Security Report

leadline.dev ·

Premium Report
83/100
Overall Security Score
Infrastructure & Hosting
85/100
SSL / TLS
100/100
Security Headers
7/100
Application & Penetration Security
100/100
Content & Malware
100/100
Technology & APIs
100/100
Email Security
0/100
Compliance & Policies
40/100
Performance & SEO
50/100
Domain Intelligence
90/100
Additional Security
96/100
Vulnerability Management
100/100

Infrastructure & Hosting

Group Score: 85/100
This category examines the foundational elements of your website’s infrastructure: the IP address, WHOIS registration, open ports, and DNS records (A, MX, SPF, DKIM, DMARC, CAA). It works by performing DNS lookups, WHOIS queries, and port scans. Proper configuration here ensures your domain is correctly resolved, email is deliverable, and attackers cannot exploit misconfigured DNS or open services. A low score may indicate missing email authentication records (SPF/DKIM/DMARC) or exposed ports that could be entry points for hackers.
IP & Hosting InformationScore: 100/100
Risk: Info
Impact: Identifies where the server is located.
IP: 64.29.17.65 · Hosting: Amazon.com, Inc. (United States, CA)
Why this matters: Knowing your server’s IP address and hosting provider helps with troubleshooting, DDoS protection, and compliance. This information is publicly available and not a security risk. However, it can be useful to verify that your site is hosted where you expect and to identify if you are behind a CDN (like Cloudflare) which may hide the origin IP. No action needed unless the hosting provider is incorrect (e.g., your site was compromised and redirected).
WHOIS (Registrar, Expiry)Score: 100/100
Risk: Info
Impact: WHOIS data may be private.
WHOIS lookup failed (domain may have privacy protection)
→ Domain registration may be private – no action needed.
Why this matters: WHOIS data is often hidden by domain privacy services. This is normal and not a security risk. However, without WHOIS data you cannot verify the domain's expiry date or registrar. If you own the domain, ensure your contact information is up‑to‑date with your registrar to receive renewal reminders. No immediate action is required if you have enabled auto‑renew.
Open PortsScore: 100/100
Risk: Low
Impact: Open ports increase attack surface and may expose internal services.
Open: HTTP, HTTPS
Why this matters: This check scans for open ports on your server. Open ports like SSH (22), FTP (21), and database ports (3306, 5432) are common entry points for attackers. For a web server, only ports 80 (HTTP) and 443 (HTTPS) should be open to the public. The score decreases by 25 points for each dangerous port found. Action: review your firewall rules and close unnecessary ports.
DNS Health (A, MX, SPF, DKIM, DMARC, CAA)Score: 40/100
Risk: Medium
Impact: DNS issues affect email deliverability and security.
A: 2, MX: 0, SPF: No, DKIM: No, DMARC: No, CAA: Yes, NS: 2, SOA: Yes, DNSSEC: Unknown (server limitation)
→ Publish missing DNS records (SPF, DKIM, DMARC, CAA).
Why this matters: DNS records control email security, authentication, and certificate issuance. SPF (Sender Policy Framework) lists which servers can send email on your behalf, preventing spoofing. DKIM (DomainKeys Identified Mail) signs outgoing emails to prove they are legitimate. DMARC (Domain‑based Message Authentication) tells receivers what to do with emails that fail SPF/DKIM. CAA (Certificate Authority Authorization) restricts which CAs can issue certificates for your domain. Missing these records makes your domain vulnerable to email spoofing, phishing, and certificate misuse. Action: add the missing TXT records to your DNS zone.
Fix steps:
  • Add SPF: `v=spf1 mx ~all`
  • Generate DKIM key and publish a `selector._domainkey` TXT record
  • Add DMARC: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com`

SSL / TLS

Group Score: 100/100
SSL/TLS certificates encrypt data between your visitor’s browser and your server. This category checks the certificate’s issuer, expiry date, and the TLS protocol version supported (TLS 1.2 or 1.3). It works by establishing a secure connection and reading the certificate details. Without a valid certificate, all data (passwords, credit cards, etc.) can be intercepted. A low score means your certificate is expired or you’re using outdated TLS versions (1.0/1.1), which are vulnerable to attacks like POODLE and BEAST.
SSL / TLSScore: 100/100
Risk: Low
Impact: Expired or invalid SSL breaks HTTPS security.
Issuer: R12 · Expires: 2026-07-01 (48 days) · Signature algorithm: RSA-SHA256
→ SSL certificate is healthy.
Why this matters: SSL/TLS certificates encrypt all data between the user and your server. Without a valid certificate, attackers can intercept login credentials, payment details, and other sensitive information. Browsers also show a security warning, destroying user trust. This check verifies the certificate's issuer, expiry date, and chain validity. Short‑lived certificates (e.g., Let's Encrypt's 90‑day) are acceptable; a penalty is only applied when expiry is very near (under 30 days).
TLS Version & CiphersScore: 100/100
Risk: Info
Impact: Weak TLS allows attackers to decrypt or hijack connections.
Negotiated: TLSv1.3 (best)
Why this matters: TLS 1.0 and 1.1 are obsolete and vulnerable to attacks like POODLE and BEAST. TLS 1.2 is secure, but TLS 1.3 offers better performance and security. This check scores based on the highest protocol your server supports. Enabling TLS 1.3 is recommended but not mandatory for a high score.

