What's actually wrong with your website?
Most scanners only check what your server says it does. We open your site in a real browser and watch what actually happens. JavaScript errors. Broken hydration. CSP violations. Mixed-content. Network failures. Plus all the usual hardening checks. One 0-100 score. Plain-English fixes.
Free preview — top 3 issues plus your Health Score. No signup, no install.
What we look for
We don't just check what your server claims. We open your site in a real Chromium and watch what actually breaks.
Live JavaScript errors
Why it matters: Your visitors see a half-loaded page. Search and forms silently break. Static probes can't see this — only a real browser can.
What we check: Uncaught page errors, unhandled promise rejections, console.error spam during initial load.
Hydration mismatches
Why it matters: React/Next.js/Vue/Nuxt sites can render server HTML that doesn't match the client tree. Users see flicker or a blank UI for seconds before interactivity arrives.
What we check: Console output captured by a real Chromium, searched for hydration, SSR-mismatch, and minified React error markers.
Broken or blocked network resources
Why it matters: A 404 on a critical script kills features silently. A blocked CDN call breaks search or checkout. Real users feel it; uptime monitors don't.
What we check: Every script, image, font, stylesheet, and fetch() call that fires during page load, flagged on a failing status or on a DNS, connection-refused, or timeout failure.
Content Security Policy violations
Why it matters: A live browser blocked your own scripts or third-party assets. Either your CSP is too strict for your own code, or an analytics provider is breaking.
What we check: Every CSP report-uri-style violation reported during the page session.
Mixed content (HTTPS+HTTP)
Why it matters: Modern browsers refuse to load HTTP assets from an HTTPS page. Images vanish, scripts fail, the lock icon disappears.
What we check: Every HTTP asset URL embedded in your HTTPS page.
Security headers missing
Why it matters: Modern browsers stop XSS, clickjacking, and cookie theft — but only if your site asks them to. Most don't.
What we check: CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
HTTPS / TLS misconfiguration
Why it matters: Wrong cert, expired cert, weak protocol — browsers show a warning page and visitors bounce immediately.
What we check: Cert chain validity, modern TLS support, mixed-content surface, HSTS preload eligibility.
Cookie hardening missing
Why it matters: Session cookies without Secure / HttpOnly / SameSite are a session-takeover vector for any XSS or CSRF that lands.
What we check: Every Set-Cookie header captured during the scan — flagged for missing protections.
Cluster-first, noise-last
A typical site scan returns 800-1000 raw findings — mostly the same root cause repeated across pages. We collapse them into ~20 root-cause clusters ranked highest-signal first, score the site 0-100, and tell you the three things that move the needle most. The other 977 findings are the same fix repeated — you shouldn't pay (in attention or money) for noise.
Honest pricing
Pay per scan. No subscription required for the one-shot.
Free Preview
- Top 3 highest-signal issues
- Health Score (0-100) + letter grade
- Plain-English summary
- Best for: deciding whether to dig deeper
Quick Scan
- Full scan — every clustered issue
- Per-cluster fix instructions
- Live browser runtime capture
- Health Score + per-rule deductions
- Best for: post-deploy, post-redesign, quarterly audits
Continuous
- Scan on every push (if GitHub-connected)
- Weekly scheduled scan
- Email alert on score regression
- Best for: production sites with real revenue
Ready when you are.
Same engine as the developer GateTest CLI — 90+ static checks plus live headless-browser runtime capture.