Free website security scanners: what each one checks, and what they all miss
Search "free website security scanner" and you get a wall of tools, half of them lead-capture forms that email you a "report" to book a sales call. The genuinely useful free ones do exist, and the honest thing nobody tells you is that each good one checks exactly one narrow slice of your security. Run them all and you've covered a lot. The trouble is the seam between them, which is where the things that actually leak your data tend to sit.
Here's a straight map of the free tools worth your time, what each really checks, and the gap they leave when you line them up.
The free tools that are actually good
Qualys SSL Labs does one thing extremely well: it deep-analyzes your TLS configuration and grades it A+ to F. Protocol versions, cipher suites, certificate chain, forward secrecy, dozens of browser handshake simulations. It's free, needs no login, and it's the reference standard for TLS. It checks nothing else. No headers, no DNS, no files, no JavaScript. TLS, one host, on demand.
Mozilla's HTTP Observatory (now on MDN, since the old Observatory was retired in 2024) grades your HTTP security configuration: CSP, cookies, CORS, HSTS, Referrer-Policy, SRI, clickjacking protection. About a dozen header-level tests, scored and graded. It deliberately dropped TLS analysis and says it won't add it back, and it doesn't check for vulnerable software, DNS, or anything behind the headers.
SecurityHeaders.com grades the same family of HTTP response headers, A+ to F, and is the fastest manual header check there is. Worth noting if you automate it: its programmatic API is being retired in April 2026, though the free web tool stays up.
Sucuri SiteCheck answers a different question: is my site infected or blocklisted? It's a free remote scanner that reads your rendered pages for malware, defacement, suspicious redirects, out-of-date CMS versions, and whether you're on a Google or PhishTank blocklist. It's aimed at WordPress and CMS owners, and Sucuri is honest that a remote scanner can't see server-side, so it misses backdoors and database infections by design.
ImmuniWeb's Community Edition is the broadest free set: separate tests for website security, SSL, dark-web credential exposure, email, and privacy, each with its own grade. It even offers free weekly monitoring of up to 3 hosts. The catch is in the shape: each test is a separate tool with a separate report, free results are listed publicly by default unless you tick "hide," and the deeper technical detail sits behind a paid tier.
There are also focused open-source tools for the parts these miss: Retire.js flags JavaScript libraries with known CVEs, and tools like KeyLeak Detector hunt for API keys exposed in your bundles. Both are real and free, and both are command-line tools you run yourself rather than a hosted scan.
The seam between them
Notice what just happened. To cover your external surface with free tools you'd run SSL Labs for TLS, Observatory or SecurityHeaders for headers, SiteCheck for malware, Retire.js for libraries, and something else for secrets and exposed files. Five tools, five reports, five separate grades, on no shared schedule.
| Check | SSL Labs | Headers | SiteCheck | One report |
|---|---|---|---|---|
| TLS / certificate | ✓ | | | ✓ |
| Security headers | | ✓ | | ✓ |
| Malware / blocklist | | | ✓ | |
| Secrets in JS bundle | | | | ✓ |
| Exposed .env, .git | | | | ✓ |
| SPF, DMARC, CAA | | | | ✓ |
| Outdated JS libraries | | | | ✓ |
The rows that no mainstream free hosted scanner covers are the expensive ones: a Stripe key in your bundle, a reachable /.env, an SPF record that lets anyone spoof you, a dangling subdomain. Those are exactly the findings attackers automate, and they fall in the seam between the single-purpose tools. You can close that seam with the open-source command-line tools, but now you're maintaining a small pipeline of five-plus checks instead of looking at your security.
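The seam rows above (secrets in a bundle, a reachable /.env, a permissive SPF record, an unenforced DMARC policy) are the kind of checks the command-line tools mentioned earlier run for you. As an added illustration, not code from this page or from any of the tools it names, here is a small self-check that evaluates those findings over inputs a remote scan of your own domain would fetch. All sample values are constructed; the secret-prefix patterns and the hypothetical function names are assumptions.

```python
import re

# Secret-shaped tokens an external scanner looks for in a JS bundle. The sk_live_ prefix is
# the Stripe live-key form named on the page; AKIA is the AWS access-key-id prefix.
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
DOTENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=", re.M)

# Constructed sample inputs standing in for what a scan of your own site would return.
SAMPLE_BUNDLE = ('const k="AKIAEXAMPLE000000000";'
                 'const s=Stripe("sk_live_EXAMPLE0000000000000000");')
SAMPLE_SPF = "v=spf1 include:_spf.example.net ?all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_ENV = "APP_ENV=production\nDB_PASSWORD=constructed-sample\n"

def find_secrets(js_source):
    """Return (kind, redacted token) for each secret-shaped string; never log the full value."""
    hits = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(js_source):
            tok = m.group(0)
            hits.append((kind, tok[:8] + "..." + tok[-4:]))
    return hits

def spf_allows_spoofing(txt):
    """True when the record does not fail unauthorized senders (+all, ?all, or no all term)."""
    if not txt or not txt.startswith("v=spf1"):
        return True  # no SPF at all: nothing rejects a forged envelope sender
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] not in "-~"
    return True

def dmarc_policy(txt):
    """Return the p= policy of a DMARC record, or None if it is missing or malformed."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags.get("p")

def env_file_exposed(status, body):
    """True only for a 200 whose body is dotenv-shaped, so HTML soft-404 pages do not count."""
    if status != 200 or "<html" in body[:512].lower():
        return False
    return len(DOTENV_LINE.findall(body)) >= 2

def seam_report(bundle, spf_txt, dmarc_txt, env_status, env_body):
    """Assemble the findings that fall between the single-purpose graders."""
    findings = [f"secret in JS bundle: {k} {t}" for k, t in find_secrets(bundle)]
    if spf_allows_spoofing(spf_txt):
        findings.append("SPF does not fail unauthorized senders")
    if dmarc_policy(dmarc_txt) in (None, "none"):
        findings.append("DMARC missing or p=none (no enforcement)")
    if env_file_exposed(env_status, env_body):
        findings.append("/.env is reachable and contains variables")
    return findings
```

Feed it the real TXT records and responses for a domain you own and the findings list is the seam the hosted graders leave open.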
Where SurfaceCheckr fits
We're honest about this: for any single band, the specialist tool is as good or better. SSL Labs will out-analyze us on TLS. Observatory and SecurityHeaders are the header standard. SiteCheck owns malware detection. We don't claim to beat any of them at their one thing.
What SurfaceCheckr does is consolidate. The Stripe key in your bundle and the reachable /.env, the rows in that table no single free tool touches, are findings you can check from outside without logging into anything, because that's exactly where they sit: out in the public surface an attacker reads. So we read that whole surface in one pass. TLS, headers, cookies, CORS, secrets in your JavaScript, exposed files, vulnerable libraries, SRI, and the DNS and email records (SPF, DMARC, CAA, subdomain takeover) that the free graders skip, returned as one A-to-F grade and re-run on a schedule so a new leak shows up the day it ships. That's the same external vantage as every tool on this page, which means the same honest limit: we don't authenticate, we don't replace a pentest. If you'd rather run the free specialists yourself, they're all linked above and they're all worth using. If you'd rather see the whole surface in one grade, that's the thing we built, and the first scan is free.
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.