Safeguard
Security

How to Check a Website for Vulnerabilities: A Practical Guide

A hands-on walkthrough of how to check a website for vulnerabilities, from passive header checks to authenticated dynamic scanning, and how to read the results.

Karan Patel
Platform Engineer
5 min read

To check a website for vulnerabilities, layer three kinds of inspection: passive configuration checks you can run in minutes, dependency scanning of the code behind the site, and dynamic testing that probes the running application for exploitable flaws. No single tool covers all three, and the common mistake is running one scanner, seeing a green result, and assuming the site is secure. A thorough check looks at the transport layer, the application code, and the live behavior, because a weakness in any one of them is enough.

Before anything else: only scan sites you own or have written permission to test. Active scanning of a site you do not control can be illegal and can cause outages. Everything below assumes your own property.

Start with passive configuration checks

The fastest wins come from inspecting what the server already tells you. You do not need to send a single malicious request.

Check security headers. A missing Content-Security-Policy, Strict-Transport-Security, or X-Content-Type-Options header is a common, easily fixed gap:

curl -sI https://example.com | grep -i -E "content-security|strict-transport|x-content-type"

Check the TLS configuration for weak protocols and expiring certificates. Public services from Qualys SSL Labs and Mozilla Observatory grade this without touching your application logic. Check that the server is not leaking its exact software version in the Server header, which hands attackers a shortcut to matching known exploits.

These checks are safe to run against production because they are read-only.

Scan the dependencies behind the site

Most modern sites are mostly other people's code. The framework, the npm or PyPI packages, the container base image, all of it carries a history of disclosed vulnerabilities. Checking the site's exposed surface will never reveal a vulnerable library that has not been triggered yet, so you have to inspect the supply chain directly.

Run software composition analysis against the project's lockfiles. For a Node.js site:

npm audit --production

That is a starting point, but npm audit only sees direct npm advisories. A dedicated SCA product resolves the full transitive tree across ecosystems and container layers, which matters because the vulnerable package is usually three levels down from anything you chose deliberately. This step catches the class of problem, an outdated framework with a known remote-code-execution CVE, that dynamic scanning often misses because the vulnerable path is not reachable from the pages a crawler finds.

Run a dynamic scan against the live site

Dynamic application security testing (DAST) is the part most people mean when they say "check a website for vulnerabilities." A DAST scanner crawls the running application and sends benign test inputs to see how it responds, looking for injection, cross-site scripting, broken authentication, and misconfiguration.

The open-source OWASP ZAP is the standard entry point. Its baseline scan is passive and safe to run first:

docker run -t ghcr.io/zaproxy/zaptool zap-baseline.py -t https://example.com

The baseline scan crawls and reports without active attacks. When you are ready for active testing, do it against a staging copy, not production, because active scans send real (if benign) probes that can create records, send emails, or trip rate limits. Our DAST product covers how to run authenticated scans that reach the pages behind a login, which is where the interesting vulnerabilities usually live.

Cover the authenticated surface

A scan that only sees the public pages misses most of the application. Log in, capture a session token, and configure the scanner to use it so the crawler reaches account settings, admin panels, and API endpoints. Test authorization deliberately: request another user's resource with your own session and confirm you get a 403, not their data. Broken access control is consistently one of the most common serious findings, and no automated scanner catches all of it because the tool cannot always tell which resources should be off-limits to you.

Read the results without drowning

A first scan produces a long list, and most teams either fix everything in a panic or ignore all of it. Neither works. Triage by two questions: is the finding exploitable in this deployment, and what does it expose if it is? A reflected XSS on an authenticated admin page and a missing header on a static marketing page are not the same priority even if a scanner scores them similarly.

De-duplicate across tools, because the header checker, the SCA scan, and the DAST run will each report overlapping issues in different words. The Safeguard Academy has a module on turning a raw scan report into a ranked, actionable backlog.

FAQ

What is the fastest way to check a website for vulnerabilities?

Start with passive configuration checks: inspect security headers with curl, grade the TLS setup with SSL Labs, and confirm the server is not leaking version details. These take minutes, are safe on production, and surface the most common easy fixes.

Can I scan any website for vulnerabilities?

Only sites you own or have explicit written authorization to test. Active scanning of third-party sites can be illegal and can cause outages. All active testing described here assumes your own property or a permissioned engagement.

Does dynamic scanning find every vulnerability?

No. DAST finds issues reachable through the running application, but it misses unreachable-but-vulnerable dependencies and much of broken access control. Combine it with dependency scanning and manual authorization testing for real coverage.

Should I scan production or staging?

Run passive, read-only checks on production. Run active scans against a staging copy, because active probes can create data, send notifications, or trip rate limits even when the payloads are benign.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.