DEEP DIVE
How the Scan Engine Works
Our architecture simulates a sophisticated threat actor's reconnaissance phase, analyzing every layer of your application's defense from the TLS handshake to the DOM.
Transport Security
We negotiate the TLS connection to verify that the server offers TLS 1.2/1.3, modern cipher suites, RSA/ECDSA signatures, and HTTP/2 via ALPN. This confirms encryption strength and also that your server supports current performance protocols.
TLS 1.2 / 1.3 Only
HTTP/2 (ALPN)
RSA/ECDSA Signatures
HSTS Preload Ready
Code & Cookies
Static analysis of the rendered DOM. We check for outdated libraries (CVEs), dangerous patterns, and insecure session cookies.
- Vulnerable JS (OSV.dev): Critical
- Cookie Security (HttpOnly): High
- Unsafe Links: Medium
Headers & Defense
We parse your Content-Security-Policy for 'unsafe-inline' and ensure you aren't leaking server version details.
Deep CSP Audit, Anti-Fingerprinting, HSTS, Referrer
Full Audit Specifications
Every single metric our engine evaluates.
01 Transport & Network
TLS Protocol: Must support TLS 1.2 or 1.3. TLS 1.0/1.1 fails immediately.
Cipher Strength: No weak CBC, RC4, or NULL ciphers allowed.
DNS Rebinding: We pin the resolved IP for the duration of the scan to prevent rebinding attacks.
Redirect Chain: Analyzes hop count (max 10) and HTTPS enforcement.
ALPN: Checks for h2 (HTTP/2) protocol negotiation.
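The redirect-chain check above, as an added example that is not the scanner's own code: it follows Location headers, applies the 10-hop limit, detects loops, and reports any hop that is not HTTPS and any chain that does not end on HTTPS. Instead of sending requests it walks a constructed table of {url: (status, Location)} so it runs offline; the URLs and tables are constructed for illustration.

```python
# Added example (not the scanner's own code): redirect-chain analysis with the
# hop limit and HTTPS enforcement described above. Instead of sending requests
# it walks a constructed table {url: (status, Location)} so it runs offline.
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # the hop limit stated in the spec
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(start_url, responses, max_hops=MAX_HOPS):
    """Follow Location headers from start_url; report the chain, the hop
    count, loops, hop-limit violations, plain-HTTP hops and a non-HTTPS end."""
    chain = [start_url]
    seen = {start_url}
    findings = []
    url = start_url
    while True:
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        next_url = urljoin(url, location)  # Location may be relative
        if next_url in seen:
            findings.append("redirect-loop")
            break
        if len(chain) - 1 >= max_hops:
            findings.append("too-many-redirects")
            break
        chain.append(next_url)
        seen.add(next_url)
        url = next_url
    # Every hop after the one we started from must already be HTTPS ...
    for hop in chain[1:]:
        if urlsplit(hop).scheme != "https":
            findings.append(f"insecure-hop:{hop}")
    # ... and the chain must end on HTTPS, or HTTPS is not enforced at all.
    if urlsplit(chain[-1]).scheme != "https":
        findings.append("no-https-enforcement")
    return {"chain": chain, "hops": len(chain) - 1, "findings": findings}


# Constructed response tables (hypothetical hosts).
GOOD = {"http://example.test/": (301, "https://example.test/"),
        "https://example.test/": (200, None)}
DOWNGRADE = {"http://example.test/": (301, "https://example.test/"),
             "https://example.test/": (302, "http://example.test/home"),
             "http://example.test/home": (200, None)}
LOOP = {"https://a.test/": (302, "/b"), "https://a.test/b": (302, "/")}
ENDLESS = {f"https://x.test/{i}": (302, f"/{i + 1}") for i in range(20)}

if __name__ == "__main__":
    for name, table, start in (("good", GOOD, "http://example.test/"),
                               ("downgrade", DOWNGRADE, "http://example.test/"),
                               ("loop", LOOP, "https://a.test/"),
                               ("endless", ENDLESS, "https://x.test/0")):
        print(name, follow_redirects(start, table))
```

Starting from the plain-HTTP URL is deliberate: the first hop is expected to be insecure, and the check is whether everything after it stays on HTTPS.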
02 Server Defense
Deep CSP Audit: Parses policy logic for 'unsafe-inline' and 'unsafe-eval'.
HSTS & Preload: Checks max-age (> 1 year), includeSubDomains, and preload.
Modern Headers: Checks COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy).
Permissions: Validates Permissions-Policy (camera, microphone, geolocation).
Referrer Policy: Must not leak URLs (no 'unsafe-url').
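The Server Defense checks above, as an added example that is not the scanner's own code: it parses a CSP into directives and inspects the script-loading directive, checks HSTS max-age/includeSubDomains/preload, COOP/COEP, Permissions-Policy for camera, microphone and geolocation, Referrer-Policy, and version numbers in Server / X-Powered-By (the anti-fingerprinting check). It goes slightly beyond the spec by also flagging no-referrer-when-downgrade, which sends the full URL to other HTTPS origins. The weak and hardened header sets are constructed; the one-year HSTS constant is the preload list's minimum.

```python
# Added example (not the scanner's own code): response-header audit covering
# the "Server Defense" checks. Header values below are constructed.
import re

HSTS_ONE_YEAR = 31536000  # seconds; the preload list requires at least this


def parse_csp(csp):
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_csp(csp):
    """Flag unsafe-inline, unsafe-eval or a wildcard in the script directive."""
    if not csp.strip():
        return ["csp-missing"]
    policy = parse_csp(csp)
    # script-src falls back to default-src when absent, as the browser does.
    script = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if "'unsafe-inline'" in script:
        findings.append("csp-unsafe-inline")
    if "'unsafe-eval'" in script:
        findings.append("csp-unsafe-eval")
    if "*" in script:
        findings.append("csp-wildcard-script")
    return findings


def audit_hsts(value):
    """Check max-age of at least one year, includeSubDomains and preload."""
    if not value.strip():
        return ["hsts-missing"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < HSTS_ONE_YEAR:
        findings.append("hsts-max-age-short")
    if "includesubdomains" not in directives:
        findings.append("hsts-no-includesubdomains")
    if "preload" not in directives:
        findings.append("hsts-no-preload")
    return findings


def audit_headers(headers):
    """Run every check over one response's headers; returns {check: [findings]}."""
    h = {k.lower(): v for k, v in headers.items()}
    report = {"csp": audit_csp(h.get("content-security-policy", "")),
              "hsts": audit_hsts(h.get("strict-transport-security", "")),
              "isolation": [], "permissions": [], "referrer": [], "fingerprint": []}
    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    coep = h.get("cross-origin-embedder-policy", "").strip().lower()
    if coop not in ("same-origin", "same-origin-allow-popups"):
        report["isolation"].append("coop-weak")
    if coep not in ("require-corp", "credentialless"):
        report["isolation"].append("coep-weak")
    # Permissions-Policy: the three features must be declared and not "*".
    allowed = {}
    for feature in h.get("permissions-policy", "").split(","):
        name, _, allowlist = feature.strip().partition("=")
        allowed[name.strip().lower()] = allowlist.strip()
    for feature in ("camera", "microphone", "geolocation"):
        if allowed.get(feature) in (None, "*"):
            report["permissions"].append(f"permissions-{feature}-unrestricted")
    # Referrer-Policy: these two values send the full URL to other origins.
    referrer = h.get("referrer-policy", "").strip().lower()
    if not referrer:
        report["referrer"].append("referrer-policy-missing")
    elif referrer in ("unsafe-url", "no-referrer-when-downgrade"):
        report["referrer"].append("referrer-leaks-url")
    # Anti-fingerprinting: a digit in Server / X-Powered-By is a version leak.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            report["fingerprint"].append(f"version-leak-{name}")
    return report


def finding_count(report):
    return sum(len(v) for v in report.values())


# Constructed samples: a weak configuration next to a hardened one.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example",
    "Strict-Transport-Security": "max-age=86400",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "geolocation=*",
    "Server": "nginx/1.18.0",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Server": "nginx",
}
```

Run `audit_headers(WEAK_HEADERS)` and `audit_headers(HARDENED_HEADERS)` side by side; the first reports twelve findings across every category, the second none.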
03 Application Logic
SRI Integrity: External scripts must have integrity hashes.
Vulnerable JS: Cross-references libraries with the OSV.dev CVE database.
CORS Analysis: Flags dangerous wildcard origins with credentials.
Cookie Security: Requires HttpOnly, Secure, and SameSite attributes.
Meta Tag Audit: Checks for Meta-CSP and conflicts.
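The SRI, CORS and cookie checks above, as an added example that is not the scanner's own code: it parses Set-Cookie values for HttpOnly/Secure/SameSite, flags a credentialed CORS response with a wildcard origin, and walks the rendered DOM for external scripts without an integrity hash. It goes beyond the spec in two places: a cookie with SameSite=None but no Secure is flagged (browsers reject that combination), and a CORS response that simply reflects the probing Origin is also flagged (the probe origin is an assumed parameter, `probe_origin`). The cookie strings, header sets and HTML are constructed; the integrity digest is a placeholder.

```python
# Added example (not the scanner's own code): Set-Cookie, CORS and SRI checks
# for the "Application Logic" items. All inputs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit


def audit_cookie(set_cookie):
    """Return the weak or missing attributes of one Set-Cookie header value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings


def audit_cookies(values):
    """Audit every Set-Cookie header of a response."""
    return [f for v in values for f in audit_cookie(v)]


def audit_cors(headers, probe_origin="https://probe.example"):
    """Flag credentialed CORS with a wildcard origin, or one that reflects the
    Origin the scanner sent (assumed to be probe_origin)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("access-control-allow-origin", "")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if not credentials:
        return []
    if origin == "*":
        return ["cors: wildcard origin with credentials"]
    if origin == probe_origin:
        return ["cors: reflected origin with credentials"]
    return []


class ScriptTags(HTMLParser):
    """Collect the attributes of every <script> tag in the rendered DOM."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_sri(html, page_url):
    """External scripts must carry an integrity hash, and crossorigin so the
    browser can actually verify it."""
    parser = ScriptTags()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc
    findings = []
    for tag in parser.scripts:
        src = tag.get("src") or ""
        host = urlsplit(src).netloc
        if not host or host == page_host:
            continue  # same-origin script: not covered by this check
        integrity = tag.get("integrity") or ""
        if not integrity.startswith(("sha256-", "sha384-", "sha512-")):
            findings.append(f"sri: no integrity on {src}")
        elif "crossorigin" not in tag:
            findings.append(f"sri: integrity without crossorigin on {src}")
    return findings


# Constructed samples.
SAMPLE_COOKIES = [
    "session=0123abcd; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]
WEAK_CORS = {"Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Credentials": "true"}
SAFE_CORS = {"Access-Control-Allow-Origin": "https://app.example",
             "Access-Control-Allow-Credentials": "true"}
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example/legacy.js"></script>
"""

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_COOKIES))
    print(audit_cors(WEAK_CORS), audit_cors(SAFE_CORS))
    print(audit_sri(SAMPLE_HTML, "https://app.example/"))
```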