How to scan a website for issues

Whether it's about security, privacy, performance or something else, I have a few tools listed here to cover your needs!

Some of you might want to scan your own website to improve security, privacy and performance, and others might simply be interested in knowing how secure other websites are. There are both ethical and capitalistic reasons to improve security: on the ethical side, you want your users and yourself to be protected; on the capitalistic side, good security, privacy and performance increase your search engine ranking and reputation.

All the following tools are used directly in the browser, and no software needs to be installed.

Scanning HTTP headers and their security implications

I can recommend https://webbkoll.dataskydd.net/en to start with. It will tell you which HTTP headers are set and which are missing. It also explains the security implications and how to implement and improve your setup. Webbkoll scans for things like HSTS, CSP, XSS protection, referrer policy and more!

Scanning your TLS (SSL) setup

Qualys provides a free scanner, known as “SSL Labs”, that you can use to quickly get graded from A+ down to F and get a breakdown of what was scanned and how you can improve things. If you see anything in bold red saying “INSECURE”, then you need to act as soon as possible. You really want to achieve at least an A, but an A+ is not hard to reach when following best practices. The scanner can be found at https://www.ssllabs.com/ssltest/. Note that you can opt out of having your site and its result listed publicly.

Scanning for performance (page speed)

If you want to have a good ranking on Google, your site needs to perform well (load fast). This is not just a matter of having a fast server or internet connection, but of how the page is built and how content is loaded. There are many ways to improve your page speed, just like there are many ways to cripple it. Google’s “PageSpeed Insights” will quickly give you a score, point out issues and help you solve them to improve your overall score. The scanner can be found at https://developers.google.com/speed/pagespeed/insights/.

Scanning for HSTS preload in browsers

This scanner lets you quickly check whether your site’s HSTS is being preloaded in browsers, and even lets you submit it for inclusion! The scanner can be found at https://hstspreload.org/. If you only serve your site through HTTPS and have HSTS set up, consider submitting it for preload!
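As an added example (not part of this article and not code from Webbkoll or hstspreload.org), here is a small offline audit in Python of the headers the two sections above discuss: it parses the Strict-Transport-Security directives, checks the header-level preload requirements that hstspreload.org enforces (a max-age of at least one year, includeSubDomains and preload), and flags headers from the Webbkoll list that are absent. The REQUIRED list and the SAMPLE response are constructed for the example; the preload list also has requirements beyond the header itself (valid certificate, HTTPS redirect) that a header check cannot see.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year

# Headers Webbkoll reports on; constructed list for this example
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "x-frame-options"]

def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=63072000; includeSubDomains; preload' into directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_preload_problems(value: str) -> List[str]:
    """Header-level reasons a site would not qualify for the preload list."""
    d = parse_hsts(value)
    problems = []
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        problems.append("max-age must be at least %d seconds" % ONE_YEAR)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Report missing or weak security headers; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = ["missing: " + name for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        findings += ["hsts: " + p for p in hsts_preload_problems(h["strict-transport-security"])]
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        findings.append("csp: 'unsafe-inline' weakens protection against injected scripts")
    return findings

# Constructed sample response: HSTS too short and not preload-ready, weak CSP.
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
```

Calling audit_headers(SAMPLE) returns five findings: two missing headers, two HSTS preload problems and the weak CSP directive; feed it the headers of your own response to get the same list for your site.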

Scanning for cookies (GDPR)

A big warning beforehand: this is not enough to make sure your site is GDPR compliant, and it should only be used to help find common mistakes that you might have overlooked. A second warning: this scanner stores the results publicly and should therefore not be used for private sites, and possibly not without the consent of the website owner. The scanner can be found at https://2gdpr.com/.

Scanning a Nextcloud instance

Nextcloud provides a scanner to quickly get a grade for any publicly accessible Nextcloud instance. It checks things like the version an instance is running and its HTTP headers. While this is not a complete scan that you can rely on, it will point out common issues that you should fix as soon as possible. You really want to get an A+ here. The scanner can be found at https://scan.nextcloud.com/. Note that the result remains cached on their server, and you might have to trigger a re-scan manually.

Mozilla Observatory

An additional scanner that does a bit of everything is the Mozilla Observatory. While I don’t like this one as much as the individual scanners, one thing it does that the others don’t is scan SSH! The scanner can be found at https://observatory.mozilla.org/.

Conclusion

There are many aspects to improving your website’s security, privacy and performance, and there are many scanners to help you get started. I hope this guide showed you something new and helped you out! Have a good day and go check your websites! 😀