Security Headers

Group Score: 7/100
HTTP security headers instruct browsers how to behave when visiting your site. This category checks for headers like HSTS, CSP, X‑Frame‑Options, and more. It works by analyzing the HTTP response headers sent by your server. These headers prevent common attacks: HSTS forces HTTPS, CSP blocks XSS, X‑Frame‑Options stops clickjacking. A low score means your site is missing critical headers, leaving it exposed to data theft, session hijacking, and UI redressing attacks.
Strict-Transport-Security 100/100
Present
Why this matters: HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS, even if the user types "http://". This completely prevents SSL stripping attacks where an attacker downgrades the connection to HTTP. It also enables the browser to preload your site into its list of HTTPS‑only domains. Without HSTS, a man‑in‑the‑middle can intercept the first request and serve a fake version of your site. Implementation: set max-age to at least one year (31536000 seconds) and include the preload directive if you intend to submit to the HSTS preload list.
X-Frame-Options 0/100
Missing
→ Set X-Frame-Options: DENY or SAMEORIGIN
Why this matters: Clickjacking attacks embed your site in a transparent iframe, tricking users into clicking invisible buttons. This can lead to account hijacking, unwanted actions, or malware installation. X-Frame-Options tells the browser whether your site can be framed. Use DENY to prevent all framing, or SAMEORIGIN to allow only from your own domain. Without this header, any malicious site can frame your pages and execute clickjacking attacks.
X-Content-Type-Options 0/100
Missing
→ Add X-Content-Type-Options: nosniff
Why this matters: Browsers sometimes "sniff" the MIME type of a resource, ignoring the Content-Type header. This can lead to security issues: an attacker could upload an image with embedded HTML/JavaScript, and the browser might execute it as a script (drive‑by download). X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type and not perform sniffing. This header is essential for sites that allow user‑uploaded content.
Content-Security-Policy 0/100
Missing
→ Implement CSP
Why this matters: CSP is the most effective defence against Cross‑Site Scripting (XSS). It allows you to create a whitelist of trusted sources for scripts, styles, images, and other resources. Any inline script or external script not in the whitelist will be blocked. CSP also prevents clickjacking, data injection, and can enforce HTTPS (upgrade-insecure-requests). Start with a report‑only policy, then move to enforcing. A well‑configured CSP stops almost all XSS attacks, even if your code has vulnerabilities.
Referrer-Policy 0/100
Missing
→ Add Referrer-Policy: strict-origin-when-cross-origin
Why this matters: When a user clicks a link, the browser sends a "Referer" header with the source URL. This can leak sensitive data like session tokens, API keys, or personal information present in the URL. Referrer-Policy controls how much referrer information is sent. "strict-origin-when-cross-origin" sends the full URL only for same‑origin requests, and only the origin for cross‑origin HTTPS requests. For HTTP to HTTPS, it sends nothing. This prevents data leaks while preserving functionality.
Permissions-Policy 0/100
Missing
→ Add Permissions-Policy: geolocation=(), microphone=()
Why this matters: Permissions-Policy (formerly Feature-Policy) allows you to disable browser features like geolocation, camera, microphone, fullscreen, and accelerometer for your site. This reduces privacy risks and prevents malicious scripts from accessing hardware without user consent. Even if you don’t use these features, an XSS vulnerability could allow an attacker to access them. By explicitly denying features you don’t need, you add a defence‑in‑depth layer.
Cross-Origin-Embedder-Policy 0/100
Missing
→ Add COEP: require-corp
Why this matters: COEP prevents a document from loading cross-origin resources that do not explicitly grant permission via CORP or CORS. This is critical for mitigating Spectre‑like side‑channel attacks, where a malicious site could read memory from another site loaded in the same process. COEP, together with COOP, enables cross‑origin isolation, allowing the use of powerful features like SharedArrayBuffer while maintaining security. Without it, your site remains vulnerable to certain speculative execution attacks.
Cross-Origin-Opener-Policy 0/100
Missing
→ Add COOP: same-origin
Why this matters: COOP isolates your browsing context from other origins. It prevents a malicious popup from controlling your page via `window.opener`, and blocks cross-origin attacks that rely on leaking information through the browsing context group. Setting COOP to `same-origin` ensures that only documents from the same origin share the same group, protecting your site from cross‑origin leaks. This is especially important for sensitive applications like banking or email.
Cross-Origin-Resource-Policy 0/100
Missing
→ Add CORP: same-origin
Why this matters: CORP prevents other websites from embedding your resources (images, scripts, styles) unless they are from the same origin. This stops data leakage via resource timing attacks and hotlinking. While not as critical as other headers, it adds an extra layer of privacy and can reduce bandwidth theft. Use `same-origin` to allow only your own domain to use your resources.
Cache-Control 100/100
Present
Why this matters: Cache-Control tells browsers and intermediate caches how to store your responses. For sensitive pages (user profile, dashboard, admin), you should use `no-store` to prevent any caching. Otherwise, an attacker with access to the user’s device (shared computer) could retrieve cached pages. For public resources, use `public, max-age=...`. Without proper cache directives, sensitive data may persist in browser history or disk cache, leading to information disclosure.
CSP Deep AnalysisScore: 0/100
Risk: High
Impact: No CSP allows XSS attacks.
Missing CSP
→ Implement a strict CSP policy.
Why this matters: Content-Security-Policy (CSP) is the most powerful defence against XSS. It lets you whitelist allowed sources for scripts, styles, images, and other content. Even if an attacker injects a script, CSP will block it unless it matches your whitelist. Without CSP, any XSS vulnerability can lead to full account compromise. Implementation: start with a report-only policy, then enforce. Example: `default-src 'self'; script-src 'self' https://trusted-cdn.com`.
Fix steps:
  • Start with `default-src 'self'`
CSP Directive AnalysisScore: 0/100
Risk: High
Impact: No CSP policy allows XSS attacks.
Missing CSP header
→ Implement a strict CSP policy.
Why this matters: CSP directives control which resources can be loaded. Without CSP, XSS protection is severely weakened.
Fix steps:
  • Start with `default-src 'self'`

