A passive website scanner built for real-world monitoring.
WebHound checks your website for security weaknesses, risky scripts, exposed paths, weak browser protections, cookie issues, TLS/DNS problems, and suspicious changes — without exploit attempts or destructive testing.
Choose the right scan for the job
From quick pre-deploy checks to fully scheduled WADE monitoring — every scan is passive and safe.
Fast sanity check before a deploy or after a change.
Full site scan for most use cases. Best balance of coverage and speed.
All engines active. Covers navigation links, forms, scripts, and assets.
Pre-launch or quarterly security review. Maximum crawl depth.
Scheduled recurring scans that compare against a behavioral baseline.
12 engines. Every scan.
Each engine runs in parallel, analyzing a specific slice of your site's security posture.
Security Headers
Analyzes HTTP response headers for browser-enforced security controls.
Detects: Missing HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
CSP Analysis
Deep inspection of Content-Security-Policy directives for unsafe patterns.
Detects: unsafe-inline, unsafe-eval, wildcard sources, missing directives, report-uri misconfig.
TLS Checker
Validates your site's certificate, cipher configuration, and HTTPS enforcement.
Detects: Expired certs, weak ciphers, missing HSTS, non-HTTPS redirect chains.
DNS Checker
Checks email authentication and DNS security records for your domain.
Detects: Missing or invalid SPF, DKIM, DMARC, DNSSEC, and dangling DNS entries.
Cookie Scanner
Audits every cookie set by your site and flags missing security attributes.
Detects: Cookies without Secure, HttpOnly, or SameSite. Session cookies accessible to JavaScript.
JavaScript Analyzer
Inspects inline scripts and loaded files for risky patterns without executing code.
Detects: eval(), document.write, obfuscation, hardcoded credentials, dangerous DOM sinks.
Third-Party Domains
Maps every external source your site contacts and categorizes what they are.
Detects: Unknown script domains, cross-domain iframes, external form actions, fetch/XHR destinations.
Sensitive Paths
Probes common paths that are frequently left publicly accessible by accident.
Detects: .env, admin panels, phpinfo(), backup files, git metadata, debug endpoints.
Secret Scanner
Scans page source and loaded scripts for credential patterns that shouldn't be public.
Detects: API keys, AWS credentials, JWT tokens, private keys, and common secret formats.
Form Risk
Audits HTML forms for security issues including insecure submission targets.
Detects: HTTP form actions, cross-domain POST targets, missing CSRF indicators.
Technology Detection
Identifies frameworks, CMS platforms, and libraries in use on the page.
Detects: Known outdated versions, exposed version strings, CMS-specific vulnerability indicators.
WADE Baseline
Compares the current scan against the established behavioral baseline.
Detects: New external domains, new scripts, DOM structure shifts, new form targets, anomaly score.
What we do — and what we never do
WebHound's scanner is designed to be safe on any live site at any time.
- Reads publicly accessible page content — exactly as a browser would
- Checks response headers, certificates, and DNS records
- Scans static HTML and loaded script files for patterns
- Safe to run continuously against live production sites
- Does not exploit vulnerabilities or probe for attack vectors
- Does not brute-force credentials or login endpoints
- Does not submit forms or execute JavaScript on your site
- Does not run load tests, fuzzing, or destructive operations
By using WebHound you confirm you own or are authorized to scan every target you add. Unauthorized scanning is a violation of our terms and may be illegal.
From URL to report in minutes
No configuration, no agents, no infrastructure changes.
Add your website
Enter the URL. No DNS records, no server config, no agent installation needed.
Choose a scan profile
Quick for fast checks, Standard for full coverage, Deep for audits, Monitor for WADE recurring scans.
Scanner crawls safely
WebHound fetches linked pages and resources — read-only, never modifying anything it touches.
Engines analyze the evidence
All 12 engines run in parallel against the collected artifacts — headers, scripts, forms, cookies, DNS.
Findings are grouped
Results are organized by engine, severity, and fix priority. Every finding includes context and guidance.
Reports and monitoring are generated
Download SARIF, CSV, or Markdown. If WADE has a baseline, anomaly scores are computed automatically.
What you see after a scan
Every scan produces structured, actionable results — not a wall of raw data.
Risk Score
Medium Risk
Some gaps found. Worth fixing.
Findings by Severity
Engine Status
External Domains
Recommended Fixes
Export Report
Download your full scan report in any format for your team, clients, or auditors.
Run your first passive website scan.
No credit card. No installation. Scan only sites you own or are authorized to test.