What an attacker sees before they touch your site

What can someone learn about your site without hacking it?

Somebody opens your homepage, but they don't read the copy. They open devtools, watch the headers come back, pull your DNS, click through the certificate, and start a text file with your name on it. They never type a password and they never trip a single alert.

That's reconnaissance, and it's the first thing that happens to any site that gets attention. Not exploits, not brute force, not anything you'd see in a log as an attack. Just a stranger looking at what you've already made public and writing it down. The uncomfortable part is how much of it you handed over on purpose, without ever deciding to.

So ask the question plainly: if someone studied your site from the outside for ten minutes, before touching a single thing, what would they walk away knowing?

What the street sees

Your site is talking before anyone asks it anything. Open a connection and the server volunteers a stack of facts.

The response headers tell whoever's listening what you run. A Server: nginx/1.18.0 header pins your web server and its exact version. An X-Powered-By: Express header names your application framework. Your TLS certificate, which has to be public for HTTPS to work at all, carries every subdomain you put on it in the SAN list, so api., staging., internal-admin. are all readable by anyone who looks. Your DNS records are public by definition: an outsider can pull your mail setup and see whether your SPF record exists, whether your DMARC policy is p=none, whether you have a CAA record at all.

None of this requires a login. None of it trips an alert. It's the same information your browser uses every time it loads the page, just collected and read with intent.

$ yoursite.com
what the street sees

  Server:       nginx/1.18.0
  Framework:    X-Powered-By: Express
  DNS / email:  SPF missing, DMARC p=none
  TLS cert:     expires in 9 days
  Exposed:      /.git/config is readable

Every fact here was read from the outside. No login, no payload, no touching the backend.

The first pass is about building a profile. What you run, how old it is, where your soft edges probably are. By the time anyone tries anything, they already know where to aim.
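To make the profile above concrete from the owner's side, here is an added example (not SurfaceCheckr's code) that reads the same public facts the section describes and turns them into findings: a Server header carrying a version, an X-Powered-By header, a missing SPF record, a DMARC policy of p=none, a missing CAA record, and a certificate close to expiry. The raw header block, the DNS TXT answers, the empty CAA answer and the certificate dates are all constructed samples standing in for what a real response, a dig query and a certificate would return; the domain yoursite.com is the page's own placeholder.

```python
"""Passive surface self-audit over constructed sample data.

Added example, not the scanner's own code. Inputs are constructed stand-ins
for a raw HTTP response, DNS TXT/CAA answers and a certificate's expiry.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed raw response as a browser would receive it.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: Express\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Constructed TXT answers keyed by the name queried, quoted as dig prints them.
SAMPLE_TXT = {
    "yoursite.com": ['"site-verification=abc123"'],          # no v=spf1 record at all
    "_dmarc.yoursite.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@yoursite.com"'],
}
SAMPLE_CAA = []                                               # constructed: no CAA published
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)        # constructed "today"
SAMPLE_NOT_AFTER = SAMPLE_NOW + timedelta(days=9)             # constructed cert expiry


def parse_headers(raw):
    """Turn a raw response header block into a case-insensitive dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if not line:                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(headers):
    """Flag headers that hand a reader the product and exact version."""
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d", server):               # "nginx/1.18.0" style version suffix
        findings.append(f"Server header discloses exact version: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses framework: {headers['x-powered-by']}")
    return findings


def txt_records(answers):
    """Strip the quotes dig prints around TXT strings."""
    return [a.strip().strip('"') for a in answers]


def spf_record(answers):
    """Return the v=spf1 record among the TXT answers, or None."""
    for rec in txt_records(answers):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def dmarc_tags(answers):
    """Parse 'v=DMARC1; p=none; rua=...' into a tag dict, or None if absent."""
    for rec in txt_records(answers):
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                key, _, value = part.partition("=")
                if key.strip():
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def dns_findings(domain, txt_by_name, caa_records):
    """Mail-authentication and issuance-policy gaps visible in public DNS."""
    findings = []
    if spf_record(txt_by_name.get(domain, [])) is None:
        findings.append("SPF record missing")
    tags = dmarc_tags(txt_by_name.get(f"_dmarc.{domain}", []))
    if tags is None:
        findings.append("DMARC record missing")
    elif tags.get("p", "none") == "none":
        findings.append("DMARC policy is p=none (monitor only)")
    if not caa_records:
        findings.append("No CAA record: any CA may issue for this domain")
    return findings


def cert_findings(not_after, now, warn_days=30):
    """Expiry check on the certificate's notAfter date."""
    days_left = (not_after - now).days
    if days_left < 0:
        return [f"TLS certificate expired {-days_left} days ago"]
    if days_left <= warn_days:
        return [f"TLS certificate expires in {days_left} days"]
    return []


def audit(domain, raw_headers, txt_by_name, caa_records, not_after, now):
    """The whole outside profile as a list of finding strings."""
    return (header_findings(parse_headers(raw_headers))
            + dns_findings(domain, txt_by_name, caa_records)
            + cert_findings(not_after, now))


if __name__ == "__main__":
    for finding in audit("yoursite.com", SAMPLE_HEADERS, SAMPLE_TXT,
                         SAMPLE_CAA, SAMPLE_NOT_AFTER, SAMPLE_NOW):
        print("-", finding)
```

Running it against your own site means swapping the constructed inputs for a real response (any HTTP client), the TXT and CAA answers from your resolver, and the notAfter date from the served certificate; the checks themselves do not change. The DMARC parser treats a record with no p tag as p=none, which matches how a receiver would read it.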

From facts to a plan

A version string isn't dangerous on its own. It becomes dangerous when someone pairs it with a list of known vulnerabilities for that exact version. That's a thirty-second lookup. If your Server header says you're three years behind on patches, you've published a shopping list, and your tech stack being public is its own problem worth understanding.

The same logic runs across everything that's exposed. Each public fact narrows the search.

  • A robots.txt that disallows /admin doesn't hide it; it advertises it. Crawlers read robots.txt first, and so does anyone curious.
  • Source maps left in production hand over your original, unminified source, including comments and internal route names you assumed nobody would read.
  • A dangling CNAME pointing at a deprovisioned cloud service is a subdomain takeover waiting to happen, and it's visible in your DNS.
  • Common paths get probed without ceremony: /.env, /.git/config, /backup.sql, /wp-config.php.bak. If any of those returns content instead of a 404, the recon phase just became the breach.

Notice none of this involves attacking you in the sense you'd picture. It's reading. The work an attacker does before the work you'd actually notice.
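The four items in that list can each be checked from the owner's side before anyone else reads them. The following added example (not SurfaceCheckr's code) pulls advertised paths out of a robots.txt, finds source-map references in a shipped bundle, lists CNAMEs whose target no longer resolves, and reports which of the common leak paths answered with real content. The robots.txt, the JavaScript tail, the CNAME table, the resolver stub and the fetch results are all constructed samples; the hostnames under yoursite.com and the example.net targets are placeholders. One caveat the example handles: a site with a catch-all route returns 200 for every path, so a path counts as exposed only when its body differs from the site's catch-all page.

```python
"""Exposed-artifact self-check over constructed sample data.

Added example, not the scanner's own code. Every input below is a constructed
stand-in for what a fetch of your own site or a DNS lookup would return.
"""
import re

# Constructed robots.txt as served from the site root.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin
Disallow: /internal-reports/
Allow: /
"""

# Constructed tail of a minified bundle as shipped to browsers.
SAMPLE_JS = "!function(){}();\n//# sourceMappingURL=app.3f2a.js.map\n"

# Constructed CNAME table and a resolver stub listing which targets still resolve.
SAMPLE_CNAMES = {
    "blog.yoursite.com": "hosted-blog.example.net.",
    "old-shop.yoursite.com": "retired-store.example.net.",   # service deprovisioned
}
RESOLVABLE = {"hosted-blog.example.net."}

# Constructed fetch results: path -> (status, body). The site has a catch-all
# route, so an unknown path returns the homepage with a 200 rather than a 404.
SAMPLE_HOMEPAGE = "<html><title>Your Site</title></html>"
SAMPLE_FETCHES = {
    "/.env": (200, "DB_PASSWORD=placeholder\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "/backup.sql": (200, SAMPLE_HOMEPAGE),          # soft 404, not a leak
    "/wp-config.php.bak": (404, "Not Found"),
}


def robots_disallows(text):
    """Paths robots.txt asks crawlers to skip; each is readable by anyone."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value and value != "/":
            paths.append(value)
    return paths


def sourcemap_refs(js):
    """Source-map filenames a shipped bundle points the browser at."""
    return re.findall(r"^//[#@]\s*sourceMappingURL=(\S+)", js, flags=re.MULTILINE)


def dangling_cnames(cnames, resolvable):
    """CNAMEs whose target no longer resolves: takeover candidates."""
    return [(name, target) for name, target in cnames.items()
            if target not in resolvable]


def exposed_paths(fetches, soft_404_body=None):
    """Paths that answered 200 with content, ignoring the catch-all page."""
    found = []
    for path, (status, body) in fetches.items():
        if status != 200 or not body.strip():
            continue
        if soft_404_body is not None and body == soft_404_body:
            continue
        found.append(path)
    return sorted(found)


def report(robots, js, cnames, resolvable, fetches, catch_all_body):
    """All four checks as one list of finding strings."""
    findings = []
    for path in robots_disallows(robots):
        findings.append(f"robots.txt advertises {path}")
    for name in sourcemap_refs(js):
        findings.append(f"shipped JS references source map {name}")
    for name, target in dangling_cnames(cnames, resolvable):
        findings.append(f"dangling CNAME {name} -> {target}")
    for path in exposed_paths(fetches, catch_all_body):
        findings.append(f"{path} is readable")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_ROBOTS, SAMPLE_JS, SAMPLE_CNAMES, RESOLVABLE,
                          SAMPLE_FETCHES, SAMPLE_HOMEPAGE):
        print("-", finding)
```

To run this against a real site, fetch a path you know does not exist and pass its body as the catch-all reference; without that step, a framework that serves the homepage for every route makes every probed path look exposed. The resolver stub stands in for an actual lookup of each CNAME target.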

What recon does not see

Be precise about the boundary, because it's the honest part. Passive reconnaissance from outside cannot see your business logic. It can't test whether your authorization checks hold, whether one user can read another's data, whether your payment flow can be tricked. It doesn't log in, doesn't submit payloads, doesn't try injection. Those failures are real and a passive scan won't find them. That's what a pentest is for, and a pentest is a different, deeper exercise.

What recon sees is the outside surface: the headers, the certs, the DNS, the files that answer when they shouldn't, the secrets that escaped into your JavaScript. That surface is large, it's mostly invisible to you because you never look at your own site the way a stranger does, and it's exactly where most real-world compromises start. The attacker reads the street before they ever knock.

Read your own house first

The fix for reconnaissance is to know what's readable and decide whether you meant to expose it. Hiding isn't on the table; the data is public by design. You can't act on a surface you've never seen.

SurfaceCheckr builds that same profile and hands it to you first. It reads the headers, walks the DNS and email records, checks the certificate, probes the common exposed paths, and scans your shipped JavaScript for secrets, then writes up what it found in a few minutes. Every one of those things is readable by anyone, which is exactly why we can read it with no access to your servers and nothing installed on them.

The honest limit is that we only see the street. A passive external scan can't tell you whether your authorization holds or your payment flow can be tricked; that's pentest work. But the recon profile is the part most people have never once looked at, and it's where you start.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.