Application & Penetration Security

Group Score: 100/100
This category combines passive vulnerability scanning with active penetration testing. It tests for common web vulnerabilities (XSS, SQLi, SSRF, etc.) and simulates real‑world attacks (LFI, RFI, command injection, CRLF, parameter pollution, hidden endpoint discovery, rate limiting bypass, CORS misconfiguration). Each test uses safe, read‑only payloads. A low score indicates serious security flaws that must be fixed immediately.
XSS (Reflected)Score: 100/100
Risk: Low
Impact: XSS can hijack user sessions, deface pages, or steal credentials.
No reflected XSS detected
Why this matters: Cross‑Site Scripting (XSS) allows attackers to inject malicious scripts into your web pages. This can lead to session hijacking, credential theft, defacement, and malware distribution. This test sends multiple payloads via query parameters and checks if they are reflected in a dangerous context (event handlers, `<script>` tags, `javascript:` URLs). Additionally, a blind XSS payload (script tag pointing to our callback endpoint) is injected – if our server receives the callback, the vulnerability is confirmed. The callback endpoint logs hits without storing any data. To avoid false positives, the test only flags payloads that appear in dangerous contexts, not just anywhere in the response. Fix: always escape output using context‑appropriate functions in PHP. Also implement a strict Content Security Policy (CSP) to block inline scripts, and set HTTPOnly and Secure flags on cookies.
SQL InjectionScore: 100/100
Risk: Low
Impact: SQLi can steal or destroy your entire database.
No simple SQLi detected
Why this matters: SQL injection is one of the most dangerous vulnerabilities. Attackers can insert malicious SQL code into input fields, allowing them to read, modify, or delete database contents. This test sends payloads like `' OR '1'='1` and checks for delayed responses (time‑based) or SQL error messages. If vulnerable, an attacker could dump your entire user database, including passwords. Fix: never concatenate user input into SQL queries. Use prepared statements (parameterized queries) or an ORM. Also, limit database user privileges and hide error details.
NoSQL InjectionScore: 100/100
Risk: Low
Impact: NoSQL injection can bypass authentication and extract data.
No obvious NoSQL injection
Why this matters: NoSQL injection affects databases like MongoDB, CouchDB, and Firebase. Attackers can inject operators like `` (not equal) or `` (greater than) to bypass authentication or extract data. This test sends such operators and checks for error messages or unexpected behaviour. Fix: validate input types, use the database's safe query builder, and avoid passing user input directly as query operators. For MongoDB, use `new MongoDB\BSON\Regex()` for user‑supplied patterns and filter out keys starting with `$`.
LDAP InjectionScore: 100/100
Risk: Low
Impact: LDAP injection can bypass authentication and expose directory data.
No LDAP injection
Why this matters: LDAP injection attacks occur when user input is used unsafely in LDAP search filters. Attackers can inject operators like `*)(uid=*` to bypass authentication or retrieve all directory entries. This test injects a wildcard payload and checks if the response indicates a successful LDAP search. Fix: always escape special characters (`*`, `(`, `)`, `\`, `NUL`) using `ldap_escape()` before inserting into filters. Also validate input against a whitelist of allowed values.
XXE (XML)Score: 100/100
Risk: Info
Impact: XXE can read local files, cause SSRF, or DoS.
No obvious XXE
Why this matters: XML External Entity (XXE) attacks occur when an XML parser processes external entities defined in user‑supplied XML. Attackers can read local files (e.g., `/etc/passwd`), perform SSRF, or cause denial of service. This test checks if the `/xml` endpoint (or any endpoint that might process XML) returns a response containing `DOCTYPE` (excluding the HTML5 doctype) and `entity`. If such content is returned, it suggests that an XML parser is active and might be vulnerable. Fix: disable external entity loading in your XML parser. In PHP, use `libxml_disable_entity_loader(true);` before parsing. In Java, set `setFeature` to false. For .NET, set `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`. Also upgrade to a modern XML parser that disables external entities by default.
SSRFScore: 100/100
Risk: Low
Impact: SSRF can access internal services.
No SSRF detected
Why this matters: Server‑Side Request Forgery (SSRF) allows attackers to make your server send requests to internal services (metadata endpoints, localhost, internal IPs). This can leak cloud credentials, access internal admin panels, or perform port scanning. The test tries to fetch common internal URLs. If the response contains sensitive data (AWS instance metadata, phpMyAdmin, or short root‑like responses), your site is vulnerable. To avoid false positives, this version ignores normal HTML pages, safe markers (`<!DOCTYPE html`, `function`, etc.), and very short error responses. Fix: whitelist allowed external domains, block IP addresses in private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16), and never use user‑supplied URLs directly.
SSTIScore: 100/100
Risk: Low
Impact: SSTI can lead to remote code execution (RCE).
No SSTI
Why this matters: Server‑Side Template Injection (SSTI) occurs when user input is concatenated into a template without proper escaping. Attackers can inject template directives that execute arbitrary code on the server. This test sends payloads like `{{7*7}}X` – if the server returns `49X`, it’s vulnerable. Fix: never pass user input directly to `render()` or `eval()`. Use template engines that auto‑escape and disable access to dangerous functions.
Code InjectionScore: 100/100
Risk: Low
Impact: Code injection allows full server compromise (RCE).
No code injection
Why this matters: Code injection allows attackers to execute arbitrary system commands on your server. This is the most severe vulnerability, often leading to full server compromise, data theft, and malware installation. The test sends payloads that would execute `id` or `eval` if injected into an `eval()` or `system()` call. If the output contains `uid=` or `1+1=2`, your site is vulnerable. Fix: never use `eval()`, `system()`, `exec()`, `passthru()`, or backticks with user input. If you must, use a strict whitelist and escape properly. Better: refactor to avoid dynamic code execution entirely.
Open RedirectScore: 100/100
Risk: Low
Impact: Open redirect enables phishing attacks.
No open redirect
Why this matters: Open redirect occurs when a URL parameter controls the destination of a redirect without validation. Attackers can craft links that appear to be from your site but redirect users to malicious phishing pages. This can be used in social engineering attacks to steal credentials. This test checks if a redirect parameter can be set to `https://evil.com` and if the browser actually goes there. Fix: never accept user‑supplied URLs for redirects. Use a whitelist of allowed destinations (e.g., `/dashboard`, `/profile`). Alternatively, use relative paths only.
Path TraversalScore: 100/100
Risk: Low
Impact: Path traversal allows arbitrary file read.
No path traversal
Why this matters: Path traversal (directory traversal) allows attackers to read arbitrary files on the server by manipulating file paths with `../` sequences. This can expose configuration files, source code, passwords, and even system files like `/etc/passwd`. The test tries common traversal payloads and checks if the response contains `root:x:` (a marker for the Unix password file). Fix: never use user input directly in file paths. Use `basename()` to extract the filename and restrict to a specific directory using `realpath()` and `str_starts_with()`. Better: map filenames to database IDs and store files outside the webroot.
