What Does a Website Security Scan Actually Check?
Security scans produce lists of findings, grades, and scores — but what do they actually check, and why does each check matter? This guide walks through every category a web security scanner examines: SSL/TLS, security headers, HTTPS enforcement, and certificate validity. No jargon, just practical explanations.
SSL/TLS Configuration
SSL (now properly called TLS) is the encryption layer that makes HTTPS work. A scanner checks not just whether HTTPS is enabled, but whether it's configured securely.
Protocol version
TLS comes in versions: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (2018). Older versions have known vulnerabilities (POODLE, BEAST, DROWN). A properly configured server should only accept TLS 1.2 and TLS 1.3.
```bash
# Check which TLS versions a server accepts
openssl s_client -connect yoursite.nl:443 -tls1      # should fail on secure servers
openssl s_client -connect yoursite.nl:443 -tls1_2    # should succeed
openssl s_client -connect yoursite.nl:443 -tls1_3    # should succeed
# Caveat: recent OpenSSL builds refuse TLS 1.0/1.1 on the client side by default,
# so a failed -tls1 handshake is not by itself proof that the server rejects it
```
Cipher suites
Even with TLS 1.2, weak cipher suites can make the encryption breakable. Scanners flag ciphers using RC4 (broken), DES/3DES (deprecated), or export-grade encryption (deliberately weakened for 1990s US export laws, now exploitable via FREAK and LOGJAM attacks).
Certificate validity
A scanner checks:
- Expiry date — certificates expire. Many outages and security incidents happen because an expired certificate wasn't noticed. Scanners warn you 30–60 days before expiry.
- Certificate authority trust — is the cert issued by a trusted CA, or self-signed?
- Domain match — does the certificate cover the domain you're visiting? A certificate for `www.example.nl` doesn't cover `shop.example.nl` unless it's a wildcard or multi-domain cert.
- Chain completeness — the certificate chain must include intermediate certificates. A missing intermediate causes browser warnings even if the cert itself is valid.
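The domain-match and expiry checks above, written out as an added example (not part of the original guide or of any scanner's code). The certificate facts are constructed inline; a real scanner would extract them from the leaf certificate. The wildcard rule implemented is the one browsers apply: `*` covers exactly one leftmost label, so `*.shop.example.nl` covers `api.shop.example.nl` but not `shop.example.nl` or `a.b.shop.example.nl`.

```python
from datetime import datetime, timedelta, timezone

# Constructed certificate facts (what a scanner pulls out of the leaf cert);
# no real certificate is parsed here.
CERT = {
    "subject_alt_names": ["www.example.nl", "example.nl", "*.shop.example.nl"],
    "not_after": datetime(2025, 3, 1, tzinfo=timezone.utc),
}

def name_matches(pattern, host):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # "*.shop.example.nl" -> ".shop.example.nl"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]         # the part the wildcard has to stand in for
    return bool(label) and "." not in label

def covers_host(cert, host):
    """Does any SAN entry on the certificate cover this hostname?"""
    return any(name_matches(n, host) for n in cert["subject_alt_names"])

def expiry_finding(cert, now, warn_days=30):
    """Classify expiry the way a scanner does: expired / expiring soon / ok."""
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        return "critical", "certificate expired"
    if remaining <= timedelta(days=warn_days):
        return "warning", f"certificate expires in {remaining.days} days"
    return "ok", f"certificate valid for {remaining.days} more days"
```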
Security Headers
HTTP response headers are instructions your server sends to browsers. Security headers tell browsers how to behave when displaying your site — they're a layer of protection against cross-site scripting (XSS), clickjacking, and data injection attacks.
They're delivered in the HTTP response and take about five minutes to add to your web server config. Yet most websites are missing several of them.
| Header | What it does | Why it matters |
|---|---|---|
| Strict-Transport-Security | Forces browser to always use HTTPS for this domain | Prevents SSL stripping attacks — an attacker intercepting your traffic can't downgrade you to HTTP |
| Content-Security-Policy | Whitelists which scripts, styles, and resources are allowed to load | Prevents XSS — even if an attacker injects malicious script, CSP blocks it from executing |
| X-Frame-Options | Prevents your site being embedded in an iframe | Blocks clickjacking — attacker embeds your login page invisibly over their page to steal credentials |
| X-Content-Type-Options | Tells browser not to guess the MIME type of a response | Prevents MIME sniffing attacks where a browser misinterprets a file as executable |
| Referrer-Policy | Controls what URL is sent in the Referer header | Prevents leaking sensitive URL parameters (tokens, user IDs) to third-party sites |
| Permissions-Policy | Controls browser API access (camera, microphone, geolocation) | Limits the blast radius if your site is compromised — malicious code can't silently access hardware |
How to add security headers
For nginx:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
```
For Apache:
```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```
CSP is the hard one. A Content Security Policy needs to be tuned to your site — too restrictive and it breaks your own scripts. Start with a report-only policy (Content-Security-Policy-Report-Only), collect violations for a week, then tighten it.
HTTPS Enforcement
Having HTTPS available isn't enough — your server needs to actively redirect HTTP to HTTPS. A scanner checks:
- HTTP → HTTPS redirect — does `http://yoursite.nl` redirect to `https://yoursite.nl`?
- Redirect chain length — more than one redirect slows page load and can create security gaps
- HSTS preloading — beyond the header, you can submit your domain to the browser HSTS preload list so browsers never attempt HTTP at all
- Mixed content — does your HTTPS page load any resources (images, scripts, fonts) over HTTP? Mixed content downgrades your security and triggers browser warnings
```bash
# Test HTTP redirect manually
curl -I http://yoursite.nl
# Should return:
# HTTP/1.1 301 Moved Permanently
# Location: https://yoursite.nl/
```
Information Disclosure
Scanners also look for things your server accidentally reveals that it shouldn't:
- Server header — `Server: Apache/2.4.41 (Ubuntu)` tells attackers exactly what to Google for CVEs
- X-Powered-By header — `X-Powered-By: PHP/7.4.3` reveals your runtime and version
- Directory listing — if your web server shows a list of files in directories without an index page, that's information disclosure
- Error page detail — stack traces and database errors in production expose internal architecture
```nginx
# Suppress server version in nginx
server_tokens off;
```

```apache
# Suppress in Apache
ServerTokens Prod
ServerSignature Off
```
How scores are calculated
Most security scanners (including masoSec) assign a numeric score based on the findings. Critical issues (missing HSTS, expired certificate, TLS 1.0 enabled) have high point impact. Medium issues (missing X-Frame-Options, server version disclosure) reduce the score less. Informational findings don't affect the score at all.
A score of 90+ means your site is well-configured with no significant issues. 70–89 means there are improvements to make but no critical exposure. Below 70 means you have findings an attacker would likely exploit.
A high score doesn't mean you're unhackable. Security scanners check configuration — they don't test your application logic, SQL injection, authentication, or business logic flaws. A 95 score means your infrastructure is configured correctly. Your application code is a separate concern.
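To make the header table and the scoring model above concrete, here is an added example (not masoSec's code and not from the original guide) of a minimal header check with critical/medium/informational weights. The two header sets are constructed, not captured from real sites, and the point values are illustrative; a real scanner has its own weights.

```python
import re

# Constructed sample response headers (names lower-cased), as a scanner would
# see them after fetching https://yoursite.nl/ - not captured from a real site.
GOOD_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "content-security-policy-report-only": "default-src 'self'",  # not enforced yet
    "x-frame-options": "ALLOWALL",
    "server": "Apache/2.4.41 (Ubuntu)",
    "x-powered-by": "PHP/7.4.3",
}

# Illustrative point deductions: critical, medium, informational (no effect on score).
CRITICAL, MEDIUM, INFO = 25, 10, 0

def hsts_ok(value):
    """HSTS only counts if max-age is present and at least ~6 months (15552000 s)."""
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    return bool(m) and int(m.group(1)) >= 15552000

def check_headers(h):
    """Return (score, findings) for one set of response headers."""
    findings = []
    def flag(cond, severity, msg):
        if cond:
            findings.append((severity, msg))
    flag(not hsts_ok(h.get("strict-transport-security")), CRITICAL,
         "Strict-Transport-Security missing or max-age too short")
    # A report-only CSP is the right starting point, but it blocks nothing yet.
    flag("content-security-policy" not in h, MEDIUM, "Content-Security-Policy not enforced")
    flag(h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"), MEDIUM,
         "X-Frame-Options missing or permissive")
    flag(h.get("x-content-type-options", "").lower() != "nosniff", MEDIUM,
         "X-Content-Type-Options: nosniff missing")
    flag("referrer-policy" not in h, MEDIUM, "Referrer-Policy missing")
    flag("permissions-policy" not in h, MEDIUM, "Permissions-Policy missing")
    flag("server" in h and re.search(r"\d", h["server"]), MEDIUM,
         "Server header discloses version")
    flag("x-powered-by" in h, INFO, "X-Powered-By present")
    score = max(0, 100 - sum(sev for sev, _ in findings))
    return score, findings
```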
Check your site right now
Use masoSec's free scanner to check your domain's SSL configuration, security headers, and HTTPS enforcement. No account needed.