Website security audit

Passive website risk scanning for teams that need clear, fixable findings.

OsintNET Website Risk Scanner checks the public security posture of websites you own: HTTPS, TLS, browser security headers, cookies, CORS, mail authentication, sensitive file exposure and CMS risk signals.

Investigation coverage

Designed for analysts who need clear signals, not scattered tabs.

Passive by design

The scanner avoids exploitation, brute force and aggressive probing. It focuses on public configuration signals that website owners can safely review.

Clear remediation

Every finding explains what was observed, why it matters and what should be changed in practical language.

Browser security posture

Review missing or weak headers that affect XSS impact, clickjacking, MIME sniffing, feature permissions and referrer leakage.

Exposure mistakes

Detect common public files that should never be reachable from the web root, including environment files, backup archives and database dumps.

Mail and DNS security

Check SPF, DMARC, CAA, MX and DNSSEC signals so domain owners can reduce spoofing and certificate issuance risk.

Evidence-ready reporting

Export a polished PDF-style report for management or institutions, Markdown for AI review and JSON for automation.

FAQ

Common questions

What is a website security audit?

A website security audit reviews public website configuration such as HTTPS, TLS certificates, security headers, cookies, CORS, DNS mail security and accidental exposure of sensitive files.

Is OsintNET Website Risk Scanner a penetration testing tool?

No. It is a passive and low-risk audit tool. It does not exploit vulnerabilities, brute-force credentials, attack login forms or run aggressive port scans.

Which findings should be fixed first?

Start with critical and high findings such as missing HTTPS, exposed .env or database backup files, permissive CORS with credentials, weak mail authentication and missing core browser security headers.
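As an added illustration of the passive, header-only checks this answer prioritises (example code written for this page, not OsintNET's own scanner), the Python below derives severity-ranked findings from a constructed HTTP response; the sample site, header values and severity labels are assumptions.

```python
def cookie_findings(set_cookie: str) -> list[str]:
    """Flag a Set-Cookie value lacking the Secure or HttpOnly attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}" for flag in ("Secure", "HttpOnly")
            if flag.lower() not in attrs]

def check_response(headers: list[tuple[str, str]], request_origin: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs from raw response header pairs only.
    request_origin is the Origin the request carried, used to spot reflection."""
    h = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    out = []
    # CORS: "*" or a reflected origin combined with credentials=true is the
    # dangerous shape (browsers accept the reflected form with credentials).
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if creds and acao and acao in ("*", request_origin):
        out.append(("high", "permissive CORS with credentials"))
    # Core browser security headers named on the page
    if "strict-transport-security" not in h:
        out.append(("high", "missing Strict-Transport-Security"))
    csp = h.get("content-security-policy", "")
    if not csp:
        out.append(("medium", "missing Content-Security-Policy"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        out.append(("medium", "no clickjacking protection"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("low", "missing X-Content-Type-Options: nosniff"))
    if "referrer-policy" not in h:
        out.append(("low", "missing Referrer-Policy"))
    # Each Set-Cookie is checked separately; the header may repeat
    for k, v in headers:
        if k.lower() == "set-cookie":
            out.extend(("medium", msg) for msg in cookie_findings(v))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda f: order[f[0]])  # fix highest severity first

# Constructed sample response for a hypothetical site, not a real capture
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Access-Control-Allow-Origin", "https://third-party.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for sev, msg in check_response(SAMPLE_HEADERS, "https://third-party.example"):
        print(f"[{sev}] {msg}")
```

Only response headers are inspected, so the check stays passive in the sense the page describes; no request is sent beyond the one that produced the capture.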

Can I use it for client or company websites?

Use it only for websites you own or are authorized to assess. The scanner blocks localhost, internal hosts, private IP ranges and non-standard web ports for safety.

Start investigation

Use OsintNET to convert public signals into structured evidence.

Pick the module that matches your target and keep each clue connected to its source, confidence and investigation context.