CSRF ProtectionScore: 100/100
Risk: Low
Impact: Missing CSRF allows state‑changing attacks.
Forms appear to have CSRF protection
Why this matters: Cross‑Site Request Forgery (CSRF) attacks trick a logged‑in user into submitting a malicious request to your site without their knowledge (e.g., changing password, transferring money). This check looks for forms that contain a hidden CSRF token field. If a form is missing such a token, it may be vulnerable. Fix: include a unique, unpredictable token in every state‑changing form (POST, PUT, DELETE). Validate the token on the server side and ensure it matches the user’s session. Modern frameworks provide built‑in CSRF protection (Laravel, Django, Rails).
HTTP MethodsScore: 100/100
Risk: Low
Impact: Dangerous methods allow resource modification.
No dangerous HTTP methods enabled
Why this matters: HTTP methods like PUT, DELETE, TRACE, and CONNECT are rarely needed on a public web server. If enabled, they can be abused: PUT to upload malicious files, DELETE to remove content, TRACE to conduct cross‑site tracing attacks, and CONNECT to proxy requests. This check tests whether these methods return a `200 OK` response. If they do, you should disable them immediately. Use the provided fix examples in `.htaccess` (Apache) or server block (Nginx). Only keep GET, HEAD, and POST.
Cookie SecurityScore: 100/100
Risk: Low
Impact: Insecure cookies can be stolen via XSS or MITM.
Cookies are secure
Why this matters: Cookies without proper flags are vulnerable to theft. The `Secure` flag ensures cookies are only sent over HTTPS, preventing network sniffing. `HttpOnly` prevents client‑side scripts from accessing the cookie, mitigating XSS attacks. `SameSite` prevents cross‑site request forgery (CSRF). This check examines the `Set-Cookie` headers for these flags. Missing flags mean your session cookies can be stolen or replayed. Action: update your application’s cookie settings to include all three flags. For session cookies, also consider setting `SameSite=Strict` or `Lax`.
LFI (Local File Inclusion)Score: 100/100
Risk: Low
Impact: LFI can expose sensitive files.
No LFI detected
Why this matters: Local File Inclusion (LFI) occurs when an application includes a file based on user input without proper sanitisation. Attackers can use path traversal (e.g., `../../etc/passwd`) to read sensitive files like configuration files, source code, or system password files. This test sends a variety of traversal payloads to common parameter names (file, page, path, etc.) and checks the response for tell‑tale markers (e.g., 'root:x:'). If a file is disclosed, an attacker could escalate privileges or pivot to other attacks. Mitigation: avoid passing user input to file inclusion functions; use whitelists and input validation.
RFI (Remote File Inclusion)Score: 100/100
Risk: Low
Impact: RFI can lead to full server compromise.
No RFI detected
Why this matters: Remote File Inclusion (RFI) allows attackers to include a remote file, often leading to remote code execution. This test attempts to include a safe, non‑malicious remote file (e.g., from a test server) and checks if its content appears in the response. If successful, an attacker could host a malicious script on their own server and execute it on your site. Mitigation: disable `allow_url_include` in PHP, whitelist allowed domains, and never accept user input for file paths.
Command InjectionScore: 100/100
Risk: Low
Impact: Command injection allows RCE.
No command injection detected
Why this matters: Command injection occurs when unsanitised user input is passed to a system shell. Attackers can execute arbitrary commands on the server. This test sends safe `echo` commands (e.g., `echo test`) and checks if the output appears in the response. If vulnerable, an attacker could read, write, or delete files, install backdoors, or take full control of the server. Mitigation: avoid using `exec()`, `system()`, `shell_exec()`, or backticks with user input; use built‑in functions or escape rigorously.
HTTP Header Injection (CRLF)Score: 100/100
Risk: Low
Impact: CRLF can lead to response splitting.
No CRLF injection detected
Why this matters: CRLF injection occurs when an attacker injects carriage return (`
`) and line feed (`
`) characters into HTTP headers. This can split the response, allowing the attacker to add arbitrary headers or even inject malicious content (e.g., XSS). This test sends payloads like `%0d%0aSet-Cookie: session=injected` and checks for header splitting. Mitigation: sanitise user input by removing or encoding `
` and `
`, and use safe header‑setting functions.
Parameter PollutionScore: 100/100
Risk: Low
Impact: May bypass security controls.
No obvious parameter pollution
Why this matters: Parameter pollution happens when duplicate parameters are sent in a request (e.g., `?id=1&id=2`). Some applications or WAFs may process only the first or last value, leading to bypasses. Attackers can use this to override security controls, inject SQL, or cause unexpected behaviour. This test sends duplicate parameters and checks for inconsistencies. Mitigation: validate all parameters, reject duplicate keys, and use strict input parsing.
Hidden Endpoint FuzzingScore: 100/100
Risk: Low
Impact: Exposed endpoints may lead to unauthorised access.
No hidden endpoints detected
Why this matters: Hidden endpoints like `/admin`, `/backup`, or `/phpmyadmin` can be exploited if left unprotected. This test scans for common paths and verifies that the response is a genuine page (not a 404 error, not the homepage, and not a blank page). To reduce false positives, it ignores empty responses (under 100 bytes), pages identical to the homepage, and responses containing typical 404 phrases. If a path returns a 200 OK with unique content, it is likely a real endpoint. Action: restrict access to sensitive directories using authentication (e.g., `.htaccess` password protection), IP whitelists, or firewall rules. Move configuration files outside the webroot. Delete any backup files left in the webroot. Also consider using a security scanner to detect unintended exposure.
Rate Limiting TestScore: 100/100
Risk: Low
Impact: No rate limiting allows brute‑force attacks.
Sent 30 requests to /login, /reset-password, /api/login in 0.07 sec, 0 succeeded
Why this matters: Rate limiting prevents brute‑force attacks by limiting the number of requests a client can make in a given time. This test sends a burst of 30 rapid requests to common endpoints and checks for HTTP 429 (Too Many Requests) or other blocking status codes (403, 503). If all requests succeed, an attacker could launch a brute‑force attack without restriction. This test also measures the request rate (requests per second) to detect throttling. Mitigation: implement rate limiting using Redis, Memcached, or web server modules (e.g., `mod_evasive`, `ngx_http_limit_req_module`). Consider adding CAPTCHA after a few failed attempts.
CORS MisconfigurationScore: 100/100
Risk: Low
Impact: CORS misconfiguration can leak data.
CORS correctly configured or not present
Why this matters: Cross‑Origin Resource Sharing (CORS) controls which domains can access your resources. A misconfigured CORS policy (e.g., `Access-Control-Allow-Origin: *`) allows any website to read sensitive data from your site, potentially leading to data theft. This test checks for wildcard or dynamically reflected origins. Mitigation: restrict `Access-Control-Allow-Origin` to trusted domains, avoid `*`, and validate the `Origin` header on the server side.

