Skip to content
How it works

From URL to evidence-backed report

One security scan coordinates independent modules: base results appear first, deeper results follow, and each supported finding includes evidence and a fix path. Here is exactly what happens and why you can trust the result.

Three steps, about a minute

1. Paste a URL

No signup, no agent, no code changes. We scan your live site from the outside — exactly the way an attacker sees it.

2. Scanners stream results

7 fast base modules report first. 13 extended base modules cover bundle secrets, Supabase/Firebase, injection, XSS, subdomains, WAF, ports, privacy/legal signals, client-side threats, live CVEs and reputation. 3 verified-owner engines continue independently when eligible.

3. Get a graded report

One A++ to F score when enough surface can be assessed; otherwise it is marked provisional. Findings are ranked by severity, with evidence and a concrete fix whenever the scanner can support them.

Results stream progressively: the basic report is ready in seconds, deep results follow. Heavy engines (Nuclei, OWASP ZAP, our own Medusa code verifier) run hardened and are documented in the methodology.

Findings you can trust. Enforced by code, not by promise.

Most scanners inflate severity to look useful. We hard-coded the opposite.

No proof, no alarm

Any critical or high finding that lacks captured evidence is automatically downgraded to medium — and the downgrade is disclosed in the report. This rule is enforced in the scanner code, not in a policy document.

Honest scores

If we could not assess enough of your surface, the score is marked provisional instead of being quietly padded. Categories we could not check are listed as withheld, never silently dropped.

Standards, cited

Every finding links to the standard that defines it: OWASP, CWE, the relevant RFC, MDN. You can verify every claim we make.

Your data stays yours

Cookie values are not stored. Uploaded scan artifacts are reduced to SHA-256 hashes. Scans are bounded, rate-limited and configured for non-destructive checks; blocked or unavailable modules are reported.

An honest score, documented publicly

Your Security Score is a weighted aggregate across scanner categories, graded A++ (100) to F (below 40). Any confirmed critical finding caps the score at 30 — a site with perfect headers and an exposed database is not a B. AI-built apps also get a Boring Score, weighted for how vibe-coded apps actually fail: leaked keys first. Every weight, cap and rule is public in the docs.

From finding to fix, without leaving your tool

Every finding ships with step-by-step remediation and an AI fix prompt tailored to Cursor, Lovable, Bolt, Claude Code, Replit, v0 or Windsurf. Mechanical fixes come as deterministic autofix templates. And generated workspace rules (.cursorrules, AGENTS.md) teach your assistant to stop introducing the same class of bug. On paid plans, the MCP server runs the whole loop inside your editor.

Where BoringSec fits

vs free single-purpose checkers

SSL Labs grades TLS. securityheaders.com grades headers. Both are excellent — at one thing. BoringSec publishes 20 base URL modules plus 3 verified-owner background engines, including checks free tools cannot do: secrets in your shipped JavaScript, live Supabase/Firebase rule verification, subdomain takeover fingerprints, and client-side skimmer detection.

vs enterprise platforms

Wiz, Rapid7 and Qualys are built for security teams with budgets and onboarding calls. BoringSec is self-serve: results in about a minute, pricing a solo founder can expense without a procurement cycle, and fixes written for the person who will actually ship them.

What only BoringSec does

Built for AI-built apps: a Boring Score weighted for how vibe-coded apps actually fail, fix prompts for Cursor, Lovable, Bolt, Claude Code, Replit, v0 and Windsurf, generated workspace security rules, and an MCP server that puts the whole loop inside your editor.

Tool-by-tool details: all comparisons · why BoringSec · see a sample report

See it on your own site

The fastest way to understand how it works is to run it. Free, no account, about a minute.

Scan your site free