Security Checks

Skavio runs 49+ passive checks across 8 categories. All checks are read-only — we never send attack payloads or modify anything on your server.

Security Headers

Analyzes HTTP response headers that protect against common browser-based attacks.

  • Content-Security-Policy (CSP) — presence and policy strength
  • Strict-Transport-Security (HSTS) — max-age and includeSubDomains
  • X-Frame-Options — clickjacking protection
  • X-Content-Type-Options — MIME sniffing prevention
  • Referrer-Policy — referrer data leakage
  • Permissions-Policy — browser feature restrictions
  • Cross-Origin-Opener-Policy (COOP)
  • Cross-Origin-Embedder-Policy (COEP)
  • Cross-Origin-Resource-Policy (CORP)

SSL / TLS

Verifies your HTTPS configuration and certificate health.

  • SSL certificate validity and expiry date
  • HTTP → HTTPS redirect enforcement
  • HSTS preload eligibility
  • Mixed content detection (HTTP resources on HTTPS pages)
  • TLS version compatibility

Exposed Secrets

Scans HTML and JavaScript bundles for accidentally leaked credentials.

  • Stripe live and test API keys
  • Google API keys
  • AWS access key IDs (AKIA...)
  • GitHub personal access tokens (ghp_, ghs_)
  • Supabase JWT secrets
  • Firebase configuration objects
  • Generic api_key and password patterns in source
  • Scans up to 5 JS bundle files per site

CORS Configuration

Identifies overly permissive cross-origin resource sharing policies.

  • Access-Control-Allow-Origin: * (wildcard) detection
  • Credentials allowed with wildcard origin
  • Overly broad allowed methods
  • Exposed sensitive headers

Cookie Security

Checks session and tracking cookies for missing security flags.

  • HttpOnly flag — prevents JS access to cookies
  • Secure flag — cookies only sent over HTTPS
  • SameSite attribute — CSRF protection
  • Session cookie exposure over HTTP
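A passive audit of the kind described under Security Headers and Cookie Security, written as an added Python example (not Skavio's own code). The response headers are constructed for illustration, and the one-year `max-age` threshold is the HSTS preload list requirement.

```python
# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

# Headers whose absence is reported as a finding.
REQUIRED_HEADERS = {
    "content-security-policy": "CSP missing",
    "x-frame-options": "X-Frame-Options missing (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing (MIME sniffing)",
    "referrer-policy": "Referrer-Policy missing",
    "permissions-policy": "Permissions-Policy missing",
}
ONE_YEAR = 31536000  # minimum HSTS max-age for preload eligibility


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, subs = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif d.lower() == "includesubdomains":
            subs = True
    return max_age, subs


def check_cookie(set_cookie):
    """Report missing HttpOnly / Secure / SameSite on one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name}: missing {flag}"
            for key, flag in (("httponly", "HttpOnly"), ("secure", "Secure"),
                              ("samesite", "SameSite")) if key not in attrs]


def audit(headers):
    """Read-only audit of (name, value) response headers; returns findings."""
    present = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in present]
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, subs = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}); preload needs >= {ONE_YEAR}")
        if not subs:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:
        if n.lower() == "set-cookie":
            findings.extend(check_cookie(v))
    return findings
```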

Information Disclosure

Probes for sensitive files and paths that should not be publicly accessible.

  • .env file exposure
  • .git/config and git repository exposure
  • phpinfo() output pages
  • server-status and server-info pages
  • wp-config.php (WordPress)
  • Web server version leakage in headers
  • X-Powered-By header disclosure
  • security.txt presence (good practice check)

Email Security

Validates DNS records that prevent email spoofing and phishing.

  • SPF record presence and policy strength
  • DMARC record presence, policy, and enforcement level
  • DKIM selector detection
  • MTA-STS policy
  • BIMI record

Infrastructure & DNS

Discovers subdomains and checks for misconfigurations at the DNS level.

  • Subdomain enumeration via Certificate Transparency logs (crt.sh)
  • Subdomain takeover risk detection (dangling CNAME to deprovisioned services)
  • CAA records — certificate authority restrictions
  • DNSSEC validation
  • IPv6 (AAAA record) presence
  • Wildcard DNS detection