Content & Malware

Group Score: 100/100
This category scans the content of your web pages for security issues: mixed content (HTTP resources loaded on HTTPS pages), malware patterns (eval, base64_decode, obfuscated code), exposed email addresses, sensitive files (backups, .env, .git), and dangerous code snippets. It works by fetching your HTML and parsing it for suspicious strings and patterns. Mixed content breaks HTTPS security, malware patterns indicate possible backdoors, and exposed emails invite spam. A low score may mean your site has been compromised or is leaking sensitive information.
Mixed ContentScore: 100/100
Risk: Info
Impact: HTTP resources can be intercepted or modified.
No mixed content
Why this matters: Mixed content occurs when an HTTPS page loads resources (images, scripts, styles) over HTTP. Active mixed content (scripts, iframes) can be intercepted and modified by attackers, breaking HTTPS security completely. Even passive mixed content (images) can be used for tracking or defacement. Browsers block active mixed content, but that may break your site. To fix, change all internal URLs to protocol-relative (`//example.com/image.jpg`) or absolute HTTPS. For external resources, ensure they support HTTPS. Alternatively, add the CSP directive `upgrade-insecure-requests` to automatically upgrade HTTP requests to HTTPS.
Malware PatternsScore: 100/100
Risk: Info
Impact: Malicious code can steal data, deface site, or inject ads.
No suspicious patterns
Why this matters: This check searches for common malware signatures: `eval()`, `base64_decode`, obfuscated strings, crypto miners (CoinHive), and credit card skimmers. It works by scanning the raw HTML and JavaScript of your homepage for these patterns. To reduce false positives, it ignores known minified libraries from trusted CDNs (e.g., Tailwind, Bootstrap, jQuery). If any suspicious pattern is found, your site may be hacked. Hackers inject such code to steal data, mine cryptocurrency, or redirect users. Action: review the flagged code, compare with a clean backup, scan your server with a security tool (e.g., Wordfence for WordPress), and update all software. Consider installing a Web Application Firewall (WAF) to block future injections.
Email DisclosureScore: 100/100
Risk: Low
Impact: Emails can be harvested by spammers.
No email addresses exposed
Why this matters: Email addresses found in HTML source code can be harvested by automated bots and used for spam, phishing, or targeted attacks. Even if you use `mailto:` links, bots can still extract the address. To reduce exposure, use a contact form that sends emails server‑side without revealing the recipient address. If you must display an email, obfuscate it using JavaScript (e.g., split the address and join it) or use a third‑party service like Cloudflare Email Obfuscation. This check counts the number of unique email addresses found.
Sensitive FilesScore: 100/100
Risk: Info
Impact: Exposed files can leak credentials.
No sensitive files exposed
Why this matters: Sensitive files like `.env`, backup archives, database dumps, and debug logs contain credentials, API keys, and internal configurations. If accessible via the web, attackers can download them and compromise your entire application. This check probes for common sensitive file paths. If any return HTTP 200, they are publicly accessible. To reduce false positives, this version ignores custom 404 pages, empty responses (under 100 bytes), and pages identical to the homepage. Fix: move all configuration files outside the public webroot. For files that must stay inside, add web server rules to deny access (e.g., `.htaccess` `deny from all`). Delete any backup files left in the webroot. Action: review your web server logs for unauthorised access attempts to these paths.
Code Snippets AnalysisScore: 100/100
Risk: Low
Impact: May contain malware or backdoors.
No dangerous function calls detected
Why this matters: Malicious code often uses functions like `eval()`, `base64_decode()`, or `system()` to execute hidden commands. This check extracts surrounding code snippets for manual review. It only flags actual function calls (with parentheses) to avoid false positives from variable names or comments. If a dangerous function is found, it may indicate a backdoor or malware. Action: manually inspect the flagged code. Compare it with a clean backup. If you are certain the code is legitimate (e.g., a legitimate library that uses `eval`), you can ignore the warning. Otherwise, remove or sanitize the dangerous functions and scan your server with a reputable security tool.

Technology & APIs

Group Score: 100/100
This category identifies the technologies your site uses: content management systems (WordPress, Drupal, Joomla), JavaScript frameworks (React, Vue, Angular), build tools (Webpack, Vite), hosting providers, and exposed API endpoints or keys. It works by examining HTML source code, JavaScript files, and HTTP headers. Knowing your tech stack helps you keep everything updated, because outdated components often contain known vulnerabilities. Exposed APIs or hardcoded keys can lead to data breaches. A low score means you’re using outdated software or leaking secrets.
Technology Stack (CMS, Frameworks, Hosting)Score: 100/100
Risk: Info
Impact: Outdated components may have known vulnerabilities.
Angular, Webpack, Web server: Vercel, Hosting: Amazon.com, Inc.
→ Keep all components updated.
Why this matters: Knowing your technology stack helps you track vulnerabilities and update outdated components. Each detected CMS, framework, or library may have known security issues if not kept up‑to‑date. Attackers often scan for specific versions of WordPress, jQuery, or server software to exploit unpatched CVEs. Action: maintain an inventory of all software used, subscribe to security advisories, and apply updates promptly. Hide server version headers to reduce information leakage.
Evidence:
Angular, Webpack, Web server: Vercel, Hosting: Amazon.com, Inc.
API Detection (Endpoints, Keys)Score: 100/100
Risk: Info
Impact: Exposed APIs or keys can lead to data breaches.
No suspicious APIs detected
Why this matters: Exposed API endpoints and keys in client‑side code can lead to data breaches, unauthorised access, and quota theft. Attackers can call those APIs directly, bypassing your frontend restrictions. This check finds URLs containing 'api', GraphQL references, Swagger docs, and hardcoded secrets. Action: move API calls to a backend proxy that validates authentication and rate limits. Never embed API keys in HTML or JavaScript. Use environment variables or a secrets manager.

