CheckIfSecure discovers all subdomains of a given domain, then checks each one for: dangling DNS records (subdomain takeover risk), leaked secrets and credentials in JavaScript and HTML (50+ types including AWS keys, Stripe keys, database URLs, private keys), vulnerable JavaScript libraries with known CVEs (via RetireJS), origin IP exposure behind CDN/WAF services like Cloudflare (CloakQuest3r-style check), and exposed Supabase JWT tokens with full database enumeration.
We use the DNSDumpster API to perform DNS reconnaissance and discover all publicly visible subdomains of your target domain. The root domain and any specific subdomain you pass are always scanned first, followed by all discovered subdomains.
When a subdomain has a CNAME record pointing to a cloud service (AWS S3, Heroku, GitHub Pages, Netlify, etc.) but the underlying resource has been deleted, an attacker can claim that resource and serve content on your subdomain. We check CNAME targets against 40+ known cloud services and verify if the resource still exists.
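The dangling-CNAME check described above, as an added Python example (not CheckIfSecure's own code). The service table, fingerprints, DNS answers and response bodies are all constructed for the example so it runs offline; the product's real 40+ entry list is not on the page, and the fingerprints should be verified against current provider responses before use.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative service table, constructed for this example. Each CNAME suffix
# maps to the service name and a response fingerprint commonly reported when
# the resource behind the name no longer exists.
SERVICES: Dict[str, Tuple[str, str]] = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".herokuapp.com": ("Heroku", "No such app"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".netlify.app": ("Netlify", "Not Found - Request ID"),
}

Resolver = Callable[[str], List[str]]  # raises socket.gaierror on NXDOMAIN
Fetcher = Callable[[str], str]         # returns the HTTP body served for a host


def matching_service(cname_target: str) -> Optional[Tuple[str, str]]:
    """Return (service, fingerprint) if the CNAME target is a known cloud host."""
    target = cname_target.rstrip(".").lower()
    for suffix, entry in SERVICES.items():
        if target.endswith(suffix):
            return entry
    return None


def classify_cname(subdomain: str, cname_target: str,
                   resolve: Resolver, fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Decide whether a CNAME is healthy, dangling, or not cloud-hosted at all."""
    match = matching_service(cname_target)
    if match is None:
        return {"subdomain": subdomain, "service": None, "status": "not_cloud", "reason": None}
    service, fingerprint = match
    try:
        resolve(cname_target)
    except socket.gaierror:
        # The provider hostname itself no longer exists: the record is dangling.
        return {"subdomain": subdomain, "service": service, "status": "dangling", "reason": "nxdomain"}
    # Some providers (S3, GitHub Pages) always resolve, so also look at what is served.
    if fingerprint in fetch(subdomain):
        return {"subdomain": subdomain, "service": service, "status": "dangling",
                "reason": "provider_not_found_page"}
    return {"subdomain": subdomain, "service": service, "status": "ok", "reason": None}


# Constructed sample data so the check runs offline.
CNAMES = {
    "blog.example.com": "example-blog.github.io",          # site removed, name still resolves
    "files.example.com": "example-files.s3.amazonaws.com",  # bucket still exists
    "app.example.com": "old-app.herokuapp.com",             # app name no longer resolves
    "www.example.com": "lb.example.net",                    # not a cloud service
}
NXDOMAIN = {"old-app.herokuapp.com"}
BODIES = {
    "blog.example.com": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "files.example.com": "<ListBucketResult><Name>example-files</Name></ListBucketResult>",
}


def fake_resolve(host: str) -> List[str]:
    if host in NXDOMAIN:
        raise socket.gaierror(f"{host}: Name or service not known")
    return ["192.0.2.1"]


def fake_fetch(host: str) -> str:
    return BODIES.get(host, "")


def scan(cnames: Dict[str, str], resolve: Resolver = fake_resolve,
         fetch: Fetcher = fake_fetch) -> Dict[str, Dict[str, Optional[str]]]:
    return {sub: classify_cname(sub, target, resolve, fetch) for sub, target in cnames.items()}


if __name__ == "__main__":
    for sub, result in scan(CNAMES).items():
        print(f"{sub:20} {result['status']:10} {result['service'] or '-':13} {result['reason'] or ''}")
```

For a live run, pass `socket.gethostbyname` (wrapped to return a list) as the resolver and a small `urllib.request` fetch as the fetcher; the classification logic is unchanged, and it only reads public DNS and HTTP responses.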
Our TruffleHog-style scanner checks for 50+ credential types: AWS access keys, Stripe secret keys, GitHub tokens, GitLab tokens, Slack tokens, database connection strings, private keys, OpenAI/Anthropic API keys, SendGrid keys, Twilio keys, Firebase keys, and many more. All values are redacted in results.
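A pattern-based secret scanner with redaction of the kind described above, as an added Python example (not CheckIfSecure's own rule set). It covers an illustrative subset of credential types; the regexes and the sample JavaScript bundle are assumptions constructed for the example, and the AWS key in the sample is the documented AWS example key, not a real credential.

```python
import re
from typing import Dict, List, Pattern

# Illustrative subset of credential patterns (assumed for this example).
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "postgres_url": re.compile(r"""postgres(?:ql)?://[^\s'"<>]+"""),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def find_secrets(text: str, source: str) -> List[Dict[str, object]]:
    """Scan one fetched JS/HTML document; values are redacted before they are returned."""
    findings: List[Dict[str, object]] = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"type": name, "source": source, "line": line,
                             "redacted": redact(m.group(0))})
    return findings


# Constructed sample bundle; the only "real" value is AWS's documented example key.
SAMPLE_JS = """\
// constructed bundle fragment for this example
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  stripe: "sk_live_abcdefghijklmnopqrstuvwx",
  publishable: "pk_live_abcdefghijklmnopqrstuvwx",
  db: "postgres://app:hunter2@db.internal.example:5432/prod",
  key: "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...",
};
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_JS, "app.js"):
        print(f"{f['source']}:{f['line']} {f['type']}: {f['redacted']}")
```

The publishable `pk_live_` key on line 6 is deliberately not matched: a scanner that reports public keys as leaks trains people to ignore its output. Redaction happens inside `find_secrets`, so nothing downstream (logs, reports, API responses) ever sees the full value.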
We fetch the official RetireJS vulnerability database from GitHub and check every JavaScript file loaded by each subdomain. Libraries are detected by filename, URL pattern, and file content signatures, then matched against known CVEs and vulnerability ranges.
Inspired by CloakQuest3r, this check detects whether a website is behind a CDN/WAF like Cloudflare, AWS CloudFront, Fastly, Akamai, or others. It then resolves the IP addresses of each subdomain and checks whether any resolve to non-CDN IPs, which could reveal the origin server's real IP address. If the root domain is behind Cloudflare but a subdomain like mail.example.com resolves to a direct IP, that IP is likely the origin server — a significant security finding.
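The CDN/origin-exposure comparison described above, as an added Python example (not CheckIfSecure's or CloakQuest3r's code). The two Cloudflare prefixes reflect Cloudflare's published IP list as known to the author of this example and the "ExampleCDN" range and all DNS answers are constructed; a real check should load each provider's current published list rather than hard-coding it.

```python
import ipaddress
from typing import Dict, List, Optional

# CDN address ranges. Cloudflare entries are from its published list as known
# to the author of this example; ExampleCDN is constructed. Load live lists in practice.
CDN_PREFIXES: Dict[str, List[str]] = {
    "Cloudflare": ["104.16.0.0/13", "172.64.0.0/13"],
    "ExampleCDN": ["198.51.100.0/24"],
}
NETWORKS = [(name, ipaddress.ip_network(prefix))
            for name, prefixes in CDN_PREFIXES.items() for prefix in prefixes]


def cdn_for(ip: str) -> Optional[str]:
    """Name of the CDN whose published range contains this address, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS:
        if addr in net:
            return name
    return None


def find_origin_exposure(root: str, records: Dict[str, List[str]]) -> dict:
    """records maps each hostname to its resolved A/AAAA addresses.

    If the root domain sits behind a CDN, every subdomain address outside any
    known CDN range is reported: it may be the origin that the CDN is meant to hide.
    """
    root_cdn = next((c for c in (cdn_for(ip) for ip in records.get(root, [])) if c), None)
    if root_cdn is None:
        # Root is served directly; no CDN is hiding an origin, so nothing to compare.
        return {"root_cdn": None, "exposed": []}
    exposed = [{"host": host, "ip": ip}
               for host, ips in records.items() if host != root
               for ip in ips if cdn_for(ip) is None]
    return {"root_cdn": root_cdn, "exposed": exposed}


# Constructed DNS answers (documentation ranges) so the check runs offline.
RECORDS = {
    "example.com": ["104.16.1.1", "104.16.2.2"],
    "www.example.com": ["172.64.5.5"],
    "mail.example.com": ["203.0.113.25"],   # direct IP: likely the origin
    "dev.example.com": ["198.51.100.7"],    # behind a different CDN, still fine
}

if __name__ == "__main__":
    report = find_origin_exposure("example.com", RECORDS)
    print(f"root CDN: {report['root_cdn']}")
    for item in report["exposed"]:
        print(f"possible origin exposure: {item['host']} -> {item['ip']}")
```

For a live run, populate `records` with `socket.getaddrinfo` answers for the root and each discovered subdomain; the comparison is purely passive. Note that a subdomain on a second CDN is not flagged, which is why the ranges of every provider you use must be loaded, not just the one in front of the root.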
Yes. The web scanner and API are free to use. There are no rate limits currently enforced, but please be responsible with scanning frequency.
Yes. The easiest way is a GET request to /scan/url/https://target.com. You can also POST to /scan with a JSON body, or use the query parameter /scan?url=https://target.com. See the interactive API docs or llms.txt for details.
No. CheckIfSecure only performs passive checks — it reads publicly accessible DNS records, fetches publicly served JavaScript and HTML, and analyses content. It never attempts to claim resources, modify DNS, or exploit any vulnerability.