Passive by design
No exploit attempts
The tool requests a public page and related policy files. It does not brute-force, inject payloads, scan ports, or test credentials.
HAAM Website Security Check
Inspect the public security posture of a website without logging in or attempting exploitation. The scan reviews transport, browser defenses, cookies, page-level risks, technology disclosure, and vulnerability reporting policy.
Method
The scanner reads the same public response a browser receives. It avoids authenticated areas, private networks, exploit attempts, broad crawling, and invasive probing.
Inspect redirects, HTTPS, certificate trust, expiry, protocol, and cipher information.
Review HSTS, CSP, framing restrictions, MIME handling, referrer controls, and feature permissions.
Check response cookies, mixed content, form destinations, third-party scripts, and visible technology banners.
Turn public evidence into ranked findings with consequences and concrete remediation directions.
Passive by design
The tool requests a public page and related policy files. It does not brute-force, inject payloads, scan ports, or test credentials.
Visible evidence
Findings include the observed response, why the weakness matters, and a practical direction for remediation.
Scope limit
Use code review, dependency scanning, authenticated testing, and professional penetration testing for deeper assurance.
Related case study
Cointelegraph's missing legacy articles, front-end compromise, and search collapse show why website security must also protect scripts, URLs, discoverability, and institutional memory.
Optional Google Analytics and Microsoft Clarity measure content performance and usability. They load only if you allow them. Form values, email addresses, and chat messages are never included in analytics events.