GuardPad - Security Scanner

Scan any URL and get an instant A+ to F security grade with actionable fixes for your web server.

GuardPad analyzes 11 HTTP security headers, SSL/TLS certificates, cookies, email security (SPF/DMARC/DKIM), DNSSEC, CAA records, and redirect chains — then adapts your grade to your site type. A blog isn't held to the same standard as a banking app.

NEW: DNS-only fallback — when a web server is unreachable, GuardPad automatically analyzes DNS records and delivers a partial security grade. Mail-only domains, temporarily down sites, and non-HTTP services all get useful results instead of a dead-end error.

Context-sensitive grading, email authentication analysis, OWASP Top 10:2025 compliance mapping, Trusted Types CSP detection, cookie analysis, CSP depth scoring, cross-origin isolation grading, and smart recommendations ordered by relevance to your site type.

Try every feature free for 3 days. No account required. No data collected.

FREE FEATURES:
• DNS-only fallback — get security grades even when web servers are unreachable
• Context-sensitive grading — grades tuned to 5 site types (static, SPA, API, CMS, generic)
• Grade explanations — see exactly why your site type got that score
• Analyze 11 security headers (HSTS, CSP, COOP, COEP, CORP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Server)
• Email security analysis — SPF, DMARC, and DKIM graded with detailed findings
• Cookie security analysis (Secure, HttpOnly, SameSite, __Host- prefix)
• MX record quality analysis with null MX and bare IP detection
• CSP depth analysis (nonce, strict-dynamic, Trusted Types detection, Report-Only flagging)
• SSL/TLS certificate inspection with cipher suite details
• Redirect chain visualization with quality grading
• OWASP Top 10:2025 compliance mapping
• Report-To and NEL (Network Error Logging) detection
• Deprecated header detection (HPKP, Expect-CT, Feature-Policy)
• security.txt (RFC 9116) detection
• Quick Fix mode — see your highest-impact issues first
• Instant A+ to F grade with weighted score breakdown
• Actionable WHAT/WHY/FIX diagnostics for every finding
• Domain-grouped scan history with trend tracking
• Re-scan diff — see exactly what changed since your last scan
• Works offline for reviewing past results

PRO FEATURES (one-time purchase):
• Batch scanning — scan up to 50 URLs at once with aggregate report
• Shareable security grade badge (SVG/PNG) for READMEs and dashboards
• Shareable grade card — amber-themed share image
• iPad side-by-side scan comparison with improvement tracking
• Server-specific fix code snippets for nginx, Apache, Express.js, and Caddy
• Smart recommendations — fix suggestions ordered by relevance to your site type
• CORS configuration tester — verify cross-origin resource sharing settings
• DNS record lookup with DNSSEC validation status and CAA record grading
• Export results as PDF or Markdown
• Full certificate chain inspection

Built for developers who ship secure web applications. Whether you maintain nginx, Apache, Express.js, or Caddy servers, GuardPad gives you the tools to verify your security configuration meets industry standards.

No account required. No data collected. All analysis happens on your device.