The weak spots we find most often
These are the security, email, accessibility and SEO issues we look for and find most across public websites. The same checks a pentester runs first. Your site probably has a few of them. Find out for free.
No account needed. We only scan your public homepage · see everything we check
recurring issue types on this page, from a leaking version banner to a missing anti-spoofing record.
Straight from our real check catalogue.
The issues almost every site gets wrong.
Ranked by how often we see them. Most are a one-line fix, and each one is a door left ajar until it is closed.
-
Security serious
Missing HSTS header
Strict-Transport-Security forces browsers to always reach the site over HTTPS, which protects against downgrade attacks.
-
Security moderate
Missing Content-Security-Policy
A CSP is an important defence layer against cross-site scripting (XSS).
-
Security minor
Missing Referrer-Policy
A Referrer-Policy limits which URL information leaks to other sites when visitors follow links.
-
Security minor
Missing Permissions-Policy
A Permissions-Policy limits which browser features (camera, microphone, geolocation) the page and embedded frames may use.
-
Email security moderate
Weak DMARC policy
With p=none spoofed mail is reported but not blocked.
-
Security minor
Version in Server header
A Server header with a version number makes it easier for attackers to look up known vulnerabilities.
-
Accessibility moderate
Images without alt text
Images need an alt attribute so blind and low-vision visitors get the content (WCAG 1.1.1). An empty alt="" is fine for decoration.
-
SEO moderate
Missing meta description
The meta description is the snippet under your link in search results; without one the search engine picks its own.
The ones worth fixing this week.
Higher-impact findings: an expired or invalid certificate, no HTTPS, or a domain anyone can spoof email from. These are the ones an attacker looks for first.
-
Security serious
No HTTPS
Without HTTPS all traffic is readable and modifiable in transit.
-
Security critical
Invalid TLS certificate
A certificate that is expired, self-signed or issued for a different hostname makes browsers block the site with a security warning.
-
Security serious
TLS certificate expiring soon
An expired certificate makes browsers show a full-page security warning and blocks every visitor until it is renewed.
-
Email security serious
Missing SPF record
SPF tells receiving mail servers which servers may send on behalf of your domain; without SPF anyone can spoof your domain.
-
Email security serious
Missing DMARC record
DMARC decides what receivers do with mail that fails SPF/DKIM, and gives you reports about abuse.
-
Security serious
Missing HSTS header
Strict-Transport-Security forces browsers to always reach the site over HTTPS, which protects against downgrade attacks.
Aggregate, anonymized, never a single site named.
Counts only, no sites
We only ever count how many scans raised a given check. No site, URL or scan result is ever shown here, and a finding is only listed once it appears across enough different sites to stay anonymous.
Your data stays put
All scan results live on our own private server in the Netherlands. No third-party analytics, no tracking, and we never sell data. See our privacy & data page.
The same checks you get
Every issue above is a real check from our catalogue, described exactly as it would appear in your own report. See every check we run →
See which of these are on your site.
A free scan checks your homepage against this whole catalogue in under a minute. No account needed. Verify your domains and Radar keeps watching them every month.