
How to check if a website is secure?

QUICK ANSWER

You can check whether a website is secure by verifying its TLS certificate (the padlock, still commonly called an SSL certificate), testing for HTTP security headers, scanning for open ports, checking that tracking cookies wait for consent, and validating the domain's email authentication records (SPF, DKIM and DMARC). Tools like PulseShield automate all of these checks and deliver a full report in minutes.

The quick manual checks anyone can do

Before diving into automated tools, there are a few things you can check right now in your browser:

  • Look for the padlock — Click the padlock icon next to the URL in your browser's address bar. It should show that the connection is secure and the certificate is valid. If there is no padlock, or the browser shows a warning, the site isn't serving HTTPS properly. Note that the padlock only proves the connection to that domain is encrypted; phishing sites obtain valid certificates too, so a padlock is not proof that the site itself is trustworthy.
  • Check the URL starts with https:// — The "s" stands for secure. If a site loads over http:// (without the s), everything sent to and from it travels in plain text that anyone on the network path, from shared Wi-Fi to the ISP, can read or alter, and modern browsers mark the page "Not secure".
  • Try loading with and without www — Type the address as http://yourdomain and http://www.yourdomain. Both should redirect to one canonical HTTPS address. If one variant doesn't redirect, or loads over plain HTTP, you have a configuration gap that leaves some visitors unprotected.

These basic checks tell you whether TLS is working, but they only scratch the surface. TLS on its own only encrypts data in transit; it does nothing about an exposed database port, a missing security header or a vulnerable application behind the padlock. A properly secured site needs much more.

What automated scanning checks

An automated security scan goes far beyond what you can see in a browser. Here's what it tests:

SSL certificate health

The scanner doesn't just check whether a certificate is present. It verifies that the chain is complete (a missing intermediate certificate works in some browsers and fails in others), that the certificate hasn't expired and isn't about to, that it covers every hostname the site is served on (with and without www), and that the server refuses outdated protocol versions such as TLS 1.0 and 1.1. It also catches related configuration errors like mixed content (loading some scripts or images over HTTP on an HTTPS page), which browsers block or flag as insecure.
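The checks above, as an added example that is not PulseShield's code or taken from the original page. The certificate dictionary is constructed sample data in the shape Python's ssl module returns from getpeercert(); evaluate_cert works offline on it, while fetch_cert and accepts_legacy_tls are live probes that need network access and are included to show how the same checks run against a real host. The 14-day expiry warning threshold and the SECLEVEL workaround are assumptions, not anything the page specifies.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# example data for this page, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def hostname_covered(cert, hostname):
    """True if hostname matches a DNS entry in the certificate's SAN list.
    A wildcard matches exactly one label (RFC 6125), so *.example.com covers
    www.example.com but not example.com or a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def evaluate_cert(cert, hostname, now=None, warn_days=14):
    """Return a list of findings about a parsed certificate (empty = healthy).
    warn_days is an assumed threshold for 'about to expire'."""
    findings = []
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        findings.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        findings.append(f"certificate expires in under {warn_days} days")
    if not hostname_covered(cert, hostname):
        findings.append(f"certificate does not cover {hostname}")
    return findings


def fetch_cert(hostname, port=443, timeout=5):
    """Live check (needs network). Returns (cert_dict, None) on success or
    (None, error_message) when the handshake fails. A verification failure here
    usually means an incomplete chain or an untrusted issuer."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return None, f"connection failed: {exc}"


def accepts_legacy_tls(hostname, port=443, timeout=5):
    """Live check (needs network). True if the server completes a TLS 1.0/1.1
    handshake, which a well-configured server should refuse. Returns None when
    the local OpenSSL build cannot speak those versions at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the offered version matters here
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        # Assumption: OpenSSL 3 builds refuse legacy versions at the default
        # security level, so lower it for this probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except ssl.SSLError:
        return False
```

To check a live host, call fetch_cert("www.example.com") and pass the returned dictionary to evaluate_cert with the same hostname; run it once more for the bare domain to catch certificates that cover only one of the two.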

HTTP security headers

Security headers are instructions your server sends to browsers telling them how to behave. A scanner checks for six key headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Most websites are missing at least three of these. Presence alone isn't enough: an HSTS header with a max-age of a few minutes, or a CSP that permits 'unsafe-inline' scripts, gives little of the protection the header is meant to provide, so a good scanner grades the values as well as checking they exist. Learn more in our guide to what HTTP security headers are.
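A header audit of the kind described above, as an added example that is not PulseShield's code or from the original page. The response head is constructed sample data; the severities follow the grading used later on this page, and the value thresholds (one-year HSTS max-age, 'unsafe-inline' in script-src, a clickjacking check satisfied by either X-Frame-Options or CSP frame-ancestors) are the author's assumptions about what counts as a weak value, not a published standard. fetch_headers is a live helper that needs network access.

```python
import re
import urllib.request

# Constructed sample response (example data, not a real site's headers).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_raw_headers(raw):
    """Turn a raw HTTP response head into a {lower-case-name: value} dict (last value wins)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return (severity, message) findings for the six headers a scanner checks."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "missing Strict-Transport-Security"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS does not include subdomains"))

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append(("medium", "missing Content-Security-Policy"))
    else:
        # script-src falls back to default-src when absent, as browsers do
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append(("medium", "CSP allows inline scripts ('unsafe-inline')"))
        if "*" in scripts or not scripts:
            findings.append(("medium", "CSP does not restrict script sources"))

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors is sufficient.
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or frame-ancestors)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not 'nosniff'"))
    if "referrer-policy" not in h:
        findings.append(("low", "missing Referrer-Policy"))
    if "permissions-policy" not in h:
        findings.append(("low", "missing Permissions-Policy"))
    return findings


def fetch_headers(url, timeout=10):
    """Live check (needs network): GET the URL and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}
```

Against the sample response the audit reports five findings even though four of the six headers are present, which is the point: a short HSTS lifetime and an inline-script allowance are graded as weaknesses, not as passes. For a live site, pass the result of fetch_headers("https://www.example.com/") to audit_headers.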

Open ports

Your server runs services on numbered ports: 443 for HTTPS and 80 for HTTP. But other ports may also be open, exposing databases (MySQL on 3306, PostgreSQL on 5432), alternative web servers and admin panels (8080), plaintext file transfer (FTP on 21), or remote administration (SSH on 22). A port scan reveals what is reachable from the internet. Anything that doesn't need to be publicly accessible should be closed or firewalled; services that do need to stay open, such as SSH, should be restricted to known IP addresses and use key-based authentication. Only scan servers you own or are explicitly authorised to test.
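A minimal TCP connect scanner with the reporting step, as an added example that is not PulseShield's code or from the original page. The service hints and the assumption that only 80 and 443 are expected on a public web server are the author's, not the page's. demo_local_scan runs entirely on the loopback interface so the example can be executed without touching any host you are not authorised to scan.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed hints for what an open port usually exposes; example data for this page.
SERVICE_HINTS = {
    21: "FTP (plaintext file transfer)",
    22: "SSH (remote administration)",
    25: "SMTP",
    80: "HTTP",
    443: "HTTPS",
    3306: "MySQL",
    3389: "RDP (remote desktop)",
    5432: "PostgreSQL",
    6379: "Redis (no authentication by default)",
    8080: "alternative HTTP / admin panel",
}
# Assumption: a public web server is expected to expose only these; anything else needs a reason.
EXPECTED_PUBLIC = {80, 443}


def port_open(host, port, timeout=1.0):
    """TCP connect probe: True if the handshake completes, False if refused or timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan(host, ports, timeout=1.0, workers=32):
    """Probe the given ports concurrently and return the sorted list that are open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def review(open_ports):
    """Turn open ports into (port, hint, verdict) rows as a report would show them."""
    rows = []
    for port in open_ports:
        hint = SERVICE_HINTS.get(port, "unknown service")
        verdict = "expected" if port in EXPECTED_PUBLIC else "review: close or firewall"
        rows.append((port, hint, verdict))
    return rows


def demo_local_scan():
    """Offline demonstration: open a listener on a random loopback port, pick a second
    port that is known to be closed, and confirm the scanner tells them apart."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released, so a connect to it is refused
    try:
        found = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "found": found}


if __name__ == "__main__":
    result = demo_local_scan()
    for row in review(result["found"]):
        print(row)
```

For a real host you own, scan(host, range(1, 1025)) covers the well-known ports; a connect scan is noisy and slow compared with a purpose-built tool, but it needs no privileges and its result is unambiguous: a completed handshake means the service is reachable from wherever you ran it.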

Cookie compliance

Under UK PECR and GDPR, non-essential cookies (analytics, tracking, advertising) must not be set until the visitor has given informed consent. A scanner loads your site in a clean browser session and records every cookie that appears before the consent banner is clicked; any analytics or advertising cookie in that list is a failure. Many websites fail this check because a tag manager or embedded third-party script fires before consent is recorded, or because the consent banner itself loads after the trackers have already run.

Email authentication (SPF, DKIM, DMARC)

These DNS records let receiving mail servers verify that email claiming to come from your domain really did: SPF lists the servers allowed to send for the domain, DKIM adds a cryptographic signature to each message, and DMARC tells receivers what to do when a message fails both checks and where to send reports. Without them, scammers can send phishing emails that appear to come from your business. A scanner checks whether these records exist, are correctly formatted, and use recommended settings. For example, a DMARC policy of "p=none" provides no actual protection, it only monitors, yet many businesses stop there. p=none is the right place to start while you review the reports, but the goal is to move to p=quarantine and then p=reject once every legitimate sending source is covered by SPF or DKIM.
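The record checks described above, as an added example that is not PulseShield's code or from the original page. The three TXT records are constructed sample data; the DNS lookups themselves are left out so the block runs offline (dig +short TXT _dmarc.yourdomain, or a resolver library, supplies the real strings). The 10-lookup limit comes from RFC 7208; the wording of the findings and the decision to flag ~all and pct<100 are the author's assumptions about what a scanner should report.

```python
import re

# Constructed sample records (example data, not any real domain's DNS).
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"

# Terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)(:|/|$))", re.I)


def evaluate_spf(record):
    """Findings for an SPF TXT record; pass None when no record is published."""
    if record is None:
        return ["no SPF record: any server can claim to send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' term: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends with +all: anyone may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends with ?all (neutral): no protection")
        elif qualifier == "~":
            findings.append("SPF ends with ~all (softfail); use -all once all senders are listed")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; more than 10 causes a permanent error")
    return findings


def parse_tags(record):
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain>; None means none published."""
    if record is None:
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag (p=) is missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def evaluate_dkim(record):
    """Findings for the TXT record at <selector>._domainkey.<domain>. The selector
    comes from the s= tag of a real message's DKIM-Signature header, which is why
    a scanner needs a sample message (or a guess at common selectors) to find it."""
    if record is None:
        return ["no DKIM record at this selector"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM record has an unexpected v= tag"]
    if not tags.get("p"):
        return ["DKIM key is revoked (empty p=)"]
    return []
```

On the sample records the SPF result is a single softfail note and the DMARC result is the p=none finding the paragraph warns about; a record such as "v=DMARC1; p=reject; rua=mailto:..." comes back clean. The lookup counter matters in practice because a domain that accumulates include: entries for every SaaS provider silently breaks SPF once it passes ten.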

How to interpret your results

Once you've run a scan, you'll typically see findings ranked by severity:

  • Critical — Issues that could lead to an immediate breach, such as exposed admin panels or known vulnerabilities in your software version.
  • High — Significant weaknesses like missing HSTS or expired SSL certificates.
  • Medium — Important but less urgent issues, like missing Content-Security-Policy headers.
  • Low — Minor improvements such as missing Referrer-Policy or informational findings.

Don't ignore medium and low findings. They're graded lower because they're harder to exploit, not because they don't matter. A determined attacker can chain several medium issues together to gain access.

Manual testing vs automated scanning

Manual penetration testing by a qualified security professional is more thorough than any automated scan. A human can find logic flaws, business process vulnerabilities, and complex attack chains that scanners miss. However, manual testing typically costs thousands of pounds and takes days or weeks.

Automated scanning catches the most common and most exploited issues for a fraction of the cost and time. For most small businesses, it's the most practical starting point. You can always commission a manual pen test later if your scan results show concerns that need deeper investigation.

To understand what a scanner actually looks for under the hood, see our guide on what website security scanning is. For a deeper dive into the individual checks, read about HTTP security headers explained.

Check your website security now

Free scan with instant results and full PDF report.

Free Security Scan

View monitoring plans from £29/mo →