Passive · safe on any site · no login to scan

Everything an attacker sees from outside. Graded.

Exposed admin panels, leaked secrets, dangling CNAMEs, missing hardening - checked passively, in minutes. We read what your site already serves to the public. We never touch your backend.

The grade and issue count are free. Unlock every finding - and exactly how to fix it - by verifying an email at your domain. $9/month with monthly re-scans and change alerts, or $49 once.

The outside view

Your site tells strangers more than you think.

Before anyone logs in, your servers hand out headers, certificates, DNS records and files to whoever asks. Most of it is harmless. Some of it is a map. We read all of it - the way an attacker would - and tell you what stands out.

$ yoursite.com
what the street sees
Server: nginx/1.18.0
Framework: X-Powered-By: Express
DNS / email: SPF missing, DMARC p=none
TLS cert: expires in 9 days
Exposed: /.git/config is readable
Every fact here was read from outside. No login, no payload, no touching the backend.
The verdict

One grade. No jargon. Then the receipts.

Every finding is weighted by how much it actually exposes you, rolled into a single A-to-F grade a non-engineer can act on. A real leak - an exposed key, a public bucket, an expired cert - is a hard fail, no matter how clean the rest looks.

A · B · C · D · F
why this site landed on F
  • /.env downloadable by anyone
  • no HTTPS redirect, no HSTS
  • SPF and DMARC missing
A grade is the first thing a stranger forms about you, and they form it in seconds.
What we keep finding

24% of sites we scan have a serious problem open right now.

That's a critical or high-severity exposure - an expired or mismatched certificate, a known-vulnerable library, an unprotected admin panel, a leaked secret. Only 76% of the sites we check earn an A or B. Yours might not be one of them.

A · 10%, B · 66%, C · 17%, D · 3%, E · 0%, F · 3%

Distribution across 29 sites checked on SurfaceCheckr. Sites people choose to scan skew toward the curious and the worried - so treat this as “sites checked here,” not the whole web.

How it works

Three steps. No agent, no access, no attack traffic.

  1. Paste a domain

    Any site you can reach. No account, no install, no permission needed to see what's already public.

  2. We read the surface

    Headers, TLS, exposed files, admin panels, leaked secrets, DNS and email hygiene - passively, in parallel.

  3. Get a graded report

    A shareable report at its own private URL: your grade, the count, and - once unlocked - every fix.

Find out what your site is leaking.

It takes a domain and a couple of minutes. The grade costs nothing.