Email Security

Group Score: 0/100
Email security records (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT) protect your domain from spoofing and ensure email deliverability. This category queries DNS TXT records to verify each record’s presence and syntax. SPF authorizes which servers can send email for your domain. DKIM adds a digital signature to outgoing emails. DMARC tells receivers what to do if SPF or DKIM fails. BIMI adds your logo to supported email clients. MTA-STS enforces TLS encryption for email delivery. A low score means attackers can impersonate your domain, leading to phishing and reputational damage.
Email Security (SPF/DKIM/DMARC/BIMI/MTA-STS/TLS-RPT)Score: 0/100
Risk: Medium
Impact: Missing records allow email spoofing.
SPF: No, DKIM: No, DMARC: No, BIMI: No, MTA-STS: No, TLS-RPT: No
→ Publish missing email security records.
Why this matters: Email authentication records protect your domain from being spoofed in phishing emails. SPF (Sender Policy Framework) lists authorised mail servers. DKIM (DomainKeys Identified Mail) signs outgoing emails to verify authenticity. DMARC (Domain‑based Message Authentication) tells receivers how to handle emails that fail SPF/DKIM. BIMI (Brand Indicators for Message Identification) displays your logo in supporting email clients. MTA‑STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email delivery. TLS‑RPT provides reporting. Missing these records makes it easy for attackers to impersonate your domain and send fraudulent emails that bypass spam filters.
Fix steps:
  • Add SPF: `v=spf1 mx ~all` (prevents spoofing)
  • Generate DKIM key and publish `selector._domainkey` TXT (signs outgoing emails)
  • Add DMARC: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com` (tells receivers what to do with failed SPF/DKIM)
  • Add BIMI: `v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem` (displays brand logo in email clients)
  • Add MTA-STS TXT record: `v=STSv1; id=2023010100` (enforces TLS for email delivery)
  • Add TLS-RPT TXT record: `v=TLSRPTv1; rua=mailto:tls-rua@yourdomain.com` (reports TLS failures)

Compliance & Policies

Group Score: 40/100
This category checks for two important files: robots.txt and security.txt. robots.txt tells search engines which paths to crawl (but is not a security control – it only guides bots). security.txt provides a standardized way for security researchers to contact you. The scanner checks if these files exist and, for security.txt, validates required fields (Contact and Expires). A low score may mean you’re missing security.txt (which makes it harder for researchers to report vulnerabilities) or robots.txt exposes sensitive paths (though it should never be relied upon for security).
Robots.txtScore: 80/100
Risk: Medium
Impact: Robots.txt is not a security control.
Disallows: /admin
→ Remove sensitive paths from robots.txt and use authentication.
Why this matters: Robots.txt tells search engine crawlers which paths to ignore. However, it is not a security control – it’s a public file that anyone can read. Listing sensitive paths (like `/admin` or `/backup`) in robots.txt actually advertises them to attackers. Instead of relying on robots.txt to hide pages, use proper authentication and access controls. This check warns if you have disallowed sensitive directories. Action: remove those entries from robots.txt and secure the actual directories with `.htaccess` (password protect) or server configuration.
Fix steps:
  • Remove sensitive paths from robots.txt.
  • Use proper access controls (e.g., .htaccess) for sensitive directories.
Evidence:
User-Agent: *
Allow: /
Allow: /llms.txt
Allow: /llms-full.txt
Allow: /llms-priority.txt
Allow: /rss.xml
Disallow: /api/
Disallow: /admin/
Disallow: /dashboard/
Disallow: /auth/
Disallow: /extension/
Disallow: /login
Disallow: /signup
Disallow: /onboarding
Disallow: /paywall
Disallow: /post-checkout
Disallow: /forgot-password
Disallow: /pricing/checkout
Disallow: /r/
Disallow: /static/
Disallow: /*?utm_
Disallow: /*?sort=
Disallow: /*?filter=

Sitemap: https://leadline.dev/sitemap.xml
Security.txtScore: 0/100
Risk: Info
Impact: Missing security.txt makes it harder for researchers to contact you.
Not found
→ Create security.txt
Fix steps:
  • Create `/.well-known/security.txt` with:\nContact: mailto:security@example.com\nExpires: 2025-12-31

Performance & SEO

Group Score: 50/100
This category measures how fast your site loads and whether it’s optimized for search engines. It checks page load time, Time To First Byte (TTFB), page size, GZIP/Brotli compression, cache headers, resource hints (preload, preconnect), and SEO metadata (canonical URLs, Open Graph tags, JSON-LD). It works by measuring actual download times and parsing HTML. Slow pages hurt user experience and SEO rankings; missing metadata prevents social sharing and search engine indexing. A low score means your site needs performance tuning and better SEO practices.
Performance (GZIP, Cache, Resource Hints)Score: 100/100
Risk: Low
Impact: Slow pages hurt user experience and SEO rankings.
Load time: 0.17 sec | TTFB: 0.11 sec | Size: 239.39 KB | GZIP: No | Brotli: No | Cache: Yes | Resource hints: preload
Why this matters: Performance affects user experience, SEO rankings, and conversion rates. This check measures total load time, Time To First Byte (TTFB), page size, and checks for GZIP/Brotli compression, cache headers, and resource hints. Slow load times indicate optimisation opportunities. Action: enable compression (GZIP or Brotli), leverage browser caching with `Cache-Control`, use a CDN, optimise images, and consider using resource hints like `preconnect` to speed up third‑party connections.
SEO MetadataScore: 0/100
Risk: Info
Impact: Missing metadata hurts social sharing and SEO.
Canonical: No, OG: No, Twitter Card: No, JSON-LD: No
→ Add missing metadata for better SEO and social sharing.
Why this matters: SEO metadata helps search engines understand your page content and improves how your site appears when shared on social media (Open Graph, Twitter Cards). Canonical URLs prevent duplicate content issues. JSON‑LD structured data enables rich snippets in search results (e.g., reviews, products, events). This check verifies the presence of these tags. Missing metadata won't cause security issues but harms your site’s visibility and click‑through rates. Add the recommended tags using a plugin or manually in your HTML `<head>`.
Fix steps:
  • <link rel="canonical" href="https://example.com/page">
  • <meta property="og:title" content="Page Title">
  • <meta property="og:image" content="https://example.com/image.jpg">
  • <meta name="twitter:card" content="summary_large_image">
  • <script type="application/ld+json">{ "@context": "https://schema.org", "@type": "WebSite", "url": "https://example.com" }</script>

