BEACON Security Audit

A simple, real security audit of your website.

Beacon runs a passive check of your site’s HTTP security posture — HTTPS, HSTS, Content-Security-Policy and the rest of the OWASP security headers, cookie flags and security.txt — then grades it A–F with the exact header found and how to fix each gap.

  • OWASP security headers: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy — checked against best practice.
  • HTTPS & HSTS: Confirms HTTPS, http→https redirect and a strong Strict-Transport-Security policy.
  • A–F grade: A weighted score using the Mozilla Observatory / securityheaders.com methodology.
  • No version leaks: Flags Server / X-Powered-By headers that disclose software versions to attackers.
  • Cookie & security.txt: Checks Secure/HttpOnly/SameSite cookie flags and whether you publish /.well-known/security.txt.
  • Fix-ready: Every gap shows the real header value and a one-line fix you can add to your action plan.

Passive, honest, no intrusive scanning

Beacon only reads your site’s HTTP response headers — it never probes, brute-forces or attacks. Every result shows the actual header value found (or “not set”), so the report is real and reproducible, never fabricated.

What we check

The audit follows the OWASP Secure Headers Project and Mozilla Observatory.

  • HTTPS served + HTTP → HTTPS redirect
  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Content-Type-Options, X-Frame-Options / frame-ancestors
  • Referrer-Policy, Permissions-Policy
  • Cookie flags: Secure, HttpOnly, SameSite
  • Software-version disclosure & /.well-known/security.txt
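As an added illustration (not Beacon's own code), the following Python checker evaluates a captured set of response headers against the list above, reporting the value found or "not set" plus a fix for each gap. The weights, the HSTS max-age threshold, the grade cut-offs and the sample response are assumptions for the example.

```python
import re

# Assumed weights for illustration only; Beacon's real weighting is not published here.
WEIGHTS = {"hsts": 25, "csp": 25, "nosniff": 10, "framing": 10,
           "referrer": 10, "permissions": 10, "cookies": 5, "versions": 5}

def audit_headers(headers, cookies=()):
    """Passive audit of one HTTPS response. headers: name -> value; cookies: Set-Cookie values.
    Returns (grade, score, findings) with the exact value found for every check."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    def check(name, ok, found, fix):
        findings[name] = {"ok": ok, "found": found if found is not None else "not set", "fix": fix}
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    check("hsts", bool(m) and int(m.group(1)) >= 31536000, hsts,  # one year, assumed threshold
          "Strict-Transport-Security: max-age=31536000; includeSubDomains")
    csp = h.get("content-security-policy")
    check("csp", csp is not None, csp, "Content-Security-Policy: default-src 'self'")
    xcto = h.get("x-content-type-options")
    check("nosniff", (xcto or "").strip().lower() == "nosniff", xcto, "X-Content-Type-Options: nosniff")
    xfo = h.get("x-frame-options")
    check("framing", xfo is not None or "frame-ancestors" in (csp or ""), xfo or csp,
          "X-Frame-Options: DENY (or CSP frame-ancestors 'none')")
    rp = h.get("referrer-policy")
    check("referrer", rp is not None, rp, "Referrer-Policy: strict-origin-when-cross-origin")
    pp = h.get("permissions-policy")
    check("permissions", pp is not None, pp, "Permissions-Policy: camera=(), microphone=(), geolocation=()")
    # Every cookie must carry all three flags.
    bad = [c for c in cookies if not all(f in c.lower() for f in ("secure", "httponly", "samesite"))]
    check("cookies", not bad, "; ".join(cookies) or None, "Add Secure; HttpOnly; SameSite=Lax to every Set-Cookie")
    # A version number such as "nginx/1.18.0" in Server / X-Powered-By is a disclosure.
    leaks = [f"{n}: {h[n]}" for n in ("server", "x-powered-by") if n in h and re.search(r"\d+\.\d+", h[n])]
    check("versions", not leaks, ", ".join(leaks) or None, "Remove version numbers from Server / X-Powered-By")
    score = sum(w for k, w in WEIGHTS.items() if findings[k]["ok"])
    grade = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 60 else "D" if score >= 40 else "F"
    return grade, score, findings

# Constructed sample response from a half-configured site (not a real host).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff",
                  "Server": "nginx/1.18.0"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    grade, score, findings = audit_headers(SAMPLE_HEADERS, SAMPLE_COOKIES)
    print(f"Grade {grade} ({score}/100)")
    for name, f in findings.items():
        print(f"{'PASS' if f['ok'] else 'FAIL'} {name}: found={f['found']!r}  fix: {f['fix']}")
```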

Not a replacement for a pentest

This is a fast posture check that catches the most common, high-impact misconfigurations. For deep penetration testing, pair it with a dedicated security tool — but most sites can lift their grade in an afternoon with these fixes.

FAQ

Is this safe to run on my site?

Yes. It is a passive check that only reads HTTP response headers — no intrusive scanning, probing or attacks. It is rate-limited and respects standard guards.

How is the grade calculated?

A weighted score across HTTPS/HSTS, the OWASP security headers, cookie flags and security.txt, mapped to A–F — aligned with Mozilla Observatory and securityheaders.com.

Is the result real?

Completely. Each check shows the exact header value found on your live site (or “not set”). Beacon never shows fabricated security results.

Grade your site’s security in seconds

Free, passive, and real — with exact fixes.
