common folders for auto-generated index pages that expose their contents.

Why it matters: Open directory listings let anyone browse and download files you never intended to publish.

Error & Debug Disclosure

What we check: We trigger an error path and look for stack traces and debug output from ASP.NET, PHP, Python or the database.

Why it matters: Verbose errors hand attackers your framework, file paths and queries — a roadmap for the next attack.

Version & Banner Disclosure

What we check: We read fingerprinting headers (Server, X-Powered-By, X-AspNet-Version) for software and version numbers.

Why it matters: Advertising exact versions lets attackers match your stack to known exploits in seconds.

Server & API Configuration

4 checks

How your server answers requests, and what it advertises about itself.

HTTP Methods

What we check: We inspect which methods the server advertises and test for the dangerous TRACE method.

Why it matters: Unsafe methods and TRACE enable cross-site tracing and unintended writes against your application.

Cross-Domain Policy Files

What we check: We check for permissive crossdomain.xml and clientaccesspolicy.xml files.

Why it matters: A wildcard cross-domain policy lets other sites' code read responses meant only for your users.

CORS Configuration

What we check: We test your Cross-Origin Resource Sharing policy for wildcard origins, reflected origins and credentialed access.

Why it matters: A misconfigured CORS policy can let any website read your authenticated API responses on a visitor's behalf.

GraphQL Introspection

What we check: We probe common GraphQL endpoints to see whether schema introspection is open to the public.

Why it matters: Open introspection maps your entire API — every type, field and mutation — for an attacker to study.

Email & Domain (DNS)

1 checks

The DNS records that stop your domain being spoofed and your email forged.

Email & DNS Records

What we check: We resolve your domain's SPF, DKIM, DMARC, DNSSEC and CAA records.

Why it matters: Missing SPF/DKIM/DMARC means anyone can send email that looks like it came from your domain.

Disclosure Hygiene

2 checks

The small, expected files that signal a site is professionally maintained.

robots.txt

What we check: We fetch robots.txt and check whether it is present and not accidentally leaking sensitive paths.

Why it matters: A sane robots.txt guides search engines; a careless one can advertise the exact paths you wanted hidden.

security.txt

What we check: We look for a /.well-known/security.txt with valid Contact and Expires fields (RFC 9116).

Why it matters: A security.txt gives researchers a way to report vulnerabilities to you instead of disclosing them publicly.

See your own report in 60 seconds.

Every check above, run against your site, with the exact fix for anything that fails — and a re-scan in 14 days to prove it got better.

Scan my site — $49/mo

Cancel in two clicks · no contract