
Website security audits
your team can act on.

SurfaceAudit scans your public-facing site for TLS, headers, DNS, cookies, exposed paths, and CSP — then turns the results into a clear grade, prioritized fixes, and change alerts.

Enter a URL. No install, DNS change, or credit card required.

175+ security checks per scan
A–F scored and graded
6 check categories
Free to start, no card

Deploys, DNS updates, certificate renewals, header changes, and CSP edits can weaken your security posture without anyone noticing. SurfaceAudit gives your team a baseline, explains what needs attention, and keeps watching for regressions.

Grade C · 61 / 100
yourdomain.com · scanned just now
3 failing · 4 warnings · 89 passing

HSTS header missing (HIGH)
Why it matters: Browsers may connect over insecure HTTP before upgrading.
How to fix: Add Strict-Transport-Security with max-age=31536000.

CSP: missing default-src (HIGH)
Why it matters: Without a fallback, CSP provides no protection against injected scripts.
How to fix: Add default-src 'self' as your CSP baseline.
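As an added illustration of how the two sample findings above are derived from a site's response headers (constructed example, not SurfaceAudit's own code), the check below parses Strict-Transport-Security and Content-Security-Policy from a header dict and emits severity-ranked findings with a fix per finding; the extra max-age and unsafe-inline checks, and their MEDIUM severities, are assumptions.

```python
"""Constructed example (not SurfaceAudit's code) of the HSTS and CSP checks
behind the sample findings above, run over a dict of response headers."""
import re

ONE_YEAR = 31536000  # HSTS max-age recommended in the sample finding

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(headers):
    """Return (check, severity, how_to_fix) tuples; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("HSTS header missing", "HIGH",
                         f"Add Strict-Transport-Security with max-age={ONE_YEAR}."))
    else:  # header present: check the max-age is at least one year
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if (int(m.group(1)) if m else 0) < ONE_YEAR:
            findings.append(("HSTS max-age below one year", "MEDIUM",
                             f"Raise max-age to at least {ONE_YEAR}."))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("CSP header missing", "HIGH",
                         "Add a Content-Security-Policy header with default-src 'self'."))
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:  # no fallback for unlisted fetch directives
            findings.append(("CSP: missing default-src", "HIGH",
                             "Add default-src 'self' as your CSP baseline."))
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:  # risky directive, as listed in the CSP category
            findings.append(("CSP allows unsafe-inline scripts", "MEDIUM",
                             "Replace 'unsafe-inline' with nonces or hashes."))
    return findings

# Constructed response headers: no HSTS, and a CSP with no default-src fallback.
SAMPLE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; img-src *",
}
for check, severity, fix in check_headers(SAMPLE):
    print(f"{check} [{severity}] -> {fix}")
```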
HOW IT WORKS

Start with a URL. Get a security baseline in minutes.

No install. No DNS change. No agent to maintain.

01
Enter your URL
Paste any public-facing domain. No agent, install, or DNS change required. We start scanning immediately.
Any public-facing domain
Production or staging URLs
Multiple sites per account
No DNS change required
No agent to install
Scan starts immediately
02
SurfaceAudit scans your site
175+ security checks across TLS, security headers, DNS records, cookies, exposed paths, and CSP — on demand or on your schedule.
TLS & certificate checks
HTTP security headers
DNS record validation
Cookie security flags
Exposed paths & files
Content Security Policy
03
Review prioritized findings
Every finding includes severity, plain-English context, and remediation guidance. Work top-to-bottom — no security background needed.
Severity-ranked — worst issues first
Plain-English explanation per finding
Exact remediation steps provided
Re-scan anytime to verify fixes
A–F grade updates as you fix
Export findings as a PDF report
04
Keep watching for changes
Get alerted when your security posture changes across deploys or configuration updates. Know before your customers do.
Cert expiring in 12d · alert sent
HSTS header disappeared · 2h ago
Grade improved: C → B
Weekly digest every Monday
Slack & email alert channels
DNS record changed · flagged
WHAT EVERY SCAN CHECKS

Six categories. Automatic coverage, no config required.

Every scan runs all checks. Nothing is optional, nothing is missed.

TLS & Certificates 20+ checks
Certificate validity & expiry
TLS 1.0 / 1.1 exposure
HSTS preload status
Weak cipher detection
Security Headers 15+ checks
HSTS max-age & subdomains
X-Frame-Options
Referrer-Policy
Permissions-Policy
DNS Records 8+ checks
SPF record presence & validity
DMARC policy enforcement
CAA record configuration
Zone transfer exposure
Cookies 3+ checks
Secure flag on session cookies
HttpOnly enforcement
SameSite attribute
Exposed Paths 35+ checks
Admin panel reachability
.env & config file exposure
Directory listing enabled
Backup file detection
Content Security Policy 35+ checks
CSP header presence
Risky directives (unsafe-inline)
Missing default-src fallback
Improvement recommendations

Clear findings, not raw scanner noise.

Every scan produces a full report with everything you need to understand and improve your security posture.

01
A security grade
See your current posture at a glance with a letter grade and score. Track improvement over time as you work through findings.
02
Severity-ranked issues
Work from the highest-impact findings first. No guessing what to fix: critical issues surface at the top.
03
Plain-English remediation
Every finding explains what is wrong, why it matters, and exactly how to fix it. No security background required.
04
Change history & alerts
See exactly when something that was passing starts failing. Get alerted before your customers notice, across deploys, DNS changes, and certificate events.
05
Shareable reports
Export a clean PDF snapshot for clients, stakeholders, or your own team. White-label with your own branding on agency plans.

Know where you stand.
Fix what matters.

One URL. No install. Results in under a minute.

No credit card required.