Free security check · in seconds

Find out what your website is exposing — in 30 seconds

Paste your URL and get a 0-to-100 score with everything that's going wrong, sorted by severity. We tell you exactly how to fix each issue — you, your team, or your AI.

Confirmo que soy dueño de este sitio o tengo autorización para escanearlo. Ver términos.

See an example result

No card · nothing to install · we check your public surface, not a deep audit · we don't store your code.

Illustrative exampleSample data · scan your site to see your own

Escaneando…

0:21 / 0:30

HTTP headers100%
TLS / certificates88%
Cookies and session72%
CORS and redirects58%
Stack: Supabase / Firebase / Clerk38%
Compliance mapping18%

Hallazgos en vivo

CRIT3HIGH11MED24LOW47

CRIT
TLS certificate expired 4 days agocheckout.yourapp.com
ssl-expired
HIGH
CORS with wildcard and credentialsapi.yourapp.com
cors-wildcard
HIGH
Session cookie missing Secure flagapp.yourapp.com
cookie-missing-secure
MED
Missing Content-Security-Policywww.yourapp.com
csp-missing
LOW
X-Content-Type-Options absentblog.yourapp.com
x-content-type-options

What it does

Everything you need to protect your site

From the first scan to a report you can share, with clear results for any website owner (and for your AI, if you use one).

Review

What we check

We review what your site shows the world: configuration, certificates, cookies, access points, and the spots where problems tend to hide.

Saber más

Fix

We tell you how to fix it

Every issue comes with clear instructions to fix it. And if you use AI, the prompt is ready to paste into Claude, Cursor, or ChatGPT.

Saber más

Clarity

Score and priorities

A clear 0-to-100 score with every finding sorted by severity: critical, high, medium, low. No fear-mongering.

Saber más

Report

A report you can share

A report you can print or share with your team, your boss, or your client, with the evidence behind every finding.

Saber más

Teams

API for teams

Got several apps or want to automate? An API with keys to query your projects, scans, and findings.

Saber más

Honesty

No false promises

We only show what already works. Anything still on the way is marked as such — no hype, no empty promises.

Saber más

How you fix it

From problem to fix, no guessing

We explain every issue in plain words and what to do about it. And if you work with AI, we give you the prompt ready to paste.

Ready-to-paste prompts

Optimized for Claude Code, Cursor, and Windsurf. They include context for the detected framework (Next, Express, Django, Rails).

Concrete evidence

Each prompt starts from the finding, severity, category, URL, and technical evidence captured by the scanner.

Backend detection

We detect Supabase, Firebase, and Clerk in the frontend and tell you what to check: RLS, Security Rules, and test-mode keys served in production.

API to automate

The v1 endpoints let you query projects, scans, and findings with API keys on plans that include API access.

prompt.mdHIGH

# Finding: Content-Security-Policy header missing
# Detected framework: Next.js 15

I need you to fix this security issue in my
Next.js application.

Root cause:
- /_next/static and /api don't emit a CSP, so any
  injected script runs without restrictions.

Suggested change:
1. Define the CSP in `middleware.ts` with per-request nonces.
2. Allow 'self', your CDN, and your Supabase domain.
3. Add `upgrade-insecure-requests`.

Test:
- Curl /  →  Content-Security-Policy present and with nonce.
- Playwright: block inline script without nonce.

Why it matters: without a CSP, an injected script can
steal your users' data or hijack their session.

Checks

Technical security coverage in one place

Over 12 checks run in parallel on your site, in seconds. Nothing to install.

HTTP headers

CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options reviewed against modern rules.

TLS / SSL

We detect expiring certificates, outdated TLS, mixed content, and broken HTTPS.

Cookies

Secure, HttpOnly, SameSite, and `__Host` prefixes evaluated with session context.

CORS

Dangerous wildcards, `null` origins, and risky methods like TRACE.

Open redirects

We test common parameters (`next`, `url`, `returnTo`) against external domains.

Exposure and leaks

Exposed .env files, public source maps, open API schemas, and sensitive paths in robots.txt.

Platform

Built for any website

No noise and no fear-mongering: what matters first, in words you understand, with no need to be an expert.

Zero install

Paste your link and you're done. Nothing to install, no code to touch, nothing to configure.

In words you understand

We explain every issue in plain words and give you a step-by-step to fix it, yourself or with your AI.