Domain Intelligence

Group Score: 90/100
This category analyses domain reputation, search engine presence, and content authenticity. It checks domain age (via WHOIS and Archive.org), SEO metrics (domain length, TLD, backlink popularity), related domains, Wikipedia backlinks, Google indexing status, GEO match (server location vs content claims), suspicious domain structure (TLD/subdomain), typosquatting, brand impersonation (phishing detection via title/description), suspicious text patterns, and phishing blocklist checks. All checks use free public data and heuristics. A low score may indicate a very young domain, poor SEO, or signs of phishing/malware.
Domain Age & ArchiveScore: 100/100
Risk: Info
Impact: Domain age affects trust and SEO.
Creation date: Unknown · First crawl: Unknown
Why this matters: Domain age and archive history help assess trustworthiness. Older domains with consistent archival are generally more legitimate. Young domains (under 30 days) are often used for spam or phishing. This check uses WHOIS (whoisjson.com) to get the domain’s creation date and the Internet Archive Wayback Machine to find the first crawl date. The score is reduced for domains younger than 30 days. If your domain is new, focus on building trust through content and security best practices. If the creation date is unknown (WHOIS privacy), no penalty is applied.
SEO Metrics (Length, TLD, Pop)Score: 100/100
Risk: Info
Impact: SEO metrics affect search ranking.
Length: 12 characters · TLD: .dev · SEOkicks Pop: N/A
Why this matters: Domain length and TLD can affect SEO and memorability. Shorter domains are often more valuable. SEOkicks Pop estimates the number of referring domains (backlinks) – a higher pop indicates stronger backlink profile. This check uses a free API from SEOkicks (no key required). The score is informational only – it does not affect security. However, a very long domain or an unusual TLD (e.g., .xyz, .top) may be less trustworthy. Action: if your domain is long, consider a shorter redirect. Build quality backlinks to improve your site's authority.
Related DomainsScore: 100/100
Risk: Info
Impact: Identifies similar sites.
No related domains found
Why this matters: Related domains show sites with similar audience or backlink profiles. This can indicate industry relevance or potential competition. The test uses SEOkicks' free API to find domains that share backlinks with yours. The score is informational only – no security impact. Action: review the related domains; if they are malicious or spammy, consider disavowing shared backlinks via Google Search Console. If you see domains you don't recognise, investigate whether they are linking to you legitimately.
Wikipedia BacklinksScore: 0/100
Risk: Info
Impact: Authority signal.
No Wikipedia backlinks
Why this matters: Wikipedia backlinks are a strong trust signal. Domains cited on Wikipedia are generally authoritative and less likely to be malicious. This check uses Wikipedia's free API to count how many Wikipedia pages link to your domain. A score of 0 means no Wikipedia backlinks – this is normal for most websites. If you have a Wikipedia page, ensure it links to your official domain. Action: if you believe your site deserves a citation, improve your content to become a reference in your field.
Google Indexing StatusScore: 100/100
Risk: Info
Impact: Affects search visibility.
Domain is likely indexed (DuckDuckGo check)
Why this matters: This check uses the DuckDuckGo API to see if your domain appears in search results. DuckDuckGo's index is primarily sourced from Bing, but it serves as a reliable proxy for Google indexing. A positive result strongly suggests your site is indexed by major search engines. If you need to confirm with Google directly, use Google Search Console. Action: no immediate action needed, but ensure your robots.txt does not block crawlers and that you have submitted a sitemap.
GEO Match (Server vs Content)Score: 100/100
Risk: Info
Impact: No suspicious GEO mismatch.
Server country: US · No high‑risk mismatch detected
Why this matters: GEO mismatch (e.g., server in Russia but site claims to be in USA) can indicate malicious redirects or fake sites. Your server is located in a normal hosting region (not in the high‑risk list), so no penalty is applied. Even if your site mentions other countries, it is not considered suspicious. Action: no action needed.
Suspicious Domain StructureScore: 100/100
Risk: Info
Impact: Suspicious domain structure may indicate phishing.
Domain structure looks normal
Why this matters: Attackers often use cheap, suspicious TLDs (like .xyz, .top, .click) or subdomains containing words like 'login', 'secure', or brand names to trick users. This check flags such patterns. A suspicious TLD or subdomain does not guarantee malicious intent – some legitimate sites use these TLDs. However, it is a strong indicator of phishing or spam when combined with other suspicious signals. Action: if your domain uses a suspicious TLD or subdomain, consider moving to a more reputable TLD (e.g., .com, .org, .net). If you are a legitimate site, add a security.txt file and other trust signals to reassure users.
Brand Impersonation (Phishing)Score: 100/100
Risk: Low
Impact: Phishing risk: impersonating trusted brands.
No brand impersonation detected
Why this matters: Phishing sites often copy brand names in the page title and meta description to trick search engines and users. This check extracts the title and description and compares them against a list of well‑known brands (social media, banks, tech, retail). To avoid false positives, it ignores common phrases like 'Google Fonts' or 'Apple Music'. It also requires that the brand name appears as a whole word, not part of a longer phrase. If the brand is mentioned and the domain is not an official domain for that brand, it is flagged as potential phishing. Action: if you legitimately mention a brand (e.g., 'We use Google Analytics'), ensure the title/description clarifies that you are not impersonating the brand. For your own brand, use a consistent domain name.
Suspicious Text PatternsScore: 100/100
Risk: Info
Impact: May indicate social engineering.
No urgent/panic language detected
Why this matters: Phishing pages often use fear‑based language (e.g., 'your account will be suspended', 'urgent action required') to pressure users into acting without thinking. This check scans the page content for such phrases. The score is reduced if multiple patterns are found. The test is heuristic and may produce false positives on legitimate pages that use similar language for non‑malicious purposes (e.g., a legal notice). Action: review the flagged text. If your site legitimately uses such language, you can ignore the warning. Otherwise, rephrase to avoid creating unnecessary panic.
Phishing DetectionScore: 100/100
Risk: Low
Impact: Phishing sites steal user credentials.
Not listed in known phishing databases
Why this matters: Phishing websites impersonate legitimate brands to steal credentials, credit card numbers, or personal information. This check compares the domain against a small local blocklist (expandable). If your domain is listed, it means your site may have been compromised or is being used for phishing. Action: immediately investigate the source code, remove malicious content, and request delisting from phishing databases. For better coverage, integrate the Google Safe Browsing API (free tier available).

