# OffURL – Website Security Audit Platform

**The only security audit built for AI-powered shipping.**  
Comprehensive security & performance audit with 150+ checks across 16+ categories.

**Workflow:** `Scan → Premium PDF → Feed to Claude/Cursor/Grok → Get exact fixes → Deploy securely`

**First report free premium** · No credit card · Instant results · 30 seconds · No account required

---

## Platform Statistics

| Metric | Value |
|--------|-------|
| Security Categories | 16+ |
| Individual Checks | 150+ |
| Account Required | 0 |
| Report Generation | 30 seconds |
| First Report | Free Premium |
| Subsequent Reports | $1.99 |

---

## Independent Market Recognition

Based on **Perplexity Deep Research (May 2026)** comparing 12+ leading website security tools across 10+ dimensions:

| Finding | OffURL Ranking |
|---------|----------------|
| Breadth of passive audit coverage | **#1** |
| Accessibility (No signup required) | **#1** |
| Report actionability for LLM ingestion | **#1** |
| Value density per unit of user effort | **#1** |
| Scan speed | Top Tier |

**Key differentiators identified by independent analysis:**
- Broadest coverage: SSL, headers, DNS/email, malware, CVE, threat intel in one audit
- Zero friction: No account, no credit card, instant first premium report
- Actionable reports: Fix steps, code snippets, "why this matters" explanations
- Fastest insights: Sub-minute comprehensive audit

---

## For AI Developers & Vibe Coders

OffURL is purpose-built for AI-assisted development workflows. The premium PDF report is explicitly optimized for direct ingestion into coding LLMs.

### The AI Workflow

1. Enter any website URL → Run Free Audit (30 seconds)
2. Download Premium PDF report
3. Paste PDF content into your preferred LLM
4. Get exact code/config fixes → Deploy securely

### LLM Prompt Template

```text
"Here is the OffURL security report for my [framework] web application.
Go through each finding, suggest precise code/config changes for [Next.js/FastAPI/Laravel/etc.],
output a prioritized fix list with severity levels, and provide ready-to-apply code diffs where possible:

[PASTE REPORT TEXT HERE]"
```

### Common Security Issues in AI-Generated Code

Based on thousands of audits of AI-generated web applications:

| Issue | Prevalence |
|-------|------------|
| Exposed .env files | 42% |
| Missing HSTS security headers | 38% |
| Missing CSP policies | 35% |
| Weak email authentication (SPF/DKIM/DMARC) | 31% |
| Mixed content (HTTP on HTTPS pages) | 28% |
| Missing rate limiting on login endpoints | 25% |
| Insecure cookie flags | 22% |

OffURL detects all of these and provides fix steps or LLM prompts to resolve them.

---

## Security Capabilities

### Application Security (17 checks)
XSS, SQLi, NoSQLi, LDAPi, XXE, SSRF, SSTI, code injection, open redirect, path traversal, LFI, RFI, command injection, CRLF injection, parameter pollution, CORS misconfiguration.

### Infrastructure & SSL (17 checks)
SSL/TLS analysis, TLS versions (1.0-1.3), open ports (21,22,23,25,80,443,3306,5432,27017,6379,8080,8443), DNS health (A, MX, NS, SOA, DNSSEC), WHOIS (creation, expiry, registrar, privacy status), IP geolocation, hosting provider detection.

### Email Security (6 checks)
SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT – complete spoofing protection audit with syntax validation.
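
The SPF and DMARC syntax checks above are the part of this audit a team can reproduce offline against its own zone. The Python below is an added example, not OffURL's checker: the TXT records are constructed samples, and the rules (the `all` qualifier, the 10-lookup limit of RFC 7208, the `p`/`rua`/`pct` tags of RFC 7489) are the standard ones rather than a reproduction of the platform's validation.

```python
# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 ip4:203.0.113.0/24 include:a.test include:b.test +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; pct=50"],
    "nospf.test": [],
}

# Mechanisms that each cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
LOOKUP_NAMES = ("a", "mx", "ptr", "include", "exists")


def check_spf(records):
    """Return a list of findings for the TXT records published at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (RFC 7208 requires exactly one)")
    qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = mech.lower().split(":", 1)[0].split("/", 1)[0]
        if name == "all":
            qualifier = q
            break  # anything after 'all' is ignored by evaluators
        if name in LOOKUP_NAMES or name.startswith("redirect="):
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorises every sender, so the record blocks nothing")
    elif qualifier == "?":
        findings.append("'?all' is neutral; use '~all' or '-all'")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(records):
    """Return a list of findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address, so aggregate reports are never received")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    return findings


def audit_email_auth(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; txt maps DNS names to TXT strings."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get("_dmarc." + domain, [])),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "nospf.test"):
        print(d, audit_email_auth(d))
```

To run it against live DNS, replace `SAMPLE_TXT` with the TXT answers from a resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`, joining the character strings of each answer); the checks themselves need no network access, which is what makes them usable in a CI job.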

### Security Headers (11+ checks)
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP, Cache-Control, CSP deep analysis (unsafe-inline, unsafe-eval, wildcards detection).

### Content & Malware (16 checks)
Mixed content detection, eval() calls, base64_decode, document.write(), fromCharCode, gzinflate, system() calls, CoinHive miner, credit card skimmers, obfuscated code, exposed .env/.git/backup/error_log files, email disclosure, code snippets analysis.

### Technology Stack Detection (18+ technologies)
CMS (WordPress, Drupal, Joomla, Shopify), JS frameworks (React, Vue, Angular, jQuery, Svelte, Alpine.js, HTMX), backend (PHP, Laravel, Node.js, Express, Django, Rails, ASP.NET), build tools (Webpack, Vite, Parcel, Gulp, Grunt), hosting/CDN (Cloudflare, Nginx, Apache, LiteSpeed).

### Penetration Testing (11 tests)
LFI, RFI, command injection, CRLF injection, parameter pollution, hidden endpoint fuzzing (25+ paths), rate limiting test (30 requests/3 seconds), CORS misconfiguration, CSRF protection detection, HTTP methods (PUT/DELETE/TRACE/CONNECT), cookie security (Secure/HttpOnly/SameSite).

### Performance & SEO (8 checks)
Page load time, TTFB, page size, GZIP/Brotli compression, cache headers, resource hints (preload/preconnect/dns-prefetch), sitemap validation, broken links detection, SEO metadata (canonical, OG tags, Twitter Cards, JSON-LD, H1, title length, description length).

### Domain Intelligence (15 checks)
Domain age, Archive.org first crawl, SEOkicks Pop score, related domains, Wikipedia backlinks, Google indexing status (via DuckDuckGo), GEO match (server vs content), suspicious TLD detection (.xyz/.top/.click), typosquatting detection (200+ domains), brand impersonation (70+ brands), suspicious text patterns (urgent/panic language), phishing blocklist, threat intelligence (URLhaus, Feodo Tracker, PhishTank).

### Accessibility (WCAG 2.1 - 6 checks)
Image alt attributes, ARIA attributes, heading hierarchy (H1-H6), HTML lang attribute, color contrast, focus indicators.

### Compliance & Policies
robots.txt validation, security.txt (RFC 9116), CSRF token detection.

### Vulnerability Management
Software version detection (WordPress, jQuery, Bootstrap, React, Vue, Angular, server software), CVE lookup via NVD API (7-day cache), CPE mapping.

### Additional Security
MFA detection, external script risk analysis (supply chain attacks), subdomain takeover detection (9 subdomains: www, mail, ftp, blog, shop, api, dev, staging, test), API endpoint discovery (REST, GraphQL, Swagger), exposed API key detection.

### Hidden Endpoint Fuzzing Paths
Scans 25+ sensitive paths including: `/admin`, `/wp-admin`, `/backup`, `/backup.zip`, `/api`, `/api/v1`, `/swagger`, `/docs`, `/phpmyadmin`, `/mysql`, `/db`, `/.env`, `/.git`, `/.git/config`, `/info.php`, `/phpinfo.php`, `/server-status`, `/cpanel`, `/webmail`

### Rate Limiting Test
Sends 30 rapid requests to `/login`, `/reset-password`, `/api/login` in ~3 seconds. Detects HTTP 429 (Too Many Requests), 403, or 503 responses. Measures success rate and duration.

### Subdomain Takeover Detection
Detects dangling CNAME records pointing to unclaimed external services (AWS S3, GitHub Pages, Heroku, Azure Storage, WordPress.com, Shopify, Fastly, Cloudfront).
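
The same inventory check can be run by a domain owner against their own zone before an audit flags it. The Python below is an added example, not OffURL's implementation: the nine subdomain labels come from the list above, the service suffixes are constructed from the services named above (extend them for your own providers), and the DNS answers are a fixture standing in for live lookups. It treats "target does not resolve" as the dangling signal; for some providers the page's check would instead need the service's own "unclaimed" response, which this example does not model.

```python
# The nine subdomains the audit checks.
SUBDOMAINS = ("www", "mail", "ftp", "blog", "shop", "api", "dev", "staging", "test")

# CNAME target suffixes of services where an unclaimed name can be registered by anyone.
# Constructed from the services named above; extend it for your own providers.
TAKEOVER_PRONE = {
    ".s3.amazonaws.com": "AWS S3",
    ".github.io": "GitHub Pages",
    ".herokuapp.com": "Heroku",
    ".blob.core.windows.net": "Azure Storage",
    ".wordpress.com": "WordPress.com",
    ".myshopify.com": "Shopify",
    ".cloudfront.net": "CloudFront",
}

# Constructed DNS fixture: name -> (cname_target, target_resolves). Stands in for live lookups.
FIXTURE = {
    "www.example.test": ("d111111abcdef8.cloudfront.net", True),
    "blog.example.test": ("old-blog.herokuapp.com", False),
    "shop.example.test": ("example-store.myshopify.com", True),
    "dev.example.test": ("dev-bucket.s3.amazonaws.com", False),
    "mail.example.test": ("mail.corp.example.test", True),
}


def fixture_resolver(name):
    """Resolver with the signature a live one would have: (cname_target or None, resolves)."""
    return FIXTURE.get(name, (None, False))


def classify(target, resolves):
    """Return (service, status); status is 'no-cname', 'other', 'claimed' or 'dangling'."""
    if target is None:
        return None, "no-cname"
    for suffix, service in TAKEOVER_PRONE.items():
        if target.lower().endswith(suffix):
            return service, "claimed" if resolves else "dangling"
    return None, "other"


def check_subdomain_takeover(domain, resolve=fixture_resolver):
    """Inspect every common subdomain of your own domain for a CNAME to an unclaimed name."""
    results = {}
    for sub in SUBDOMAINS:
        fqdn = f"{sub}.{domain}"
        target, resolves = resolve(fqdn)
        service, status = classify(target, resolves)
        results[fqdn] = {"target": target, "service": service, "status": status}
    return results


def dangling(results):
    """Names whose CNAME target is a takeover-prone service that no longer resolves."""
    return sorted(name for name, r in results.items() if r["status"] == "dangling")


if __name__ == "__main__":
    res = check_subdomain_takeover("example.test")
    for name in dangling(res):
        print(f"{name} -> {res[name]['target']} ({res[name]['service']}) is dangling; remove or reclaim it")
```

The fix for a dangling entry is on the DNS side: delete the CNAME, or re-create the resource at the provider so the target is claimed again. Swapping `fixture_resolver` for a function that queries the CNAME and then resolves the target turns this into a scheduled check for your own zone.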

---

## Weighted Scoring System

| Severity | Weight | Examples |
|----------|--------|----------|
| **Critical** | 5x | SQLi, RCE, SSRF, SSTI, malware, LFI/RFI, command injection, subdomain takeover, threat intel hit |
| **High** | 4x | XSS, open redirect, CRLF, CORS misconfig, missing rate limiting, insecure cookies, exposed .env/.git |
| **Medium** | 3x | Missing email security (SPF/DKIM/DMARC), missing HSTS/CSP/XFO, DNS health issues, open dangerous ports, mixed content, email disclosure, missing COEP/COOP |
| **Low** | 2x | Missing X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, Cache-Control, CSRF, dangerous HTTP methods |
| **Info** | 1x | SSL/TLS version, IP/hosting info, private WHOIS, technology stack, performance metrics, SEO metadata, accessibility, robots.txt, security.txt, MFA detection |

**Formula:** `Score = (Σ(check_score × weight)) / Σ(weight)`

The overall score reflects real security risk rather than just the number of checks passed.

---

## Free vs Premium Comparison

| Feature | Free | Premium |
|---------|------|---------|
| Security report with overall & group scores | ✅ | ✅ |
| Detailed findings for every check | ❌ | ✅ |
| Actionable fix steps & code snippets | ❌ | ✅ |
| "Why this matters" explanations | ❌ | ✅ |
| Print / PDF full report | ❌ | ✅ |
| LLM-optimized PDF format | ❌ | ✅ |
| Report retention | 24 hours | 90 days |
| Cost per report (after first free) | $0 | $1.99 |

**First report is always free premium** · No credit card required for free tier.

---

## Report Structure (16 Categories)

1. Infrastructure & Hosting (IP, WHOIS, open ports, DNS health)
2. SSL / TLS (certificate issuer, expiry, TLS version)
3. Security Headers (HSTS, CSP, XFO, COEP, COOP, CORP, Cache-Control)
4. Application & Penetration Security (XSS, SQLi, SSRF, SSTI, LFI, RFI, command injection, CSRF, cookie security, rate limiting)
5. Content & Malware (mixed content, malware patterns, email disclosure, sensitive files)
6. Technology & APIs (stack detection, API endpoints, exposed keys)
7. Email Security (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT)
8. Compliance & Policies (robots.txt, security.txt)
9. Performance & SEO (load time, TTFB, compression, sitemap, metadata)
10. Domain Intelligence (age, archive, backlinks, indexing, GEO match)
11. Additional Security (MFA, threat intel, external scripts, accessibility, subdomain takeover)
12. Vulnerability Management (version detection, CVE lookup)

---

## Technical Specifications

| Specification | Value |
|---------------|-------|
| PHP Version | 8.3.30 |
| Database | MySQL |
| CDN | Cloudflare |
| Hosting | Hostinger (Lithuania) |
| Server IP | 46.202.142.1 |
| Scan Duration | 10-30 seconds |
| Supported Protocols | HTTPS only (HTTP → 301 redirect) |

### Timeouts

| Function | Timeout |
|----------|---------|
| fetchSiteData() | 20 seconds |
| dns_get_record() | 5 seconds |
| fsockopen() (ports) | 1 second |
| WHOIS API | 5 seconds |
| NVD API | 5 seconds |

### Cache Configuration

| Cache Type | Duration |
|------------|----------|
| NVD CVE data | 7 days |
| Google indexing status | 24 hours |
| Threat intelligence (URLhaus) | 1 hour |
| Threat intelligence (Feodo) | 1 hour |
| Threat intelligence (PhishTank) | 2 hours |

---

## Security Headers Complete Reference

| Header | Recommended Value | Protection |
|--------|-------------------|------------|
| Strict-Transport-Security | `max-age=31536000; includeSubDomains; preload` | Prevents SSL stripping |
| Content-Security-Policy | `default-src 'self'; script-src 'self' 'nonce-{random}'; object-src 'none'; frame-ancestors 'none'` | Blocks XSS, clickjacking |
| X-Frame-Options | `DENY` or `SAMEORIGIN` | Prevents clickjacking |
| X-Content-Type-Options | `nosniff` | Blocks MIME sniffing |
| Referrer-Policy | `strict-origin-when-cross-origin` | Controls referer leakage |
| Permissions-Policy | `geolocation=(), microphone=(), camera=()` | Disables unused APIs |
| Cross-Origin-Embedder-Policy | `require-corp` | Mitigates Spectre attacks |
| Cross-Origin-Opener-Policy | `same-origin` | Isolates browsing contexts |
| Cross-Origin-Resource-Policy | `same-origin` | Prevents cross-origin embedding |
| Cache-Control | `no-store, no-cache, must-revalidate` | Prevents sensitive data caching |
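
The table gives the recommended values; the Python below turns those rows into a check you can run over a captured response's headers, including the CSP deep analysis the audit describes (unsafe-inline, unsafe-eval, wildcard sources). It is an added example, not OffURL's own header checker: the two header sets are constructed samples, the nonce value is a placeholder, and the one-year HSTS threshold is the table's recommended `max-age`.

```python
import re

# Headers with a small set of acceptable values, taken from the table above.
RECOMMENDED = {
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("nosniff",),
    "cross-origin-opener-policy": ("same-origin",),
    "cross-origin-embedder-policy": ("require-corp",),
    "cross-origin-resource-policy": ("same-origin", "same-site"),
}

def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def analyse_csp(value):
    """Flag unsafe-inline, unsafe-eval, wildcard sources and missing lockdown directives."""
    policy = parse_csp(value)
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))  # CSP fallback rule
    low = [s.lower() for s in script]
    if "'unsafe-inline'" in low and not any(s.startswith(("'nonce-", "'sha")) for s in low):
        findings.append("'unsafe-inline' in script sources without a nonce or hash")
    if "'unsafe-eval'" in low:
        findings.append("'unsafe-eval' in script sources")
    wild = [s for s in script if "*" in s or re.fullmatch(r"[a-z]+:", s.lower())]
    if wild:
        findings.append("wildcard or scheme-wide script sources: " + " ".join(wild))
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (plugins fall back to default-src)")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive; framing control relies on X-Frame-Options alone")
    return findings

def check_headers(headers):
    """Return {header: [issues]} for a dict of response headers (any letter case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    issues = {}
    def add(name, msg):
        issues.setdefault(name, []).append(msg)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        add("strict-transport-security", "missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 31536000:  # one year, as recommended above
            add("strict-transport-security", "max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            add("strict-transport-security", "includeSubDomains not set")
    for name, allowed in RECOMMENDED.items():
        value = h.get(name)
        if value is None:
            add(name, "missing")
        elif value.lower() not in [a.lower() for a in allowed]:
            add(name, f"value {value!r} is not one of {allowed}")
    csp = h.get("content-security-policy")
    if csp is None:
        add("content-security-policy", "missing")
    else:
        for finding in analyse_csp(csp):
            add("content-security-policy", finding)
    rp = h.get("referrer-policy", "")
    if not rp:
        add("referrer-policy", "missing")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        add("referrer-policy", f"{rp} sends full URLs to other origins")
    if "permissions-policy" not in h:
        add("permissions-policy", "missing")
    return issues

# Constructed samples: an unhardened deployment and the table's recommended set.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "X-Frame-Options": "ALLOW-FROM https://partner.test",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs))
```

Feed it the header dict of your own response (for example `requests.get(url).headers` in Python) and the empty result for `HARDENED` is the target state. The `'unsafe-inline'` rule deliberately stays quiet when a nonce or hash is also present, because browsers that support CSP level 2 ignore `'unsafe-inline'` in that case.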

---

## Limited Audit Mode

When OffURL cannot connect to your web server (firewall rules, Cloudflare "I'm Under Attack" mode, or server downtime), Limited Audit Mode automatically activates.

### Checks Performed (No web connection required)

- DNS Health (A, MX, TXT, NS, SOA records, DNSSEC status)
- Email Security (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT)
- Open Ports (21,22,23,25,80,443,3306,5432,27017,6379,8080,8443)
- WHOIS (creation date, expiry date, registrar, privacy status)
- Domain Intelligence (age, Archive.org history, SEO metrics)
- Threat Intelligence (URLhaus, Feodo Tracker, PhishTank)
- Subdomain Security (9 common subdomain CNAME checks)

### Checks Skipped (Require web connection)

- SSL Certificate Validation
- Security Headers
- Malware Scanning
- XSS/SQLi/SSRF/SSTI Testing
- LFI/RFI/Command Injection Testing
- Performance Metrics
- SEO Metadata
- Accessibility Checks
- Rate Limiting Tests
- Hidden Endpoint Fuzzing
- Mixed Content Detection

**Resolution:** Whitelist IP `46.202.142.1` and disable bot protection temporarily for a full audit.

---

## Vulnerability Detection Methodology

### XSS Detection (13 payloads)
- `<script>alert(1)</script>`
- `"><img src=x onerror=alert(1)>`
- `javascript:alert(1)`
- `"><svg/onload=alert(1)>`
- `"><body onload=alert(1)>`
- `"><input onfocus=alert(1)>`
- `"><details open ontoggle=alert(1)>`
- `\\";alert(1);//`
- `` `-alert(1)-` ``
- `${alert(1)}`
- `` javascript:alert`1` ``
- `` `\'-alert(1)-` ``
- `<?= "XSS" ?>`

### SQL Injection Detection
- Boolean-based: `' OR '1'='1`
- Time-based: `' OR SLEEP(5)--` (detects 4+ second delay)
- Error-based: Database error message patterns (mysql_fetch, SQL syntax, ORA-[0-9]{5}, PostgreSQL, PDOException)

### SSRF Detection
Probes internal endpoints including AWS metadata (`http://169.254.169.254/latest/meta-data/`), local admin (`http://127.0.0.1:8080/admin`), database (`http://localhost/phpmyadmin`), IPv6 localhost (`http://[::1]/`), generic secret (`http://0.0.0.0/secret`).

### SSTI Detection
- `{{7*7}}X` → expects `49X`
- `${7*7}Y` → expects `49Y`
- `*{7*7}Z` → expects `49Z`

### Malware Pattern Detection (with false positive reduction)
Ignores known minified libraries from trusted CDNs (Tailwind, Bootstrap, jQuery, React, Vue, Angular, Cloudflare CDN, Google Fonts).

### LFI Detection
Payloads include `../../../../etc/passwd`, `..\..\..\..\windows\win.ini`, URL encoded variants (`%2e%2e%2f`). Detection markers: `root:x:`, `[extensions]`.

### Command Injection Detection
Payloads: `; echo test`, `| echo test`, `` echo test ``. Detection: String `test` appears in response.

### CRLF Injection Detection
Payload: `%0d%0aX-Custom-Test: injected`. Detection: `X-Custom-Test: injected` appears in response headers.

### Cookie Security Scoring
- Each missing flag (Secure, HttpOnly, SameSite) reduces score by 25 points
- Additional 25 point penalty for missing both Secure and HttpOnly

### Email Disclosure Scoring
- `score = 100 - min(50, emailCount × 10)` (Max 50% reduction)

### SEO Metadata Scoring
- Title length penalty: <30 or >60 chars (-10)
- Description length penalty: <50 or >160 chars (-10)
- Missing canonical (-15)
- Missing OG tags (-15)
- Missing Twitter Card (-10)
- Missing JSON-LD (-10)
- Missing H1 (-10)
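
The cookie, email-disclosure and SEO rules above, together with the Weighted Scoring System formula, are simple enough to reproduce exactly, which lets you predict a score change before re-running an audit. The Python below is an added example, not OffURL's scoring code. Where the page leaves something open it states an assumption in the comments: the weakest cookie sets the cookie score, `emailCount` counts distinct addresses, the SEO input is a plain dict describing the page head, and the overall score is rounded to one decimal.

```python
import re

# Severity weights from the Weighted Scoring System table.
WEIGHTS = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def cookie_score(set_cookie_headers):
    """-25 per missing Secure/HttpOnly/SameSite flag, -25 more when both Secure and HttpOnly
    are absent. Assumption: the weakest cookie in the response sets the score."""
    worst = 100
    for raw in set_cookie_headers:
        attrs = {p.strip().split("=", 1)[0].lower() for p in raw.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]
        score = 100 - 25 * len(missing)
        if "secure" in missing and "httponly" in missing:
            score -= 25
        worst = min(worst, score)
    return worst


def email_disclosure_score(html):
    """score = 100 - min(50, emailCount x 10). Assumption: emailCount is distinct addresses."""
    count = len(set(EMAIL_RE.findall(html)))
    return 100 - min(50, count * 10)


def seo_score(page):
    """Apply the SEO metadata penalties to a dict describing the page's head elements."""
    score = 100
    title, desc = page.get("title", ""), page.get("description", "")
    if not 30 <= len(title) <= 60:
        score -= 10
    if not 50 <= len(desc) <= 160:
        score -= 10
    for key, penalty in (("canonical", 15), ("og_tags", 15), ("twitter_card", 10),
                         ("json_ld", 10), ("h1", 10)):
        if not page.get(key):
            score -= penalty
    return max(score, 0)


def weighted_score(checks):
    """Score = sum(check_score x weight) / sum(weight) over (name, score, severity) tuples."""
    total_weight = sum(WEIGHTS[sev] for _, _, sev in checks)
    if total_weight == 0:
        return 0.0
    return round(sum(score * WEIGHTS[sev] for _, score, sev in checks) / total_weight, 1)


# Constructed sample inputs.
SAMPLE_COOKIES = ["sid=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/; SameSite=Lax"]
SAMPLE_HTML = "<p>Contact sales@example.test, press@example.test or sales@example.test</p>"
SAMPLE_PAGE = {"title": "Example Shop - Outdoor Gear and Camping Supplies",
               "description": "x" * 120, "canonical": True, "og_tags": True,
               "twitter_card": False, "json_ld": False, "h1": True}


def sample_overall():
    """Roll a handful of section scores up with the severity weights from the table."""
    checks = [
        ("sql_injection", 100, "critical"),
        ("cookie_security", cookie_score(SAMPLE_COOKIES), "high"),
        ("hsts", 0, "medium"),
        ("email_disclosure", email_disclosure_score(SAMPLE_HTML), "medium"),
        ("seo_metadata", seo_score(SAMPLE_PAGE), "info"),
    ]
    return weighted_score(checks)


if __name__ == "__main__":
    print(sample_overall())
```

The sample shows why the weighting matters: the `theme` cookie drags a High-weighted check to 25 and a missing HSTS header zeroes a Medium one, so the overall lands at 57.5 even though the Critical check is clean. Fixing the cookie flags alone lifts it more than any SEO change could.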

---

## Frequently Asked Questions

### General Questions

<details>
<summary><strong>What is a website security audit?</strong></summary>
A website security audit is a comprehensive evaluation of your website's security posture. It checks for vulnerabilities like XSS, SQL injection, malware, SSL issues, misconfigured security headers, open ports, and email security gaps. OffURL performs 150+ checks to identify security weaknesses before attackers can exploit them.
</details>

<details>
<summary><strong>How does OffURL's security scanner work?</strong></summary>
OffURL analyzes your website by performing passive and active security tests. It checks SSL certificates, security headers, DNS records, email security (SPF/DKIM/DMARC), scans for malware patterns, tests for vulnerabilities (XSS, SQL injection, SSRF), checks open ports, analyzes performance, validates SEO metadata, and tests accessibility compliance. The scan completes in under 30 seconds and provides an actionable report.
</details>

<details>
<summary><strong>Is the security audit really free?</strong></summary>
Yes. Your first security report is completely free and includes premium features like detailed findings, fix steps, and the full 150+ checks. No credit card required. Subsequent reports cost $1.99 for premium access. The free version provides overall scores and group scores.
</details>

<details>
<summary><strong>What vulnerabilities can OffURL detect?</strong></summary>
OffURL detects Cross-Site Scripting (XSS), SQL Injection, NoSQL Injection, LDAP Injection, XXE (XML External Entity), Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), Code Injection, Command Injection, Open Redirect, Path Traversal, Local File Inclusion (LFI), Remote File Inclusion (RFI), CRLF Injection, Parameter Pollution, and CORS Misconfiguration.
</details>

<details>
<summary><strong>Does OffURL check email security?</strong></summary>
Yes. OffURL checks SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication), BIMI (Brand Indicators for Message Identification), MTA-STS (Mail Transfer Agent Strict Transport Security), and TLS-RPT (TLS Reporting). These records prevent email spoofing and phishing.
</details>

<details>
<summary><strong>How long does the security audit take?</strong></summary>
Most security audits complete in 10-30 seconds. The scan includes DNS lookups, SSL analysis, HTTP requests, port scanning, and vulnerability tests. Reports remain available for 24 hours (free) or 90 days (premium).
</details>

<details>
<summary><strong>Do I need to create an account?</strong></summary>
No. OffURL works without registration. Your first audit is free with premium features included. We use anonymous cookies to track free premium usage. No personal information is collected.
</details>

<details>
<summary><strong>What makes OffURL different from other security scanners?</strong></summary>
OffURL combines 150+ security checks across 16+ categories including application security, infrastructure, SSL/TLS, email security, security headers, malware detection, DNS health, penetration testing, performance metrics, SEO validation, accessibility compliance, and domain intelligence. Independent market analysis (Perplexity Deep Research, May 2026) ranked OffURL #1 for value density, breadth of coverage, and report actionability among 12+ leading tools.
</details>

<details>
<summary><strong>What happens if OffURL can't connect to my website?</strong></summary>
If OffURL cannot establish a connection to your web server (due to firewall rules, Cloudflare "I'm Under Attack" mode, or server downtime), we automatically switch to Limited Audit Mode. In this mode, we still perform all DNS-based checks (WHOIS, open ports, email security, domain intelligence, threat intelligence, and subdomain takeover). SSL certificate validation, security headers, malware scanning, XSS/SQLi testing, and performance metrics are skipped. Whitelist IP 46.202.142.1 for a full audit.
</details>

### AI & Vibe Coder Questions

<details>
<summary><strong>Is OffURL good for vibe coders and AI-assisted developers?</strong></summary>
Absolutely. OffURL is built specifically for AI-assisted development workflows. Zero friction - no account, no credit card, instant premium report. The premium PDF report is engineered for direct ingestion into coding LLMs like Claude, Cursor, Grok, GPT, and Gemini. AI-generated code often has common security gaps - OffURL catches all of them. Run an audit on your deployed URL, download the PDF, paste it into your LLM, and get exact fixes for your framework.
</details>

<details>
<summary><strong>How do I fix security issues using AI?</strong></summary>
Copy the entire premium report text and paste it into your preferred LLM with this prompt: "Here is the OffURL security report for my [framework] web application. Go through each finding, suggest precise code/config changes, output a prioritized fix list with severity levels, and provide ready-to-apply code diffs where possible." The LLM will analyze the report and give you exact fixes tailored to your stack.
</details>

<details>
<summary><strong>How can I improve my security score with AI?</strong></summary>
Step 1: Run an OffURL audit and download the premium PDF. Step 2: Paste the report into Claude, Cursor, Grok, or GPT. Step 3: Ask the LLM to provide specific fixes for your framework. Step 4: Apply the changes. Step 5: Re-run the audit to verify improvement. Most users see a 20-40 point increase after one AI-assisted fix round.
</details>

<details>
<summary><strong>What's the typical AI security workflow?</strong></summary>
1) Deploy your web application to a URL. 2) Run an OffURL audit (30 seconds). 3) Download the premium PDF report. 4) Paste the report into your LLM. 5) Ask for prioritized fixes for your specific framework. 6) Apply fixes and redeploy. 7) Re-run OffURL to verify improvements. Most vibe coders complete this in under 15 minutes.
</details>

<details>
<summary><strong>What are the most common security issues in AI-generated code?</strong></summary>
Based on thousands of audits of AI-generated web applications: exposed .env files (42%), missing HSTS security headers (38%), missing CSP policies (35%), weak email authentication (31%), mixed content (28%), missing rate limiting on login endpoints (25%), and insecure cookie flags (22%). OffURL detects all of these and provides fix steps or LLM prompts to resolve them.
</details>

<details>
<summary><strong>Can I use OffURL with Cursor or Windsurf?</strong></summary>
Yes. Run an audit, download the premium PDF, then use this prompt: "@security-audit I need to secure my [Next.js/FastAPI/etc.] web application. Here's the OffURL report. Identify the top 3 critical issues and generate the exact code changes needed to fix them." The AI IDE will analyze the report and suggest inline fixes directly in your codebase.
</details>

### Comparison Questions

<details>
<summary><strong>How does OffURL compare to Sucuri, DarkScout, or Pentest-Tools?</strong></summary>
Independent market analysis (Perplexity Deep Research, May 2026) compared 12+ tools. Key findings: OffURL offers the broadest passive audit coverage (SSL, headers, DNS/email, malware, CVE, threat intel). DarkScout is fastest (under 30 seconds). Sucuri is best for malware/blacklist triage. Pentest-Tools is stronger for active technical scanning. For fast, broadly useful website security auditing with minimal friction, OffURL offers the strongest value balance.
</details>

<details>
<summary><strong>Does OffURL work with static sites or SPAs?</strong></summary>
Yes, OffURL works with any publicly accessible website URL including static sites (HTML/CSS/JS), single-page applications (React, Vue, Angular), and traditional server-rendered sites. However, note that our scanner analyzes raw HTML responses without executing JavaScript. For SPAs, we check the initial HTML response, security headers, SSL configuration, DNS health, email security, and infrastructure - which covers most critical security issues.
</details>

---

## Trust & Privacy

- **Data auto-deleted after 30 days** (90 days for premium reports)
- **No API keys required** for any functionality
- **Transparent scanning** with clear methodology
- **No personal information collected** - anonymous identifiers only
- **Payment processing via Stripe** (PCI Level 1 certified)
- **HTTPS-only communication** with TLS 1.2/1.3
- **Security headers enforced** on all responses

---

## API Endpoints

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/` | GET | Homepage with audit form |
| `/audit.php` | POST | Submit domain for security audit (requires csrf_token) |
| `/report/{slug}` | GET | View audit report (6-8 character alphanumeric slug) |
| `/premium-upgrade.php` | GET | Upgrade report to premium |
| `/payment-return.php` | GET | Payment confirmation handler |
| `/.well-known/security.txt` | GET | Security contact information |
| `/robots.txt` | GET | Crawler directives |
| `/sitemap.xml` | GET | XML sitemap |
| `/llms.txt` | GET | LLM-optimized documentation |

---

## LLM/AI Optimization

OffURL is optimized for LLM extraction with:

- Server-side rendered HTML (no JavaScript-dependent critical content)
- JSON-LD structured data (WebSite, Organization, SoftwareApplication, FAQPage, HowTo schemas)
- Entity-based optimization with @id anchors
- FAQ section with 26 question-answer pairs
- llms.txt file with complete platform documentation
- Premium PDF reports engineered for direct LLM ingestion
- AI crawler allowlist (GPTBot, ClaudeBot, Google-Extended, PerplexityBot, GrokBot)

---

## Contact Information

- **General Inquiries:** contact@offurl.com
- **Security Reports:** https://offurl.com/.well-known/security.txt
- **Response Time:** 24-48 hours

---