What Does the Basic Vulnerability Scanner Check?
The Basic Vulnerability Scanner performs fundamental security checks on web pages and code: missing security headers, SQL injection patterns, XSS vectors, exposed sensitive information, and HTTPS configuration issues. It generates a prioritized report with remediation steps for each finding.
Security Headers Check
Scan target: https://example.com
Security Headers Analysis:
Content-Security-Policy: MISSING ⚠ HIGH
X-Frame-Options: MISSING ⚠ MEDIUM
X-Content-Type-Options: PRESENT ✓
Strict-Transport-Security: PRESENT ✓
Referrer-Policy: MISSING ⚠ LOW
Permissions-Policy: MISSING ⚠ LOW
X-XSS-Protection: PRESENT ✓ (legacy, CSP preferred)
Recommended fixes:
Content-Security-Policy (HIGH):
Add to server response headers:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.example.com; frame-ancestors 'none';
X-Frame-Options (MEDIUM):
X-Frame-Options: DENY
(prevents clickjacking attacks)
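The header analysis above, as an added example that is not the scanner's own code: a function that takes a captured response-header object and produces the MISSING / PRESENT findings with the severities the report uses, plus two checks a practitioner usually wants on top of presence: a CSP whose script-src allows 'unsafe-inline', and an HSTS max-age shorter than a year. The severities for X-Content-Type-Options and Strict-Transport-Security, and the sample header set, are assumptions for this example.

```javascript
'use strict';

// Header names are compared case-insensitively; Node's IncomingMessage.headers
// already lower-cases them, so a captured response can be passed in directly.
// Severities for CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy
// follow the report above; those for X-Content-Type-Options and HSTS are
// assumed for this example.
const REQUIRED_HEADERS = [
  { name: 'content-security-policy', severity: 'HIGH' },
  { name: 'x-frame-options', severity: 'MEDIUM' },
  { name: 'x-content-type-options', severity: 'LOW' },
  { name: 'strict-transport-security', severity: 'HIGH' },
  { name: 'referrer-policy', severity: 'LOW' },
  { name: 'permissions-policy', severity: 'LOW' },
];

const ONE_YEAR_SECONDS = 31536000;

// Split a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const directive = part.trim().toLowerCase();
    if (directive.startsWith('max-age=')) hsts.maxAge = parseInt(directive.slice(8), 10);
    else if (directive === 'includesubdomains') hsts.includeSubDomains = true;
    else if (directive === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Return the source list of one CSP directive (e.g. 'script-src'), or null.
function cspDirective(csp, name) {
  const found = csp.split(';').map(d => d.trim())
    .find(d => d === name || d.startsWith(name + ' '));
  return found ? found.slice(name.length).trim() : null;
}

// Returns a list of { header, status, severity, detail? } findings.
function checkSecurityHeaders(rawHeaders) {
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = String(v);
  const findings = [];

  for (const { name, severity } of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push({ header: name, status: 'MISSING', severity });
  }

  // A CSP that allows inline scripts gives little protection against XSS.
  const csp = headers['content-security-policy'];
  if (csp) {
    const scriptSrc = cspDirective(csp, 'script-src') ?? cspDirective(csp, 'default-src') ?? '';
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push({ header: 'content-security-policy', status: 'WEAK', severity: 'MEDIUM',
        detail: "script-src allows 'unsafe-inline'" });
    }
  }

  // HSTS with a short max-age lapses before it gives lasting protection.
  const hstsValue = headers['strict-transport-security'];
  if (hstsValue) {
    const hsts = parseHsts(hstsValue);
    if (hsts.maxAge === null || Number.isNaN(hsts.maxAge) || hsts.maxAge < ONE_YEAR_SECONDS) {
      findings.push({ header: 'strict-transport-security', status: 'WEAK', severity: 'MEDIUM',
        detail: `max-age is ${hsts.maxAge}; expected at least ${ONE_YEAR_SECONDS}` });
    }
  }

  // X-XSS-Protection is a legacy header; report it for information only.
  if ('x-xss-protection' in headers) {
    findings.push({ header: 'x-xss-protection', status: 'LEGACY', severity: 'INFO',
      detail: 'legacy header; rely on Content-Security-Policy' });
  }
  return findings;
}

function formatReport(findings) {
  return findings.map(f =>
    `${f.header}: ${f.status} ${f.severity}${f.detail ? ' (' + f.detail + ')' : ''}`).join('\n');
}

// Constructed sample mirroring the report above (CSP and X-Frame-Options absent).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-XSS-Protection': '1; mode=block',
};

console.log(formatReport(checkSecurityHeaders(SAMPLE_HEADERS)));
```

Run against SAMPLE_HEADERS this reports four MISSING headers and the legacy X-XSS-Protection line; the HSTS value passes because its max-age is a full year.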
SQL Injection Vulnerability Detection
Scan: Form inputs and URL parameters
VULNERABLE pattern found in /search endpoint:
URL: /search?q=test' OR '1'='1
Response: 500 Internal Server Error (database error exposed)
Risk: HIGH — SQL injection possible
Vulnerable code pattern:
// BAD — string concatenation
const query = "SELECT * FROM products WHERE name = '" + userInput + "'";
Fix — use parameterized queries:
// GOOD — parameterized query
const query = "SELECT * FROM products WHERE name = ?";
db.execute(query, [userInput]);
// GOOD — ORM (Sequelize)
Product.findAll({ where: { name: userInput } });
// GOOD — prepared statement (Java)
PreparedStatement stmt = conn.prepareStatement(
"SELECT * FROM products WHERE name = ?"
);
stmt.setString(1, userInput);
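The response classification behind the finding above, as an added example that is not the scanner's own code: given the response to an ordinary value and the response to the same parameter with a quote appended, it reports HIGH when a database driver error is exposed in the body (the page's "500 Internal Server Error (database error exposed)" case), MEDIUM when the status merely jumps to a server error, and nothing otherwise. The error signature list and the sample responses are constructed for this example.

```javascript
'use strict';

// Error fragments that common database engines emit. Any one of them in an
// HTTP response body means raw driver errors reach the client. The list is
// illustrative, not exhaustive.
const DB_ERROR_SIGNATURES = [
  { engine: 'MySQL', re: /You have an error in your SQL syntax/i },
  { engine: 'PostgreSQL', re: /(unterminated quoted string|syntax error at or near)/i },
  { engine: 'SQL Server', re: /Unclosed quotation mark after the character string/i },
  { engine: 'SQLite', re: /SQLITE_ERROR|near "[^"]*": syntax error/i },
  { engine: 'Oracle', re: /\bORA-\d{5}\b/ },
];

// baseline: response to the ordinary value (e.g. q=test)
// probe:    response to the same parameter with a single quote appended
// Each is { status: number, body: string }.
function classifyProbe(baseline, probe) {
  const exposed = DB_ERROR_SIGNATURES.filter(s => s.re.test(probe.body)).map(s => s.engine);
  if (exposed.length > 0) {
    return { risk: 'HIGH', reason: 'database error exposed in response', engines: exposed };
  }
  if (probe.status >= 500 && baseline.status < 500) {
    return { risk: 'MEDIUM', reason: 'quoted input triggers a server error; review query construction', engines: [] };
  }
  return { risk: 'NONE', reason: 'no error leakage observed', engines: [] };
}

// Turn a classification into the report entry format used above.
function toFinding(endpoint, result) {
  if (result.risk === 'NONE') return null;
  return { endpoint, risk: result.risk, detail: result.reason +
    (result.engines.length ? ' (' + result.engines.join(', ') + ')' : '') };
}

// Constructed sample responses for the /search endpoint from the scan above.
const BASELINE = { status: 200, body: '<ul><li>test widget</li></ul>' };
const LEAKY_PROBE = {
  status: 500,
  body: 'Error: You have an error in your SQL syntax; check the manual that ' +
        "corresponds to your MySQL server version for the right syntax to use near ''1'='1'",
};
// A fixed application (parameterised query) just searches for the literal text.
const FIXED_PROBE = { status: 200, body: '<ul></ul>' };

console.log(toFinding('/search', classifyProbe(BASELINE, LEAKY_PROBE)));
console.log(toFinding('/search', classifyProbe(BASELINE, FIXED_PROBE)));
```

Note that an absent error message is not proof of safety: a parameterised query and a concatenated query that happens to swallow its errors look the same to this check, which is why the report calls the finding a "pattern" and pairs it with the code-level fix.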
XSS Vulnerability Detection
Scan: User input reflection points
VULNERABLE pattern found in /comments endpoint:
Input: <script>alert('XSS')</script>
Response: Script tag reflected unencoded in HTML
Risk: HIGH — Stored/Reflected XSS possible
Vulnerable code:
// BAD — unencoded output
document.getElementById('comment').innerHTML = userComment;
res.send('<p>' + userComment + '</p>');
Fix — encode output for context:
// GOOD — HTML context
element.textContent = userComment; // browser encodes automatically
// GOOD — server-side (Node.js)
import { escape } from 'html-escaper';
res.send('<p>' + escape(userComment) + '</p>');
// GOOD — template engines (auto-escape)
// Handlebars: {{ userComment }} (double braces = escaped)
// Jinja2: {{ user_comment }} (auto-escaped by default)
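Context-aware output encoding, as an added example that is not the scanner's or any library's code: the escape function does the same job as the html-escaper `escape` call above but is written out so the block has no dependencies, and it is applied in three contexts (HTML text, a quoted attribute with a URL component, and an inline script), alongside the reflection check the scanner performs. The sample input is the one from the scan above; the function names are this example's own.

```javascript
'use strict';

// Escape the characters that carry meaning in HTML text and in
// double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// BAD: the unencoded pattern from the section above, kept for comparison.
function renderCommentUnsafe(userComment) {
  return '<p>' + userComment + '</p>';
}

// GOOD: HTML text context.
function renderCommentSafe(userComment) {
  return '<p>' + escapeHtml(userComment) + '</p>';
}

// GOOD: attribute context. The attribute must be quoted as well as escaped;
// an unquoted attribute can be closed with a space, which escaping does not
// touch. The URL path segment gets URL encoding, not HTML encoding.
function renderAuthorLink(authorName) {
  const safe = escapeHtml(authorName);
  return '<a href="/users/' + encodeURIComponent(authorName) + '" title="' + safe + '">' + safe + '</a>';
}

// GOOD: JavaScript context. JSON encoding handles quotes and backslashes;
// '<' is additionally written as \u003c so a value cannot close the
// enclosing <script> element, and U+2028/U+2029 are escaped because they
// are line terminators in JavaScript but legal inside JSON strings.
function embedInScript(varName, value) {
  const json = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<script>var ' + varName + ' = ' + json + ';</script>';
}

// Reflection check of the kind the scanner runs: is the marker echoed back
// with its angle brackets intact?
function reflectsUnencoded(responseBody, marker) {
  return responseBody.includes(marker);
}

const SAMPLE_INPUT = "<script>alert('XSS')</script>"; // the input from the scan above

console.log(renderCommentUnsafe(SAMPLE_INPUT), reflectsUnencoded(renderCommentUnsafe(SAMPLE_INPUT), SAMPLE_INPUT));
console.log(renderCommentSafe(SAMPLE_INPUT), reflectsUnencoded(renderCommentSafe(SAMPLE_INPUT), SAMPLE_INPUT));
```

The point of the three renderers is that one escape function does not cover every context: HTML escaping inside an inline script would leave `</script>` as dangerous as before, and URL encoding inside HTML text would render literally.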
Sensitive Information Exposure
Scan: JavaScript files, HTML source, API responses
FINDING 1 — API key in JavaScript (CRITICAL):
File: /static/app.js (line 47)
Found: const API_KEY = "sk-live-abc123def456...";
Risk: CRITICAL — API key exposed to all users
Fix: Move to server-side environment variable
// Remove from client-side code entirely
// Use server-side proxy for API calls
FINDING 2 — Stack trace in error response (MEDIUM):
Endpoint: /api/users/999
Response body contains:
"Error: Cannot read property 'id' of undefined
at UserController.getUser (/app/controllers/user.js:42:15)
at Layer.handle [as handle_request] (/app/node_modules/express/...)"
Risk: MEDIUM — reveals file paths and code structure
Fix: Return generic error messages in production
// Express error handler: the four-parameter signature is what marks it as
// one, so keep `next` even though it is unused, and register it after all routes
app.use((err, req, res, next) => {
  console.error(err); // log the full error, including its stack, internally
  res.status(500).json({ error: 'Internal server error' }); // generic response to the client
});
FINDING 3 — HTML comment with credentials (HIGH):
File: /index.html (line 12)
Found: <!-- TODO: remove test credentials admin/password123 -->
Risk: HIGH — credentials visible in page source
Fix: Remove all credentials from source code immediately
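The three checks of this section as detection logic, added here as an example rather than the scanner's own code: a secret-pattern scan over a JavaScript file, a credential-hint scan over HTML comments, and a stack-frame scan over an error response body. The regexes, the `sk-live-` prefix (taken from the report's own finding) and the sample file contents are constructed for this example; the key in the sample is a placeholder.

```javascript
'use strict';

// Patterns for the three findings in the section above. Real key formats
// vary by provider; the "sk-live-" prefix mirrors the report's example.
const SECRET_PATTERNS = [
  { id: 'hardcoded-secret', severity: 'CRITICAL',
    re: /\b(?:API_KEY|SECRET|TOKEN|PASSWORD)\w*\s*[=:]\s*["']([^"'\n]{8,})["']/gi },
  { id: 'live-key-prefix', severity: 'CRITICAL', re: /\bsk-live-[A-Za-z0-9]{6,}\b/g },
];
const HTML_COMMENT = /<!--([\s\S]*?)-->/g;
const CREDENTIAL_HINT = /\b(password|passwd|credential|admin\/)/i;
// A V8 stack frame carrying an absolute server path: "at fn (/path/file.js:42:15)".
const STACK_FRAME = /^\s*at\s+.+?\s+\((\/[^):]+):(\d+):(\d+)\)/m;

// 1-based line number of a character offset in text.
function lineAt(text, offset) {
  return text.slice(0, offset).split('\n').length;
}

// Show only a prefix of a secret so the report does not become a second copy of it.
function redact(secret) {
  return secret.slice(0, 8) + '...';
}

// Check a JavaScript (or any text) file for hard-coded secrets; one finding per line.
function scanSourceFile(file, text) {
  const findings = [];
  const seen = new Set();
  for (const { id, severity, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const line = lineAt(text, m.index);
      const key = file + ':' + line;
      if (seen.has(key)) continue;
      seen.add(key);
      findings.push({ id, severity, file, line, found: redact(m[1] ?? m[0]) });
    }
  }
  return findings;
}

// Check HTML comments for credential-like text.
function scanHtmlComments(file, html) {
  const findings = [];
  for (const m of html.matchAll(HTML_COMMENT)) {
    if (CREDENTIAL_HINT.test(m[1])) {
      findings.push({ id: 'credentials-in-comment', severity: 'HIGH', file,
        line: lineAt(html, m.index), found: m[0].trim() });
    }
  }
  return findings;
}

// Check an error response body for a stack trace that reveals server paths.
function scanErrorResponse(endpoint, body) {
  const m = STACK_FRAME.exec(body);
  if (!m) return [];
  return [{ id: 'stack-trace-in-response', severity: 'MEDIUM', endpoint, found: m[1] + ':' + m[2] }];
}

// Constructed samples (the key below is a placeholder, not a real credential).
const APP_JS = [
  '// constructed sample of /static/app.js',
  'const BASE_URL = "https://api.example.com";',
  'const API_KEY = "sk-live-abc123def456";',
  'fetch(BASE_URL + "/items", { headers: { Authorization: "Bearer " + API_KEY } });',
].join('\n');
const INDEX_HTML = [
  '<!doctype html>',
  '<html><head><title>Example</title></head>',
  '<body>',
  '<!-- TODO: remove test credentials admin/password123 -->',
  '<!-- build 2024-01-15 -->',
  '</body></html>',
].join('\n');
const ERROR_BODY = "Error: Cannot read property 'id' of undefined\n" +
  '    at UserController.getUser (/app/controllers/user.js:42:15)\n' +
  '    at Layer.handle [as handle_request] (/app/node_modules/express/...)';

console.log(scanSourceFile('/static/app.js', APP_JS));
console.log(scanHtmlComments('/index.html', INDEX_HTML));
console.log(scanErrorResponse('/api/users/999', ERROR_BODY));
```

A finding from the first scan means the key is already public and must be rotated, not merely removed; the second comment in the sample HTML shows why the comment scan keys on credential words rather than flagging every comment.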
HTTPS Configuration Check
Scan: HTTPS configuration
Mixed content check:
HTTPS page loads HTTP resources:
⚠ http://cdn.example.com/jquery.min.js (script — BLOCKED by browsers)
⚠ http://images.example.com/logo.png (image — WARNING in browsers)
Fix: Update all resource URLs to HTTPS:
<script src="https://cdn.example.com/jquery.min.js"></script>
<img src="https://images.example.com/logo.png" alt="Logo">
HSTS check:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
✓ Present and correctly configured
Certificate check:
✓ Valid certificate
✓ Expires: 2025-06-15 (89 days remaining)
✓ TLS 1.2 and 1.3 supported
⚠ TLS 1.0 and 1.1 still enabled — disable these legacy versions
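The mixed content check and its fix, as an added example that is not the scanner's own code: it finds http:// subresources in the HTML of an https:// page, labels each BLOCKED or WARNING the way the scan output does, and rewrites only those attributes to https://, leaving ordinary links alone. The categories follow the W3C Mixed Content specification (scripts, frames, stylesheets and plugin content are blockable; images, audio and video are optionally blockable); the tag list and sample HTML are this example's own.

```javascript
'use strict';

// Blockable subresource elements: the browser refuses to load them over http://
// from an https:// page. Images, audio and video are optionally blockable:
// browsers warn, and current ones attempt an https:// upgrade first.
const BLOCKABLE = new Set(['script', 'iframe', 'link', 'object', 'embed']);

// Elements whose src/href/data attributes fetch a subresource. <a> is not
// included: a navigation link is not mixed content.
const TAG_RE = /<(script|iframe|link|object|embed|img|audio|video|source)\b([^>]*)>/gi;
const HTTP_URL_ATTR = /\b(src|href|data)\s*=\s*(["']?)(http:\/\/[^"'\s>]+)\2/i;

// pageUrl: the URL the HTML was served from; only https:// pages can have
// mixed content. Returns one { tag, url, effect } finding per http:// subresource.
function findMixedContent(pageUrl, html) {
  if (!pageUrl.startsWith('https://')) return [];
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = HTTP_URL_ATTR.exec(m[2]);
    if (!attr) continue;
    findings.push({ tag, url: attr[3], effect: BLOCKABLE.has(tag) ? 'BLOCKED' : 'WARNING' });
  }
  return findings;
}

// The fix the section above recommends: point every http:// subresource at
// https://. Rewrites only the attributes the scan would flag.
function upgradeMixedContent(html) {
  return html.replace(TAG_RE, (whole, tag, attrs) =>
    '<' + tag + attrs.replace(/\b(src|href|data)(\s*=\s*["']?)http:\/\//gi, '$1$2https://') + '>');
}

function formatFindings(findings) {
  return findings.map(f => `⚠ ${f.url} (${f.tag} — ${f.effect})`).join('\n');
}

// Constructed sample page: one blockable script, one warning image, one
// https stylesheet that is fine, and a plain link that is not a subresource.
const SAMPLE_HTML = [
  '<html><head>',
  '<script src="http://cdn.example.com/jquery.min.js"></script>',
  '<link rel="stylesheet" href="https://cdn.example.com/site.css">',
  '</head><body>',
  '<img src="http://images.example.com/logo.png" alt="Logo">',
  '<a href="http://partner.example.com/">Partner</a>',
  '</body></html>',
].join('\n');

console.log(formatFindings(findMixedContent('https://example.com', SAMPLE_HTML)));
console.log(upgradeMixedContent(SAMPLE_HTML));
```

Upgrading a URL only helps if the host actually serves it over HTTPS, so the rewritten page should be re-scanned and its resources fetched, not just string-replaced.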
Quick Security Checklist
- Add Content-Security-Policy header to prevent XSS
- Use parameterized queries — never concatenate SQL strings
- Encode user-supplied data for its output context before rendering it in HTML
- Never commit API keys, passwords, or tokens to source code
- Return generic error messages in production
- Enforce HTTPS and fix all mixed content warnings
- Add X-Frame-Options: DENY to prevent clickjacking
- Disable TLS 1.0 and 1.1 on your web server
Full Scan Report Example
Vulnerability Scan Report
Target: https://example.com
Date: 2024-01-15
CRITICAL (1):
[CRIT-001] API key exposed in client-side JavaScript
File: /static/app.js:47
Action: Remove immediately, rotate the key
HIGH (3):
[HIGH-001] Missing Content-Security-Policy header
[HIGH-002] SQL injection in /search endpoint
[HIGH-003] Credentials in HTML comment
MEDIUM (2):
[MED-001] Missing X-Frame-Options header
[MED-002] Stack traces in error responses
LOW (2):
[LOW-001] Missing Referrer-Policy header
[LOW-002] TLS 1.0/1.1 still enabled
PASSED (4):
✓ HTTPS enforced
✓ X-Content-Type-Options present
✓ HSTS configured
✓ Valid SSL certificate
Overall security score: 42/100 — Needs improvement