What we scan

Scanthra runs a friendly, passive check on your website. We never log in, never brute force, never stress your server. Here's exactly what we look at — in plain English.

Passive means safe. Every check below uses standard requests any visitor would make — GET, HEAD, OPTIONS, DNS. Nothing more.

The basics — is your website locked properly?

🔒 Security headers

We check whether your website tells the browser to behave safely: HSTS (force HTTPS), CSP (block injected scripts), X-Frame-Options (prevent clickjacking), X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Missing headers are a common source of small leaks that add up.

🔐 SSL/TLS certificate & encryption

Is your certificate valid, who issued it, when does it expire, and does it support modern TLS? An expired cert kills sales for a day. A weak protocol puts your visitors at risk.

🍪 Cookie flags

We look at your cookies — are they marked Secure, HttpOnly and have a sensible SameSite? Without these, login sessions can leak over public Wi-Fi or be stolen by malicious scripts.
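A worked example, added here and not Scanthra's own code, of what the header and cookie checks above amount to once a response has been received. It works only on headers an ordinary GET already returned, so it is passive in the same sense. The expected-value table, the 180-day HSTS threshold and the sample response are this example's own choices, not a standard.

```python
import re

# Added example, not Scanthra's code: score a response's security headers and
# cookie flags. Everything here works on headers already received from an
# ordinary GET, so it is a passive check.

# Headers to expect. A tuple lists the accepted values; None means "any value,
# just be present". These expectations are this example's, not a standard.
EXPECTED_HEADERS = {
    "strict-transport-security": None,   # max-age checked separately below
    "content-security-policy": None,
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
    "referrer-policy": None,
    "permissions-policy": None,
}
MIN_HSTS_AGE = 15552000   # 180 days; threshold chosen for this example


def check_headers(headers):
    """Return findings (strings) for a dict of HTTP response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepted in EXPECTED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif accepted and value.strip().lower() not in accepted:
            findings.append(f"unexpected value for {name}: {value!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts max-age missing or shorter than 180 days")
    return findings


def parse_set_cookie(raw):
    """Split one Set-Cookie header value into (cookie name, {attr: value})."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def check_cookies(set_cookie_values):
    """Return findings for a list of Set-Cookie header values."""
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite is {attrs.get('samesite') or 'unset'}")
    return findings


# Constructed sample response, standing in for what a passive GET would return.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) + check_cookies(SAMPLE_COOKIES):
        print("-", finding)
```

On the sample response this reports four header findings (no CSP, no Permissions-Policy, an X-Frame-Options value the browser will not honour, and an HSTS max-age of five minutes) and two cookie findings for the session cookie. SameSite=None is legitimate for cookies that must be sent cross-site (it then requires Secure), so that line is a judgement call rather than a hard failure.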

Hidden things you didn't mean to publish

📁 Exposed files

Backup files, .env, .git folders, database dumps, forgotten admin panels — we check a curated list of well-known paths that shouldn't be public.

🚪 Login & admin pages

We note where your admin login lives (/wp-admin, /administrator, etc.) so you can decide whether it should be restricted by IP or moved behind a second factor.

🤖 robots.txt & .well-known

Sometimes robots.txt leaks the names of folders you don't want indexed. Your .well-known directory might reveal more than you think.

What your website is built with

🧱 CMS & versions

If you run WordPress, Joomla, Drupal, Shopify or PrestaShop, we identify it and read its public version markers. Outdated CMS versions are the single biggest cause of hacked small-business websites.

🔍 Tech fingerprinting

We detect server software (nginx, Apache), language (PHP, Node), and common front-end libraries — only from headers and HTML that's already public.

📚 Passive CVE lookup

When we detect a specific version of a known component, we cross-check it against a local copy of the public vulnerability database (NVD). No exploit, no probing — just "hey, that version has a known issue; here's the upgrade you need."
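A worked example, added here and not Scanthra's code or NVD tooling, of the matching step the two passages above describe: a detected CMS or component version is compared against vulnerability records that carry version ranges. The range field names mirror the ones NVD uses in its CPE match data (versionStartIncluding, versionEndIncluding, versionEndExcluding); the records, product names and advisory ids below are constructed placeholders, and the version parser is deliberately simplified.

```python
import re

# Added example, not Scanthra's code and not NVD tooling: decide whether a
# detected component version falls inside the version ranges vulnerability
# records carry. Field names mirror NVD's CPE match data; the records
# themselves are constructed placeholders.


def parse_version(text):
    """'6.4.2' -> (6, 4, 2). Only the leading digits of each dot-separated part
    count; a part with no digits ends the tuple, so '1.2-rc1' -> (1, 2).
    Good enough for CMS release numbers, not a full semver parser."""
    out = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if m is None:
            break
        out.append(int(m.group()))
    return tuple(out)


def in_range(version, match):
    """True if version lies inside the (possibly open-ended) range of match."""
    v = parse_version(version)
    start = match.get("versionStartIncluding")
    end_incl = match.get("versionEndIncluding")
    end_excl = match.get("versionEndExcluding")
    if start and v < parse_version(start):
        return False
    if end_incl and v > parse_version(end_incl):
        return False
    if end_excl and v >= parse_version(end_excl):
        return False
    return True


def lookup(product, version, records):
    """Return [{'id', 'upgrade_to'}] for every record whose range contains
    (product, version). upgrade_to is the first version outside the affected
    range when the record states one (versionEndExcluding), else None."""
    hits = []
    for rec in records:
        for m in rec["matches"]:
            if m["product"] == product and in_range(version, m):
                hits.append({"id": rec["id"], "upgrade_to": m.get("versionEndExcluding")})
                break   # one hit per record is enough
    return hits


# Constructed records with placeholder ids; a real check would read these
# from the local NVD copy mentioned above.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001 (constructed placeholder)",
     "matches": [{"product": "examplecms",
                  "versionStartIncluding": "5.0",
                  "versionEndExcluding": "5.8.3"}]},
    {"id": "CVE-0000-0002 (constructed placeholder)",
     "matches": [{"product": "examplecms",
                  "versionEndIncluding": "4.9"}]},
    {"id": "CVE-0000-0003 (constructed placeholder)",
     "matches": [{"product": "otherplugin",
                  "versionEndExcluding": "2.1"}]},
]

if __name__ == "__main__":
    for hit in lookup("examplecms", "5.7.1", SAMPLE_RECORDS):
        print(hit["id"], "-> upgrade to", hit["upgrade_to"])
```

The point of the two end fields is that "upgrade to X" only follows from a record that names the first fixed version (versionEndExcluding); a record that only says "up to and including 4.9" tells you the version is affected but not which release closes the issue, so the example reports None there rather than guessing.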

Email security — your domain's reputation

📧 SPF, DKIM & DMARC

If your domain has no SPF/DKIM/DMARC, anyone can spoof emails pretending to be you — your bank, your customer, your supplier. We check whether these DNS records exist and look healthy. Missing DMARC is a top cause of deliverability problems and phishing impersonation.
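A worked example, added here and not Scanthra's code, of what "exist and look healthy" means for SPF and DMARC. The TXT records below are constructed; in a real check they come from a DNS TXT query for the domain itself and for _dmarc.<domain>. DKIM is left out because its record lives under a selector name the checker would have to know, and the domain names are placeholders.

```python
import re

# Added example, not Scanthra's code: read a domain's SPF and DMARC TXT
# records and report the usual weaknesses. Records here are constructed;
# a real check fetches them with a DNS TXT query.

# SPF terms that cost a DNS lookup under RFC 7208 (at most 10 are allowed).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)


def check_spf(txt_records):
    """Findings for the TXT records of the bare domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record (only one is allowed)")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1].lower()
        if last in ("all", "+all"):
            findings.append("SPF ends in +all: any host may send as this domain")
        elif last == "?all":
            findings.append("SPF ends in ?all: unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, over the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    """Findings for the TXT records of _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {}
    for part in dmarc[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC has no valid p= tag")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports go nowhere")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of the mail")
    return findings


def assess(domain, zone):
    """zone maps record names to lists of TXT strings (stand-in for DNS)."""
    return {"spf": check_spf(zone.get(domain, [])),
            "dmarc": check_dmarc(zone.get("_dmarc." + domain, []))}


# Constructed zones for a placeholder domain: one weak, one healthy.
WEAK_ZONE = {
    "example-shop.test": ["v=spf1 include:_spf.mailhost.test +all",
                          "some-site-verification=abc"],
    "_dmarc.example-shop.test": ["v=DMARC1; p=none"],
}
GOOD_ZONE = {
    "example-shop.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example-shop.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-shop.test; pct=100"],
}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("good", GOOD_ZONE)):
        print(label, assess("example-shop.test", zone))
```

The weak zone has an SPF record and a DMARC record, so a pure "does it exist" test would pass it; the findings show why existence is not enough: +all lets any host send as the domain, and p=none means spoofed mail is only reported, not stopped. The lookup counter matters because an SPF record that exceeds ten DNS lookups evaluates to permerror and protects nothing.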

What we deliberately don't do

In other words: nothing your hosting provider could complain about. A Scanthra scan looks just like a curious visitor reading a few public pages.