Re-scan and confirm

Re-scan whenever you want to confirm that what you fixed is truly fixed.

Clear for you and your AI

Tidy results with evidence, easy to read for you and for your AI agent too.

How it works

From URL to fix in 3 steps

Scan

Paste your URL. In seconds we run 12+ passive checks on your public surface, with nothing installed on your site.

Prioritize

You see the score, severity, and a clear action plan: the critical stuff first, no jargon.

Fix

We tell you how to resolve each issue. If you use AI, copy the ready-made prompt. Re-scan to confirm.

Resources

Learn to protect your site and your data

Clear guides on web security and on each country's data protection laws (LGPD, CCPA, Law 21.719, and more). No jargon, ready to apply.

Security

Web security checklist

The essentials to protect your site, even if you're not technical.

Saber más

Laws by country

Data protection where you operate

LGPD (Brazil), CCPA (USA), Law 21.719 (Chile), and more, explained simply.

Saber más

Guides

HTTPS, SSL, and the basics

What they are and why your site needs them.

Saber más

See the whole blog

Find out if your website is secure in under 5 minutes

Sign up for free, see your first finding, and whenever you want to fix it, unlock the step-by-step instructions with a paid plan. Nothing installed on your site.

Scan for free See pricing

Frequently asked questions

What does the Pursecure security scan check?

Over 12 passive checks on what your site shows publicly: HTTPS/SSL, HTTP headers (CSP, HSTS), cookies, CORS, open redirects, and exposed files or configuration.

What kind of sites is it for?

Anything with a public URL: businesses, online stores, landing pages, blogs, WordPress, Shopify, Wix, and web apps. It doesn't matter what it's built with.

Do I need to be technical or install anything?

No. You paste your site's link and that's it; nothing to install and no code to touch. We explain every issue in plain words.

How do I fix the issues it finds?

Every finding comes with clear instructions. And if you work with AI (Claude, Cursor, ChatGPT), we give you the prompt ready to paste.

Does it help with data protection?

Yes. Your site's security is the foundation of compliance. On the blog we explain each country's laws (LGPD, CCPA, Law 21.719, and more) and your report documents the measures you took.

How much does it cost, and is there a free plan?

Yes. The Free plan scans with no card. Paid plans range from USD 29/mo to USD 199/mo.

Cargando…

Find out what your website is exposing — in 30 seconds

Paste your URL and get a 0-to-100 score with everything that's going wrong, sorted by severity. We tell you exactly how to fix each issue — you, your team, or your AI.

Confirmo que soy dueño de este sitio o tengo autorización para escanearlo. Ver términos.

No card · nothing to install · we check your public surface, not a deep audit · we don't store your code.

# Finding: Content-Security-Policy header missing # Detected framework: Next.js 15 I need you to fix this security issue in my Next.js application. Root cause: - /_next/static and /api don't emit a CSP, so any injected script runs without restrictions. Suggested change: 1. Define the CSP in `middleware.ts` with per-request nonces. 2. Allow 'self', your CDN, and your Supabase domain. 3. Add `upgrade-insecure-requests`. Test: - Curl / → Content-Security-Policy present and with nonce. - Playwright: block inline script without nonce. Why it matters: without a CSP, an injected script can steal your users' data or hijack their session.

Frequently asked questions

What does the Pursecure security scan check?

Over 12 passive checks on what your site shows publicly: HTTPS/SSL, HTTP headers (CSP, HSTS), cookies, CORS, open redirects, and exposed files or configuration.

What kind of sites is it for?

Anything with a public URL: businesses, online stores, landing pages, blogs, WordPress, Shopify, Wix, and web apps. It doesn't matter what it's built with.

Do I need to be technical or install anything?

No. You paste your site's link and that's it; nothing to install and no code to touch. We explain every issue in plain words.

How do I fix the issues it finds?

Every finding comes with clear instructions. And if you work with AI (Claude, Cursor, ChatGPT), we give you the prompt ready to paste.

Does it help with data protection?

Yes. Your site's security is the foundation of compliance. On the blog we explain each country's laws (LGPD, CCPA, Law 21.719, and more) and your report documents the measures you took.

How much does it cost, and is there a free plan?

Yes. The Free plan scans with no card. Paid plans range from USD 29/mo to USD 199/mo.