Check what your website is exposing before someone else does.

WebShield scans any URL across transport, network, and application layers. It checks security headers, TLS handshakes, CVEs, cookies, DNS configuration, email authentication, exposed file paths, third-party trackers, and technology fingerprints. Results include a scored report with a 22-article knowledge base and copy-paste remediation configs.

webshield.orygn.tech


How it works

Enter a URL, get a security report, fix what matters.

WebShield opens raw TLS sockets, resolves DNS, probes exposed paths, inspects every response header, and fingerprints third-party scripts. Results are scored, graded, and paired with a knowledge base article and remediation config for each finding.

01. Enter any website URL

Paste or type the URL of the website you want to scan. WebShield accepts any publicly accessible domain or page.

02. Review the security report

WebShield scores your site across transport, content, privacy, cookies, and CORS categories. Each finding links to a knowledge base article explaining the risk and providing platform-specific remediation configs.

03. Act on the findings

Each finding is presented with enough context to understand the risk. Use the report to prioritize fixes, share with your development team, or verify that a remediation worked.

What it catches

The security gaps that most websites overlook.

Security headers and CSP parsing

Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and COEP. A custom parser tokenizes CSP directives to detect unsafe-inline, unsafe-eval, and missing object restrictions.
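
A CSP audit of the kind described above has to account for `default-src` fallback, repeated directives, and nonces or hashes that neutralize `'unsafe-inline'`. The sketch below is an added example, not WebShield's parser; the function names and finding labels are assumptions.

```javascript
// Added example (not WebShield's parser): tokenize a CSP header value and flag weak rules.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditCsp(headerValue) {
  const directives = parseCsp(headerValue);
  const findings = [];
  // script-src and object-src both fall back to default-src when absent.
  const effective = (name) => directives.get(name) ?? directives.get('default-src');

  const script = effective('script-src');
  if (script === undefined) {
    findings.push('script-src-missing');
  } else {
    const sources = script.map((s) => s.toLowerCase());
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('unsafe-inline');
    if (sources.includes("'unsafe-eval'")) findings.push('unsafe-eval');
  }
  // No object-src and no default-src means plugins/objects are unrestricted.
  if (effective('object-src') === undefined) findings.push('object-src-missing');
  return findings;
}

// Constructed sample policy: inline and eval allowed, object-src covered by default-src.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
```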

CVE detection via OSV.dev

Statically analyzes script filenames and content to fingerprint outdated libraries (jQuery 1.x, Angular 1.x, and others), then checks them against the OSV.dev vulnerability database for known CVEs with public exploits.

TLS handshake and cipher analysis

Opens raw TLS sockets to inspect negotiated protocol, ALPN support, cipher suites, forward secrecy, OCSP stapling, certificate chain, and key type. Enforces TLS 1.2 minimum and flags deprecated configurations.

DNS and email authentication

Resolves CAA, MX, and DNSSEC records. Probes email authentication across SPF, DMARC, DKIM (13 common selectors), MTA-STS, TLS-RPT, and BIMI to surface spoofing and deliverability risks.

Exposed paths and server leaks

Probes for .git/config, .env, .DS_Store, phpinfo, server-status, and security.txt. Each probe validates response content, not just status codes, to avoid false positives from SPA catch-all routes.
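
Content validation is what separates a real leak from a single-page app that answers every path with `200` and its HTML shell. The classifier below is an added example, not WebShield's code; the validator rules, the `/phpinfo.php` path, the result labels, and the sample responses are assumptions constructed for illustration.

```javascript
// Added example (not WebShield's code): decide whether a probe response really is the file.
// A response is { status, contentType, body }; the rules below are illustrative assumptions.
const looksLikeHtml = (r) =>
  /text\/html/i.test(r.contentType || '') || /^\s*<(!doctype|html)/i.test(r.body);

const VALIDATORS = {
  // A git config is INI text with a [core] section and repositoryformatversion.
  '/.git/config': (r) =>
    /^\s*\[core\]/m.test(r.body) && /repositoryformatversion\s*=/.test(r.body),
  // A dotenv file is non-HTML text with at least one KEY=value line.
  '/.env': (r) => !looksLikeHtml(r) &&
    r.body.split(/\r?\n/).some((line) => /^(export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=/.test(line)),
  // phpinfo() output is an HTML page carrying a "PHP Version" heading.
  '/phpinfo.php': (r) =>
    looksLikeHtml(r) && /phpinfo\(\)/.test(r.body) && /PHP Version/.test(r.body),
};

function classifyProbe(path, response) {
  const validate = VALIDATORS[path];
  if (!validate) throw new Error(`no validator for ${path}`);
  if (response.status !== 200) return 'not-exposed';
  // 200 with the wrong content is a catch-all route, not a leak.
  return validate(response) ? 'exposed' : 'false-positive';
}

// Constructed sample responses.
const SPA_SHELL = {
  status: 200,
  contentType: 'text/html; charset=utf-8',
  body: '<!doctype html><html><head><script>window.API="x"</script></head>' +
        '<body><div id="root"></div></body></html>',
};
const REAL_GIT_CONFIG = {
  status: 200,
  contentType: 'text/plain',
  body: '[core]\n\trepositoryformatversion = 0\n\tbare = false\n',
};
const REAL_DOTENV = {
  status: 200,
  contentType: 'application/octet-stream',
  body: 'APP_ENV=production\nDB_HOST=db.internal.example\n',
};
```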

Tracker inventory and tech fingerprinting

Identifies third-party trackers (Google Analytics, Meta Pixel, TikTok, Clarity, and 20+ others) and fingerprints server technology, CDNs, frameworks, and CMS platforms from headers, cookies, and HTML patterns.

CORS, SRI, and application checks

Flags CORS wildcards with credentials, missing Subresource Integrity on external scripts, reverse tabnabbing on `target="_blank"` links, mixed HTTP content on HTTPS pages, and cookie security attributes.

Knowledge base and remediation engine

Every finding links to one of 22 in-depth articles explaining the vulnerability, its impact, and how to fix it. The remediation engine generates copy-paste configs for Nginx, Apache, Vercel, Netlify, Cloudflare, AWS, IIS, Express, Go, and PHP.

Built with

Custom scanning engine with a modern web frontend.

WebShield uses a custom Node.js scanning engine that opens raw TLS sockets, pins DNS resolutions to prevent SSRF, and follows redirects with per-hop IP validation. Scan results persist in Supabase and are rendered in a Next.js 16 frontend with shareable report URLs, a compare tool, and a 22-article knowledge base.
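
Per-hop validation with pinning means every redirect target is resolved once, every answer is checked against non-public ranges, and the connection goes to that checked address rather than to a second lookup. The sketch below is an added example, not WebShield's code; it is narrowed to IPv4 (anything else fails closed), takes already-resolved answers as input, and all names and sample hosts are assumptions.

```javascript
// Added example (not WebShield's code): validate every redirect hop's resolved addresses
// and return the address to pin the connection to. IPv4 only; anything else fails closed.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function ipv4ToNumber(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function isPublicIPv4(ip) {
  const n = ipv4ToNumber(ip);
  if (n === null) return false; // unparseable or IPv6: fail closed
  return !BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(ipv4ToNumber(net) / size);
  });
}

// hops: [{ url, answers }] where answers are the A records resolved for that hop's host.
function checkRedirectChain(hops) {
  const pins = [];
  for (const [index, hop] of hops.entries()) {
    const { protocol, hostname } = new URL(hop.url);
    if (protocol !== 'http:' && protocol !== 'https:') return { ok: false, index, reason: 'scheme' };
    // Reject the hop if ANY answer is non-public, so a mixed record set cannot slip through.
    if (hop.answers.length === 0 || !hop.answers.every((a) => isPublicIPv4(a))) {
      return { ok: false, index, reason: 'non-public address' };
    }
    // Connect to this exact address (Host/SNI stay `hostname`) instead of resolving again.
    pins.push({ hostname, connectTo: hop.answers[0] });
  }
  return { ok: true, pins };
}

// Constructed chain: a public first hop that redirects to a host with an internal answer.
const SAMPLE_CHAIN = [
  { url: 'https://shop.example/', answers: ['203.0.113.10'] },
  { url: 'https://cdn.example/asset', answers: ['198.51.100.7', '10.0.0.5'] },
];
```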

Next.js 16, TypeScript, Supabase, Cloudflare Turnstile, Raw TLS Sockets, OSV.dev CVE Matching, 22 Knowledge Base Articles, Remediation Engine

FAQ

Common questions about WebShield.

Yes. WebShield is free to use with no signup required. Enter any URL and get a security report immediately.

WebShield scans across transport, network, and application layers: security headers (CSP, HSTS, COOP, COEP, Permissions-Policy), TLS handshakes and cipher suites, CVEs in JavaScript libraries via OSV.dev, cookie security, DNS (CAA, MX, DNSSEC), email authentication (SPF, DMARC, DKIM, MTA-STS, BIMI), exposed paths (.git, .env, phpinfo), CORS, SRI, reverse tabnabbing, third-party tracker inventory, and technology fingerprinting.

WebShield can scan any publicly accessible URL. It cannot scan sites behind authentication or firewalls that block external requests.

WebShield covers transport, network, and application layers in a single scan. Beyond security headers, it checks DNS configuration, email authentication, exposed file paths, third-party trackers, technology fingerprinting, and CVEs. It also includes a 22-article knowledge base with detailed explanations and copy-paste remediation configs for Nginx, Apache, Vercel, Netlify, Cloudflare, AWS CloudFront, IIS, Express, Go, and PHP.

Yes. Scan results persist in Supabase and can be shared via unique report URLs. Each scan produces a fresh report based on the current state of the target website.

Yes. WebShield includes 22 in-depth articles covering every vulnerability it detects. Each article explains the risk, provides remediation steps, and includes copy-paste configuration snippets for multiple platforms including Nginx, Apache, Vercel, Netlify, Cloudflare Workers, AWS CloudFront, IIS, Express, Go, and PHP.

Built by Orygn

WebShield is one of several tools Orygn has built to make security assessment more accessible.

Orygn builds custom software, internal tools, and security-focused systems for small businesses and growing teams. WebShield is a working example of that approach applied to website security posture.
