Free tools
Security testing tools, free and passive.
TLS, headers, CORS, cookies, email auth, DNS, network exposure and 30+ more. Results in 60 seconds. No signup required, no payloads sent.
Tool catalog
Pick the check closest to your question.
Complete Security Scan
Complete website security analysis with comprehensive vulnerability detection.
Pre-Pentest Security Scan
Passive scan that catches the misconfigurations a pentester finds first. Use it before a manual engagement to clear the easy issues.
Security Compliance Checker
Check compliance with PCI DSS, HIPAA, SOC 2, ISO 27001, and GDPR. Get compliance readiness reports.
WAF Checker
Detect Web Application Firewall presence through passive header analysis. Identify WAF/CDN providers.
Security Headers Test
Check your website's HTTP security headers configuration.
TLS/SSL Security Checker
Validate your SSL/TLS configuration and certificate setup.
Content Security Policy (CSP) Checker
Analyze your CSP for unsafe directives and strengthen your policy with best practices.
CORS Policy Checker
Validate Access-Control headers, credentials safety, and simulate preflight requests.
Cookie Security Checker
Audit HttpOnly, Secure, SameSite and Partitioned cookie attributes for safety.
Email Security Test
Verify your email domain security configuration.
Network Security Test
Scan for open ports, subdomain takeover risks, and DNS security.
HTTPS & HSTS Checker
Verify HTTPS redirects, HSTS policy and readiness for preload.
XSS Protection Checker
Check X-Content-Type-Options, CSP against XSS, and Trusted Types readiness.
Clickjacking Protection Checker
Test X-Frame-Options and CSP frame-ancestors to prevent UI redress attacks.
Certificate Expiry Checker
Check SSL/TLS certificate expiry and chain validity to avoid outages.
DNS Security Check
Evaluate DNSSEC, CAA records, wildcard configuration and common DNS risks.
Subdomain Takeover Checker
Identify orphaned DNS records and provider fingerprints that allow takeovers.
Referrer Policy Checker
Validate Referrer-Policy and apply privacy-preserving safe defaults.
Permissions-Policy Checker
Review Permissions-Policy to control powerful web features and reduce risk.
Server Information Disclosure Checker
Detect exposed Server and X-Powered-By headers leaking technology versions.
Open Ports Scan
Run a passive, non-intrusive scan for common open ports on your domain.
Mixed Content Checker
Detect HTTP resources on HTTPS pages and validate browser compatibility.
COOP Header Checker
Check Cross-Origin-Opener-Policy for cross-window isolation and security.
COEP Header Checker
Validate Cross-Origin-Embedder-Policy configuration and embedding rules.
Cross-Origin Isolation Checker
Test COOP/COEP/CORP alignment and readiness for cross-origin isolation.
X-Content-Type-Options Checker
Detect nosniff protection and prevent dangerous MIME type sniffing.
CSRF Protection Checker
Check presence of anti-CSRF tokens and complementary SameSite strategy.
Vulnerable JavaScript Libraries Scanner
Scan for known vulnerable JS libraries and versions.
Frame Security Policy Checker
Validate frame-ancestors and embedding restrictions to prevent clickjacking.
X-XSS-Protection Header Checker
Identify deprecated X-XSS-Protection usage and adopt modern mitigations.
Content-Type Header Checker
Validate Content-Type header presence, charset, and correct MIME usage.
OCSP Stapling Checker
Validate OCSP stapling configuration for optimal SSL/TLS performance.
CAA Records Checker
Validate Certificate Authority Authorization records for domain security.
Cipher Suite Analysis
Analyze SSL/TLS cipher suite configuration and strength.
Want all of these against your live app, continuously?
A free Barrion account runs the same checks on a schedule, tracks the score over time, and exports audit-ready PDFs.