Open Beta: Free during open beta — no credit card required
Free security scan

Scan your website’s security — free

Check your security headers, TLS, and every third-party script running on your page — then get a single A+ to F Security Score. No account, no credit card, results in about a minute.

  • Headers, TLS & scripts
  • Works behind Cloudflare
  • No code on your site

Scan your site free

See your Security Score and every third-party script running on your page — in about a minute.

Your report includes
  • An A+ to F grade for the page — and why
  • Every third-party script, identified
  • The risks that matter, worst first
Read-only scan — we never add code to your site.

Free · no account · no card. We'll email your report and security tips — unsubscribe anytime.

No black box

How we grade your site

The Security Score is a single A+ to F letter built from three independent dimensions. Each is measured directly — no guesswork, no black box.

HTTP security headers

We read the response headers your server returns and check the ones that protect a browser session — Content-Security-Policy, HSTS, X-Frame-Options, cookie flags, Referrer-Policy and X-Content-Type-Options. Strong, correctly configured headers raise this part of the grade; missing or weak ones lower it.

TLS configuration

We inspect how your site negotiates a secure connection — the protocol in use and the certificate, including how soon it expires. A modern configuration with a healthy certificate scores well; outdated settings or a certificate nearing expiry pull the grade down.

Third-party script integrity

We load the page the way a visitor’s browser does and capture every script that runs — external and inline. Each is identified by vendor where we recognize it, and anything unrecognized or impersonating a known provider is flagged. This is the part a header-only checker cannot see.

The scale

A+ · A · B · C · D · F

A grade reflects what we can verify on the page right now. It is a starting point, not a verdict — the value compounds when you track it over time and get told when a scan detects a change.

Free scan vs full monitoring

One page today, or every page every day

The free scan grades the page you point it at, right now. Full monitoring discovers every critical page on your site — then watches them all, every day, and tells you the moment a scan detects a change.

Free scan

No account

A complete snapshot of one page — yours in about a minute.

  • A+ to F Security Score
  • Every third-party script, identified
  • Where the page sends data
  • Works behind Cloudflare
What a snapshot can’t do
  • Only the one page you enter
  • A snapshot — no alert when it later changes

Full monitoring

Free during beta

Every critical page, watched continuously.

Automatic Discovery

Finds every critical page for you — checkout, cart, login, account, admin and password-reset — across languages, then monitors them all. No page list to build or maintain.

  • Daily re-scans of every page, automatically
  • Change alerts with context — email and Slack the moment a scan detects a changed script or header, each with a risk score and a plain-language explanation of what changed
  • No alert fatigue — routine vendor updates are recognized and filtered out, so an alert always means something worth a look
  • Baseline integrity — catches a trusted script being silently swapped out
  • Threat intelligence — flags scripts loading from known-malware hosts, known-vulnerable library versions, and look-alike domains
  • Change history and your Security Score trend over time
  • Audit-ready evidence — full script inventory, a timestamped approval trail and PDF reports that map to PCI DSS 6.4.3 and 11.6.1, where they apply
  • Everything in the free scan, on every page
Set up continuous monitoring

Free during open beta · no credit card · no code on your site

The free scan is the perfect first look. Monitoring is how it stays true after today.

Common questions

Free security scan FAQ

What does the free security scan check?
The scan grades three things on the page you submit: (1) your HTTP security headers — Content-Security-Policy, HSTS, X-Frame-Options, cookie flags, Referrer-Policy and X-Content-Type-Options; (2) your TLS configuration — protocol and certificate, including expiry; and (3) the third-party JavaScript running on the page — every external and inline script, identified by vendor where recognized, with anything unrecognized flagged for review. It returns an A+ to F Security Score plus a per-dimension breakdown and a list of the scripts we found.
Is it really free?
Yes. The scan is free, there is no account to create and no credit card required. You enter your site and an email address, we run the scan, and we send the full report to that address. ScriptPatrol itself is free during open beta if you decide to set up continuous monitoring afterwards.
Do you store my data?
We scan the public page you submit — the same content any visitor’s browser would load — and email the report to the address you provide, along with security tips and product updates, which you can unsubscribe from at any time. We do not collect credentials, and we do not modify your site in any way. See our Privacy Policy for the full detail.
What if my site is behind Cloudflare or another firewall?
It still works. We monitor sites behind Cloudflare and other firewalls every day. If a site’s protection blocks an anonymous deep scan, that is a good sign — it is doing its job against strangers — and we report what we can confirm from the outside and detect challenge pages so we never mistake them for your real site. For ongoing monitoring, one optional allow-list step gives a clean, complete scan, with no code added to your site.
How is this different from a one-time scanner?
A one-time scan is a snapshot: it tells you the state of your headers, TLS and scripts at this moment. The real client-side risk is change over time — a trusted third-party script being silently swapped, or a new script appearing on your checkout after a compromise. Continuous monitoring re-scans automatically, compares each result against an approved baseline of SHA-256 script hashes, and alerts you as soon as a scan detects a change. The free scan shows you today’s picture; monitoring keeps it true.
Why does the scan need to load my page in a browser?
Security headers and TLS can be read from the response, but the scripts that actually execute — including ones injected by other scripts at runtime — only appear when the page is rendered the way a real visitor’s browser renders it. We load the page from a trusted source, capture every script that runs, and hash each one so the inventory reflects what your users truly receive, not just what the raw HTML declares.
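
The baseline comparison described in the answers above, as an added example that is not ScriptPatrol's own code: each captured script is hashed with SHA-256 and the inventory is compared with an approved one. The function names, the inventory shape, the `inline:` key convention and the sample scripts are assumptions constructed for illustration.

```python
import hashlib

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def build_inventory(captured):
    """Map each captured script to its SHA-256.

    `captured` is a list of (src, body) pairs; src is the script URL, or
    None for an inline script, which is keyed by its own hash because it
    has no stable name (an edited inline script shows up as removed + added).
    """
    inventory = {}
    for src, body in captured:
        digest = sha256_hex(body)
        key = src if src is not None else "inline:" + digest[:16]
        inventory[key] = digest
    return inventory

def diff_against_baseline(baseline, current):
    """Compare a current inventory with the approved baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current
                     if k in baseline and current[k] != baseline[k])
    return {"added": added, "removed": removed, "changed": changed}

# Constructed sample data: an approved scan and a later scan of the same page.
APPROVED_SCAN = [
    ("https://cdn.example.com/analytics.js", b"track('pageview');"),
    ("https://pay.example.net/checkout.js", b"renderCardForm();"),
    (None, b"window.cfg = {locale: 'en'};"),
]
LATER_SCAN = [
    ("https://cdn.example.com/analytics.js", b"track('pageview');"),
    # Same URL, different bytes: the silent swap a hash baseline catches.
    ("https://pay.example.net/checkout.js", b"renderCardForm(); /* modified */"),
    (None, b"window.cfg = {locale: 'en'};"),
    ("https://static.example.org/widget.js", b"initWidget();"),
]

def run_example():
    baseline = build_inventory(APPROVED_SCAN)
    return diff_against_baseline(baseline, build_inventory(LATER_SCAN))

if __name__ == "__main__":
    print(run_example())
```

The unchanged analytics script and the unchanged inline script produce no finding; only the swapped checkout script and the new widget script are reported.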

Run your free scan

See your Security Score and every third-party script on your page in about a minute — then keep it monitored continuously, all free during open beta.

No account required. Create a free account to monitor your site continuously.