
Website Vulnerability Scanner — Light

The dnsverifier.com Vulnerability Scanner (Light) performs a passive security check against a website: HTTP security headers, Content-Security-Policy correctness, cookie flags, mixed content, server / tech fingerprinting, sensitive file exposure (.env, .git/config, .DS_Store), OpenAPI / Swagger discovery, robots.txt and security.txt, HTTP TRACE enablement, directory listing, and body-content patterns (PEM keys, stack traces, session tokens in URLs, leaky HTML comments). Each finding is mapped to a CWE entry and an OWASP Top 10 category, and results stream live as each probe completes.
Authorized use only. Only scan domains you own or have written permission to test. The scanner refuses RFC 1918, loopback, CGNAT, and cloud-metadata addresses. See the Acceptable Use Policy for the full rules.

Frequently asked questions

What's the difference between Light and Deep scan?
Light scan is passive in the sense that it injects no payloads: it requests a small number of well-known paths (robots.txt, security.txt, sitemap.xml, .env, .git/config), then parses the response headers and body and analyzes them for misconfiguration. Deep scan (not offered here) would actively test for SQL injection, XSS, command injection, LFI/RFI, etc., which requires explicit owner authorization.
Which OWASP Top 10 categories does the Light scan cover?
Primarily A02 (Cryptographic Failures: HTTPS, HSTS, mixed content), A05 (Security Misconfiguration: headers, CSP, cookies, .env exposure, TRACE), A04 (Insecure Design: stack traces; note that OWASP's own A05 description also lists verbose error messages and stack traces), A01 (Broken Access Control hints: directory listing), and A06 / A07 (component disclosure, session tokens in URLs). A03 (Injection: SQLi / XSS / RCE) requires a Deep scan with payload injection.
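As an added example (not dnsverifier.com's code), here is a passive header and cookie analysis of the kind the Light scan performs, run over two constructed HTTP responses, one weak and one hardened. The check names, the CWE ids and the OWASP categories in the table are my choices for illustration; the scanner's own mapping may differ.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str    # short identifier for the check that fired
    cwe: str      # CWE id this finding is mapped to
    owasp: str    # OWASP Top 10 (2021) category
    detail: str


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d29yZA'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) pairs with lowercased names.
    A list rather than a dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def values(pairs, name):
    return [v for n, v in pairs if n == name]


def csp_directives(policy: str) -> dict[str, list[str]]:
    """'default-src x; script-src y z' -> {'default-src': ['x'], 'script-src': ['y', 'z']}"""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def analyze(raw: str, https: bool = True) -> list[Finding]:
    pairs = parse_headers(raw)
    f = []

    if https and not values(pairs, "strict-transport-security"):
        f.append(Finding("hsts-missing", "CWE-319", "A02", "no Strict-Transport-Security header"))

    csp = values(pairs, "content-security-policy")
    directives = csp_directives(csp[0]) if csp else {}
    if not csp:
        f.append(Finding("csp-missing", "CWE-693", "A05", "no Content-Security-Policy header"))
    else:
        # script-src falls back to default-src; browsers ignore 'unsafe-inline' once a
        # nonce or hash is present, so only flag it when neither is there.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src:
            f.append(Finding("csp-weak", "CWE-693", "A05", "no script-src and no default-src"))
        elif "'unsafe-inline'" in script_src and not any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src
        ):
            f.append(Finding("csp-weak", "CWE-693", "A05", "script-src allows 'unsafe-inline' without a nonce or hash"))

    if "frame-ancestors" not in directives and not values(pairs, "x-frame-options"):
        f.append(Finding("framing-unrestricted", "CWE-1021", "A05", "neither frame-ancestors nor X-Frame-Options"))

    if "nosniff" not in [v.lower() for v in values(pairs, "x-content-type-options")]:
        f.append(Finding("nosniff-missing", "CWE-693", "A05", "no X-Content-Type-Options: nosniff"))

    for cookie in values(pairs, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            f.append(Finding("cookie-no-secure", "CWE-614", "A05", f"cookie {name} lacks Secure"))
        if "httponly" not in attrs:
            f.append(Finding("cookie-no-httponly", "CWE-1004", "A05", f"cookie {name} lacks HttpOnly"))

    for server in values(pairs, "server"):
        if re.search(r"\d+\.\d+", server):          # a version number in the Server banner
            f.append(Finding("server-version", "CWE-200", "A06", f"Server header discloses a version: {server}"))

    return f
```

Running `analyze(WEAK_RESPONSE)` yields seven findings (missing HSTS, a CSP that allows inline scripts, missing nosniff, two cookies without Secure, one without HttpOnly, and a versioned Server banner); `analyze(HARDENED_RESPONSE)` yields none. Flagging HttpOnly on every cookie is deliberately noisy; a production scanner would weight it by whether the cookie name looks like a session identifier.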
Is this scanner safe to run against my production site?
Yes. The Light scan is request-only and read-only: it sends roughly 20-30 HTTP GET / HEAD / OPTIONS requests over about 30-60 seconds. Response bodies are capped at 512KB, the request timeout is 8 seconds, and at most 5 redirects are followed. No payloads are injected and no parameters are fuzzed. The probes for paths such as .env and .git/config will still appear in your access logs and may trip a WAF rule, so tell whoever watches those before you run it.
Why was my target rejected as 'non-routable'?
The scanner refuses to scan private IPs (RFC 1918), loopback, link-local, CGNAT (100.64.0.0/10), cloud-metadata addresses (169.254.169.254), and IPv6 ULA / loopback. The hostname at each redirect hop is resolved and checked too, so a public hostname that redirects into private space is also blocked.
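An added example, not the scanner's own code, of how such a target check can be written with Python's ipaddress module: every hop of the redirect chain is resolved and rejected if any answer falls in a non-routable range, and the 5-redirect cap from the previous answer is enforced. The DNS answers and the redirect table are constructed so the example runs offline. Treating IPv4-mapped IPv6 literals (::ffff:10.0.0.1) as their embedded IPv4 address is my addition; the FAQ does not say whether the scanner does this.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Ranges the check refuses. Assumption: my reading of the FAQ, not the scanner's own list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local, incl. 169.254.169.254
    "100.64.0.0/10",                                  # CGNAT
    "::1/128",                                        # IPv6 loopback
    "fc00::/7",                                       # IPv6 ULA
    "fe80::/10",                                      # IPv6 link-local
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 is checked as the embedded
    # IPv4 address, so it cannot slip past the IPv4 ranges above.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def vet_target(url: str,
               resolve: Callable[[str], List[str]],
               next_location: Callable[[str], Optional[str]],
               max_redirects: int = 5) -> Tuple[bool, str]:
    """Walk the redirect chain; every hop must resolve only to routable addresses.
    resolve(host) returns all A/AAAA answers; next_location(url) returns the
    Location header of the response for url, or None when it is not a redirect."""
    for hop in range(max_redirects + 1):
        host = urlsplit(url).hostname
        if not host:
            return False, f"{url}: no hostname"
        try:
            addrs = [str(ipaddress.ip_address(host))]   # IP literal in the URL
        except ValueError:
            addrs = resolve(host)
        if not addrs:
            return False, f"{host}: does not resolve"
        # Any non-routable answer rejects the host; a mixed public/private answer set
        # is exactly the shape a round-robin or DNS-rebinding trick would produce.
        bad = [a for a in addrs if is_blocked(a)]
        if bad:
            return False, f"hop {hop}: {host} resolves to non-routable {bad[0]}"
        location = next_location(url)
        if location is None:
            return True, f"{url}: reachable after {hop} redirect(s)"
        url = urljoin(url, location)       # relative Location headers are resolved
    return False, f"more than {max_redirects} redirects"


# Constructed DNS answers and redirect table (no real hosts), so the example runs offline.
FAKE_DNS = {
    "example.test": ["203.0.113.10"],
    "redir.example.test": ["203.0.113.30"],
    "mixed.example.test": ["203.0.113.20", "10.1.2.3"],
    "loop.example.test": ["203.0.113.40"],
}
FAKE_REDIRECTS = {
    "https://redir.example.test/": "http://169.254.169.254/latest/meta-data/",
    "https://loop.example.test/": "/again",
    "https://loop.example.test/again": "/again",
}


def vet(url: str) -> Tuple[bool, str]:
    """Convenience wrapper binding vet_target to the constructed tables."""
    return vet_target(url, lambda h: FAKE_DNS.get(h, []), FAKE_REDIRECTS.get)
```

With these tables, `vet("https://example.test/")` is allowed, `vet("https://redir.example.test/")` is rejected at hop 1 because the public host redirects to the metadata address, `vet("https://mixed.example.test/")` is rejected because one of its two answers is RFC 1918, and the self-redirecting `loop.example.test` is cut off after 5 redirects. In a real scanner the `resolve` callable would be a DNS lookup and `next_location` would issue the request with the same size and timeout limits the FAQ describes.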
How does this compare to Pentest-Tools, Detectify, or Acunetix?
It's a free, smaller-scope cousin of those tools' free scan tier. Commercial scanners run dozens to hundreds of active probes (SQLi/XSS) and require account verification of domain ownership. dnsverifier.com's Light scan does the passive subset that doesn't need active testing — useful for engineers debugging headers, finding misconfigurations, and quick triage before paid scans.
What is CWE and OWASP Top 10?
CWE (Common Weakness Enumeration) is MITRE's catalog of software weakness types — e.g. CWE-693 (Protection Mechanism Failure) for missing security headers. OWASP Top 10 is the Open Worldwide Application Security Project's ranking of the most critical web application risks, updated every few years. Each finding here is mapped to the relevant CWE and OWASP category.