Website SecurityPosture Scanner
What We Scan
Six categories of passive, non-invasive security checks that evaluate your website's defense layers without any exploitation.
HTTPS / TLS Analysis
Verify HTTPS usage, detect TLS version (1.2/1.3), validate certificate expiration and issuer, and check for HSTS header presence.
HTTP Security Headers
Evaluate Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy.
Cookie Security
Detect all cookies set by the target and audit their flags: Secure, HttpOnly, and SameSite attributes for session protection.
Information Exposure
Check for server header leakage, technology/version exposure, open directory detection, and publicly accessible sensitive paths like /.git/ or /config.
Technology Fingerprinting
Identify the tech stack including frameworks, CMS, and server software. Flag outdated or potentially risky technologies using rule-based detection.
Reputation & Threat Signals
Check against external threat intelligence APIs and blacklist databases. Detect if the domain has been flagged for malware, phishing, or spam.
How It Works
From URL input to structured security report in four steps. Every check is passive and non-invasive.
URL Input & Validation
User submits a URL. The system normalizes it (handles http/https, trailing slashes, redirects) and validates the input format before proceeding.
Parallel Security Checks
The scanner dispatches modular checks in parallel: TLS analysis, header inspection, cookie auditing, exposure detection, tech fingerprinting, and reputation queries.
Weighted Scoring
Each category produces a sub-score. These are combined using a weighted model: TLS (20%), Headers (30%), Cookies (15%), Exposure (20%), Reputation (15%).
Report Generation
A structured JSON report is generated with a numerical score (0-100), letter grade (A-F), per-category breakdowns, and actionable issue cards with severity, impact, and fix recommendations.
// All checks complete in under 10 seconds for most websites
Scoring Methodology
A weighted scoring model that produces a numerical score (0-100) and a letter grade (A-F) based on five security categories.
Category Weights
// scoring formula
total = (tls * 0.20) + (headers * 0.30) + (cookies * 0.15) + (exposure * 0.20) + (reputation * 0.15)> Grade Scale
// Each sub-score is normalized to its max weight before aggregation
Clean MVP Architecture
Modular Python backend with one scanner per security category. Each scanner is independent, testable, and replaceable. The scoring engine aggregates results using configurable weights.
The frontend (this site) is a statically exported Next.js app that calls the FastAPI /scan endpoint. No server-side rendering needed — the backend does all the work.
FastAPI
Backend framework
Async-first, auto-generated OpenAPI docs, type validation via Pydantic
httpx
HTTP client
Async support, redirect following, TLS inspection capabilities
Python ssl
TLS analysis
Certificate parsing, TLS version detection from stdlib
Pydantic
Data validation
Structured request/response models with automatic validation
Next.js
Frontend
This very site -- React-based, statically exported, zero-cost hosting
Playwright
Dynamic inspection
Optional: renders JS-heavy sites for cookie and header capture
Project Structure
Scaling Roadmap
API & Code
Working MVP-level backend code and example scan output. Ready to extend into a production SaaS product.
/scanRequest Body
{ "url": "https://example.com" }Response (200 OK)
{
"url": "https://example.com",
"score": 82,
"grade": "B",
"categories": {
"tls": {
"score": 18,
"max": 20,
"status": "good",
"details": {
"https": true,
"tls_version": "TLSv1.3",
"cert_valid": true,
"cert_issuer": "Let's Encrypt",
"cert_expiry": "2026-08-15",
"hsts": true
}
},
"headers": {
"score": 21,
"max": 30,
"status": "warning",
"present": [
"X-Content-Type-Options",
"X-Frame-Options",
"Strict-Transport-Security"
],
"missing": [
"Content-Security-Policy",
"Permissions-Policy"
],
"weak": []
},
"cookies": {
"score": 13,
"max": 15,
"status": "good",
"cookies_found": 2,
"flags": {
"secure": true,
"httponly": true,
"samesite": "Lax"
}
},
"exposure": {
"score": 16,
"max": 20,
"status": "warning",
"server_header": "nginx/1.24.0",
"tech_detected": ["nginx", "React"],
"sensitive_paths": [],
"open_dirs": false
},
"reputation": {
"score": 14,
"max": 15,
"status": "good",
"blacklisted": false,
"safe_browsing": "clean",
"phishing": false
}
},
"issues": [
{
"severity": "high",
"issue": "Missing Content-Security-Policy",
"impact": "Increased risk of XSS attacks",
"recommendation": "Add: Content-Security-Policy: default-src 'self'"
},
{
"severity": "medium",
"issue": "Server version exposed (nginx/1.24.0)",
"impact": "Attackers can target known CVEs",
"recommendation": "Set: server_tokens off; in nginx.conf"
},
{
"severity": "medium",
"issue": "Missing Permissions-Policy",
"impact": "Browser features not restricted",
"recommendation": "Add: Permissions-Policy: camera=(), microphone=(), geolocation=()"
}
],
"summary": "Good security posture with room for improvement. TLS configuration is strong. Add missing security headers (CSP, Permissions-Policy) and hide server version to reach grade A."
}# main.py - FastAPI backend
from fastapi import FastAPI
from pydantic import BaseModel, HttpUrl
from scanners import tls_scanner, header_scanner, cookie_scanner
from scoring import calculate_score
app = FastAPI(title="SecureScan API")
class ScanRequest(BaseModel):
url: HttpUrl
@app.post("/scan")
async def scan_url(request: ScanRequest):
url = str(request.url)
# Run all scanners in parallel
tls_result = await tls_scanner.scan(url)
header_result = await header_scanner.scan(url)
cookie_result = await cookie_scanner.scan(url)
# ... exposure, reputation scanners
# Calculate weighted score
score, grade = calculate_score({
"tls": tls_result,
"headers": header_result,
"cookies": cookie_result,
})
return {
"url": url,
"score": score,
"grade": grade,
"categories": { ... },
"issues": collect_issues(tls_result, header_result, ...),
"summary": generate_summary(score, grade)
}
# --- header_scanner.py ---
import httpx
SECURITY_HEADERS = {
"Content-Security-Policy": 6,
"X-Frame-Options": 5,
"X-Content-Type-Options": 4,
"Strict-Transport-Security": 6,
"Referrer-Policy": 4,
"Permissions-Policy": 5,
}
async def scan(url: str) -> dict:
async with httpx.AsyncClient() as client:
resp = await client.get(url, follow_redirects=True)
present, missing, score = [], [], 0
for header, points in SECURITY_HEADERS.items():
if header.lower() in {k.lower() for k in resp.headers}:
present.append(header)
score += points
else:
missing.append(header)
return {
"score": score,
"max": sum(SECURITY_HEADERS.values()),
"present": present,
"missing": missing,
"issues": [
{
"severity": "high" if pts >= 5 else "medium",
"issue": f"Missing {h}",
"impact": get_impact(h),
"recommendation": get_fix(h),
}
for h, pts in SECURITY_HEADERS.items()
if h in missing
]
}Intelligence Layer
Every issue in the report includes three components designed for non-security-experts:
WHY it matters
Missing CSP allows attackers to inject malicious scripts that steal user data or redirect traffic.
HOW to fix it
Add to your server config: Content-Security-Policy: default-src 'self'; script-src 'self'
SEVERITY level
High / Medium / Low classification based on real-world exploitability and business impact.