Additional Security

Group Score: 96/100
This category covers several important security aspects: MFA detection (whether your login forms mention 2FA), threat intelligence (URLhaus, Feodo Tracker, PhishTank), external script risks (third‑party scripts that could be hijacked), accessibility (WCAG compliance), and subdomain takeover risks. It works by scanning HTML, checking blacklists, and analyzing external resources. A low score may indicate you lack MFA, use risky external scripts, or have accessibility issues.
Authentication & MFAScore: 100/100
Risk: Info
Impact: MFA greatly reduces account takeover risk.
No login forms
Why this matters: Multi‑Factor Authentication (MFA) adds a second layer of security beyond just a password. Even if a password is stolen, the attacker cannot log in without the second factor (e.g., a one‑time code from an authenticator app). This check looks for login forms and mentions of MFA in the page content. If you have a login form but no mention of MFA, you are strongly encouraged to implement it. Many platforms offer built‑in MFA (WordPress plugins, Laravel packages, cloud IAM).
Threat IntelligenceScore: 100/100
Risk: Info
Impact: Domain may be compromised or malicious.
Not found in threat intelligence feeds
Why this matters: Threat intelligence feeds (URLhaus, Feodo Tracker, PhishTank) aggregate known malicious domains and IP addresses. If your domain appears, it may have been compromised or used for phishing. This check downloads fresh feeds hourly and caches them locally – no API keys required. It checks whether your domain or its IP address is listed in any of these feeds. A positive result is critical and requires immediate investigation. Action: if listed, scan your server for malware, remove malicious content, and request delisting from the respective feed. For URLhaus, you can submit a removal request. For PhishTank, mark the domain as not phishing. Also consider implementing a Web Application Firewall (WAF) to prevent future compromises.
External Risks (Third-Party Scripts)Score: 100/100
Risk: Low
Impact: External scripts can be hijacked (supply chain attack).
No suspicious external scripts
Why this matters: External scripts from third‑party domains can be hijacked (supply chain attack) or introduce malicious code without your knowledge. This check lists all external script sources that are not from common CDNs. Even trusted CDNs can be compromised. To mitigate, use Subresource Integrity (SRI) – a hash that ensures the script hasn’t changed. For highly sensitive applications, consider self‑hosting critical libraries. Also, restrict external domains via Content Security Policy (CSP).
Accessibility (WCAG)Score: 80/100
Risk: Low
Impact: Accessibility issues affect users with disabilities.
Missing alt: 0, ARIA: Yes, Headings: No, lang: Yes
→ Improve accessibility: add alt text, ARIA labels, proper heading structure, and language attribute.
Why this matters: Web accessibility (WCAG) ensures that people with disabilities can use your site. Missing `alt` attributes on images makes screen readers announce nothing, harming users who are blind. Missing heading structure (`<h1>`, `<h2>`) prevents proper navigation. ARIA attributes help describe custom components. A missing `lang` attribute affects pronunciation for screen readers. While not a direct security issue, accessibility is a legal requirement in many jurisdictions (ADA, Section 508, EU Web Accessibility Directive). Action: add descriptive alt text, use semantic headings, and set the language.
Fix steps:
  • Ensure headings follow hierarchical order (h1, h2, h3...).
Subdomain TakeoverScore: 100/100
Risk: Info
Impact: Subdomain takeover allows attackers to host malicious content on your domain.
No subdomain takeover risks detected
Why this matters: Subdomain takeover occurs when a DNS CNAME record points to an external service (e.g., AWS S3 bucket, GitHub Pages, Heroku) that has been deleted or is no longer in use. An attacker can then claim that service (e.g., recreate the bucket) and host malicious content under your subdomain. This can lead to phishing, cookie theft, or bypassing CORS security. This check scans common subdomains (www, mail, api, dev, etc.) for CNAME records. If a CNAME is found, it checks whether the target domain resolves and whether the target returns a generic 'not found' page (HTTP 4xx). If the target does not resolve or returns a 404/410, it is flagged as potentially vulnerable. Action: remove unused CNAME records. If you still need the service, ensure the account is active and secure. Consider using a monitoring service to alert you of changes.

Vulnerability Management

Group Score: 100/100
This category detects software versions (WordPress, jQuery, Bootstrap, React, Vue, Angular, web servers) and queries the NVD (National Vulnerability Database) for known CVEs. The NVD API is free and does not require a key, but has rate limits – we cache results for 24 hours. If vulnerabilities are found, update the affected software immediately. A high score means no known vulnerabilities were detected in the software versions identified on your site.
Version VulnerabilitiesScore: 100/100
Risk: Low
Impact: Outdated software may contain known vulnerabilities.
No known vulnerabilities detected
→ Keep all software updated
Why this matters: This check detects software versions (WordPress, jQuery, Bootstrap, React, Vue, Angular, web servers) by scanning HTML source code and HTTP response headers. It then queries the NVD (National Vulnerability Database) for known CVEs (Common Vulnerabilities and Exposures) associated with those specific versions. The NVD API is free and does not require a key, but has rate limits – we cache results for 24 hours to stay within limits. If vulnerabilities are found, they are displayed with their CVE IDs and descriptions. Action: update the affected software immediately. Even if no vulnerabilities are detected, keeping software updated is a best practice. Also consider hiding version information in headers (e.g., `ServerTokens Prod` for Apache, `server_tokens off` for Nginx) to reduce information leakage.
Loading validity...
New Audit