HAAM Website Security Check

See what your website exposes before someone else does.

Inspect the public security posture of a website without logging in or attempting exploitation. The scan reviews transport, browser defenses, cookies, page-level risks, technology disclosure, and vulnerability reporting policy.

Method

Public evidence, clear boundaries, useful fixes.

The scanner reads the same public response a browser receives. It avoids authenticated areas, private networks, exploit attempts, broad crawling, and invasive probing.

  1. 01

    Validate transport

    Inspect redirects, HTTPS, certificate trust, expiry, protocol, and cipher information.

  2. 02

    Inspect browser defenses

    Review HSTS, CSP, framing restrictions, MIME handling, referrer controls, and feature permissions.

  3. 03

    Review state and content

    Check response cookies, mixed content, form destinations, third-party scripts, and visible technology banners.

  4. 04

    Prioritise fixes

    Turn public evidence into ranked findings with consequences and concrete remediation directions.

Passive by design

No exploit attempts

The tool requests a public page and related policy files. It does not brute-force, inject payloads, scan ports, or test credentials.

Visible evidence

Every issue shows its basis

Findings include the observed response, why the weakness matters, and a practical direction for remediation.

Scope limit

This is not a penetration test

Use code review, dependency scanning, authenticated testing, and professional penetration testing for deeper assurance.

Related case study

When a Website Loses Its Memory

Cointelegraph's missing legacy articles, front-end compromise, and search collapse show why website security must also protect scripts, URLs, discoverability, and institutional memory.

Read the investigation

Help improve this website?

Optional Google Analytics and Microsoft Clarity measure content performance and usability. They load only if you allow them. Form values, email addresses, and chat messages are never included in analytics events.