What do these free security tools check?

The three tools run passive, non-destructive checks: the Security Headers Checker fetches your URL and inspects the HTTP response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) returning an A–F grade. The SSL/TLS Certificate Checker opens a TLS handshake and reads the certificate expiry, chain, and cipher. The Email Spoofing Test queries DNS for your SPF, DKIM, and DMARC records and returns a plain SPOOFABLE / NOT SPOOFABLE verdict.

Are these tools destructive or intrusive?

No. All three tools are passive by design. The headers check makes a single HEAD or GET request (the same request any browser makes). The SSL check opens a TLS connection and reads the certificate without exchanging any application data. The email spoofing check queries public DNS — it does not contact your mail server. Nothing is written to your target, no payloads are sent, and there are no rate-limit concerns for normal use.

How do these free checks compare to a full pentes.io scan?

These tools check one thing at a time against a single domain or URL, with no account required. A full pentes.io scan runs nuclei vulnerability detection, testssl.sh TLS analysis, OWASP ZAP passive web scanning, and file-disclosure probes across your entire verified attack surface — with LLM triage, severity scoring, and a downloadable report. The free tools are a quick first look; a pentes.io scan is a comprehensive assessment. See how it works .

Free Security Tools — Headers, SSL, Email Spoofing Checker

pentes.io's free security tools give you an immediate, no-account check on the most commonly misconfigured parts of a domain. Each tool is passive — it reads public information the same way a browser or DNS resolver would. Nothing is written to your target.

Available tools

HTTP Security Headers Checker
Enter any URL to check which security headers it returns — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Returns an A–F grade with per-header detail. No signup, instant results.

Check your headers →
SSL/TLS Certificate Checker
Enter a hostname to inspect its TLS certificate — expiry date, days remaining, certificate authority, Subject Alternative Names, protocol version, and cipher suite. Grades A through F based on validity and expiry window.

Check your SSL certificate →
Email Spoofing Test
Enter a domain to check its SPF, DKIM, and DMARC records. Returns a plain SPOOFABLE / NOT SPOOFABLE verdict with the exact DNS TXT records to publish if your domain is exposed. Checks MTA-STS too.

Test email spoofing →

What passive scanning means

Every check on this page is passive — it reads information that is already publicly observable, the same way a browser, a DNS resolver, or an attacker in reconnaissance mode would. No payloads are sent, no authentication is tested, no state is changed on your server. This is the same principle that governs a full pentes.io scan: non-destructive by design, safe to run against production.

For a deeper assessment — nuclei templates, testssl.sh TLS analysis, OWASP ZAP passive scanning, exposed-file probes, and LLM triage across all findings — create a free account and run a full scan against a domain you have proven you own.

Available tools

What passive scanning means

Scan your asset — safe by design