
What is website security scanning?

QUICK ANSWER

Website security scanning is an automated process that checks your website for vulnerabilities, misconfigurations, and compliance issues. It tests for missing security headers, SSL problems, open ports, cookie consent violations, and common attack vectors like SQL injection and XSS.

What does a security scanner actually check?

Think of a website security scanner like an MOT for your website. Just as a mechanic systematically checks your car's brakes, tyres, lights, and emissions, a security scanner systematically probes your website for known weaknesses. The goal is to find problems before criminals do.

A thorough scan typically covers these areas:

  • HTTP security headers — Checks for missing or misconfigured headers like HSTS, Content-Security-Policy, and X-Frame-Options that tell browsers how to handle your site safely. Missing headers are one of the most common findings.
  • SSL/TLS certificates — Verifies your certificate is valid, not expired, issued by a trusted authority, and using modern encryption protocols. A faulty certificate means browsers will warn visitors away.
  • Open ports — Scans for services running on your server that shouldn't be exposed to the internet, such as database ports, admin panels, or file transfer services.
  • Cookie compliance — Detects tracking cookies being set before a visitor has given consent. Obtaining consent first is a PECR requirement in the UK that many businesses miss.
  • Email authentication — Checks SPF, DKIM, and DMARC records that prevent scammers from sending emails that look like they come from your domain.
  • Known vulnerabilities — Tests for common attack vectors like SQL injection, cross-site scripting (XSS), and directory traversal that could let attackers access your data.

How does automated scanning work?

Security scanners work by sending carefully crafted requests to your website and analysing the responses. They don't try to break in — they look for the digital equivalent of unlocked doors and open windows. The process takes minutes rather than the days a manual penetration test would require.

Most scanners operate in three phases:

  1. Discovery — The scanner identifies what technology your site runs, what services are available, and how it's configured.
  2. Testing — Each area is tested against a database of known issues. For example, it will check every expected security header and flag any that are missing.
  3. Reporting — Findings are compiled into a prioritised report showing what's wrong, how serious each issue is, and what to do about it.
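
The testing and reporting phases applied to the security-header check, as an added example rather than code from any particular scanner. The severity assignments, the 180-day HSTS threshold, and the names `check_headers` and `build_report` are assumptions; the sample headers are constructed.

```python
import re

# Severity labels as used in a typical report; the ordering drives the sort.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def check_headers(raw_headers, is_https=True):
    """Testing phase: evaluate response headers and return a list of findings."""
    # Header names are case-insensitive, so normalise them before lookup.
    h = {k.strip().lower(): v.strip() for k, v in raw_headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if is_https and hsts is None:
        findings.append(("high", "HSTS", "Strict-Transport-Security header is missing"))
    elif hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < 15552000:  # assumed threshold: 180 days in seconds
            findings.append(("low", "HSTS", f"max-age={max_age} is under 180 days"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "CSP", "Content-Security-Policy header is missing"))
    # Framing protection comes from X-Frame-Options or the CSP frame-ancestors
    # directive. ALLOW-FROM is obsolete and ignored by modern browsers.
    xfo = h.get("x-frame-options", "").upper()
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append(("medium", "Framing", "no valid X-Frame-Options or CSP frame-ancestors"))
    return findings

def build_report(findings):
    """Reporting phase: order findings so the most severe come first."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

if __name__ == "__main__":
    for severity, area, detail in build_report(check_headers(SAMPLE)):
        print(f"[{severity}] {area}: {detail}")
```

A header that is present but ineffective (a one-hour HSTS lifetime, an obsolete `ALLOW-FROM` value) is reported as a finding too, which a presence-only check would miss.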

This is fundamentally different from manual penetration testing, where a human security professional actively looks for complex vulnerabilities that chain together. Automated scanning catches the basics — and the basics account for the vast majority of real-world breaches.

Why small businesses need security scanning

There's a common misconception that hackers only target large corporations. In reality, the National Cyber Security Centre (NCSC) reports that nearly half of all UK businesses experienced a cyber attack in the past year. Small businesses are attractive targets precisely because they tend to have weaker security.

Most attacks against small websites are automated. Bots continuously scan the internet looking for sites with missing headers, expired certificates, or known vulnerabilities. If your site has these issues, you will be found — it's not a question of if, but when.

A security scan gives you a clear picture of where you stand. Most small business websites have between 5 and 15 identifiable issues, and the majority take under an hour to fix once you know about them.

What does a typical security report include?

A good security report should be written in plain language, not technical jargon. It should tell you:

  • What issues were found, ranked by severity (critical, high, medium, low)
  • What each issue means in practical terms — what could happen if it's not fixed
  • Specific steps to remediate each finding
  • An overall security score or grade

If you've never had your website scanned before, the results can be eye-opening. Most business owners are surprised to learn their site is missing basic protections like HSTS or that their SSL certificate has a configuration error. The good news is that once you know, fixing these issues is usually straightforward.

Ready to see where your website stands? Learn how to check your website security or find out what a website security check actually looks for in our detailed guides.
