Scan your website for security vulnerabilities: headers, TLS, exposed files, DNS and reputation. Get a detailed report with exactly what to fix.
6 security categories, 50+ individual checks in one free scan.
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy checked.
Certificate validity, expiry date, HTTPS redirect and mixed content issues detected.
Tests if .env, .git/config, backup.sql, phpinfo.php and admin panels are publicly accessible.
Scans HTML for exposed emails, API keys (Stripe, AWS, GitHub) and sensitive code comments.
SPF, DMARC and DNSSEC records verified. Missing records leave you vulnerable to email spoofing.
Your server IP checked against Spamhaus, SpamCop and SORBS blacklists.
At minimum: HSTS (forces HTTPS), X-Content-Type-Options (prevents MIME sniffing), X-Frame-Options (prevents clickjacking) and Referrer-Policy. CSP is the most powerful but most complex to configure.
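A minimal audit of those four headers, as an added example (not Scanlei's own code). It grades each header's value rather than only its presence; the 180-day HSTS threshold, the set of Referrer-Policy values counted as strict, and the sample responses are assumptions constructed for this example.

```python
import re

MIN_HSTS_AGE = 15552000  # 180 days; threshold is this example's assumption
# Referrer-Policy values treated as strict here (assumption of this example).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def _hsts(value):
    # A short max-age leaves long windows where HTTPS is not enforced.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= MIN_HSTS_AGE

def _referrer(value):
    # The header may list fallbacks; this check judges the last token.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] in STRICT_REFERRER

CHECKS = {
    "strict-transport-security": _hsts,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    # ALLOW-FROM is obsolete and ignored by current browsers, so it is weak.
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": _referrer,
}

def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak: <value>'} for the minimum set."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name, is_strong in CHECKS.items():
        if name not in seen:
            report[name] = "missing"
        elif is_strong(seen[name]):
            report[name] = "ok"
        else:
            report[name] = f"weak: {seen[name]}"
    return report

# Constructed sample responses (not taken from any real site).
WEAK = {"Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "Referrer-Policy": "unsafe-url"}
HARDENED = {"strict-transport-security": "max-age=31536000; includeSubDomains",
            "x-content-type-options": "nosniff",
            "x-frame-options": "DENY",
            "referrer-policy": "no-referrer, strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(sample))
```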
A .env file contains environment variables like database passwords, API keys and secret tokens. If it's publicly accessible, attackers can steal credentials and gain full access to your systems. Scanlei tests for this and 10+ other exposed file patterns.
We verify SPF records (prevents email spoofing), DMARC records (policy for failed SPF/DKIM), and DNSSEC (cryptographic validation of DNS responses). Missing these makes your domain vulnerable to phishing attacks.
Yes. Automated scanners constantly probe the internet for exactly these vulnerabilities. A .env file exposed for even a few hours can be found and exploited before you notice.