This is a security scanning service. Using passive scanning techniques, it will check a website to ensure compliance with a number of common and recommended security standards.
Nothing! It's 100% free to use this service. The goal is to improve security across the internet and make security checks easily accessible to developers who may not be knowledgeable about all the security protocols they should be using.
No. Although security scanners have a reputation for throwing thousands of requests per minute at a website (and sometimes DOSing it in the process), this tool makes only two (three for HTTPS) requests to your site. It will not submit any forms or data, nor will it download files or otherwise harm your site in any way. Think of it as two people loading your web page.
This scanner will check your response headers and page body for a number of common web security standards. For example, it will check for the presence of X-Frame-Options, the HttpOnly and Secure flags for cookies, the use of HTTPS, etc. It does not current support checking for other known vulnerabilities such as cross-site scripting or SQL injection (that would require more intense scans).
It depends. This site is aiming for an absolute best security approach. If you are scanning a blog or a simple static site, you probably don't need HTTPS or X-Frame-Options might be overkill. This scan works best for slightly more complex web apps that may have login forms, transfer sensitive user information, or otherwise require more security. This doesn't mean you can't scan simple sites; it just means the results will be much less helpful.
Yes, anyone can scan any website (with a few exceptions). However, unlike other scanners this is not actively checking for vulnerabilities but instead passively looking at the response that everyone receives. In other words, anyone can see the data this tool sees simply by visiting the web page. There is no 'hacking' or attacking occurring.
I'm not a lawyer, so this is answer is offered "as is." However, this scan does nothing more than perform a GET request of the URL in question and analyze the headers and content for various security best practices. There is no modification of content, cookies, URL parameters, or any other kind of injection or repeated requesting. If you are a site owner and still do not feel comfortable allowing others to send this request, you may add your site to the blacklist via the email in the footer. This being said, you ARE legally responsible for any action you take using these results. So if it tells you that site X doesn't use STS and you perform a man-in-the-middle attack, you're legally responsible.
Because discussing the answer to the previous question with federal agents in my apartment is not something I have planned for this week.
The grade is a percentage calculated based on the number of tests successfully performed (not those skipped or that returned an error) and the result of each test. Each test is given a severity ranking based on how large of a security concern and how exploitable the vulnerability is (I assigned these; they are based on my research and may not represent real world conditions for every website). Based on this ranking, a numerical value between 0 and 10 is given to the test for 'possible points.' Then, based on the results, either some or all of those points will be added to the score for later calculation of a percentage.
Within each test result, there is a tab for 'More Information.' For many of the tests, it includes information about implementing the security practice or includes links that provide further instruction. By adding the security check and re-running the scan, your grade should improve if the scan was successful and the check implemented correctly.
Yes! Every scan is given a unique id that is also part of the URL. Simply copy the URL and share it. Because results contain a lot of information (and I don't have infinite storage for the site's database) results may be deleted after 30 days.
Because this is a learning project I finished up in a weekend and there are probably errors. I did my best to implement the checks, but there will undoubtedly be something that it misses or reads incorrectly. If you find a glaring error, feel free to shoot me an email at matthewdf10 (at) gmail (dot) com.
Yes, I've scanned the site with itself. As I mentioned, not every security check is necessary for every website. The score reflects adherence to a long list of security policies, many of which may be excessive for a very simple site. It is ultimately up to the developer to implement the necessary precautions; this site simply helps point out if something might be missing.
I'm a student studying computer networking and security. I've done a lot of research, reading, and project development on my own time related to web application security. I've also had multiple internships working in network and application security, including a six month co-op at Mozilla where I worked primarily with web application security where I worked on a larger scale version of something similar to this. I am certainly not an expert! I made this project as a learning experience for me, as well as to help improve security around the web. I enjoy hacking on personal projects, setting up services in VMs and breaking them, and responsibly reporting web security bugs. My email is matthewdf10 (at) gmail (dot) com if you have additional questions.
Absolutely, it's hosted over at my GitHub: https://github.com/matthewdfuller/Web-Security-GUI.
Dot TK domains are free. I'm not making any money from this service so I don't plan to spend extra money on it.
Top