A clear methodology page explaining how Swisspector Scanner performs safe website posture checks for HTTPS, security headers, cookies, public files, and exposure signals.
Swisspector Scanner is designed as a defensive website security scanner. The methodology focuses on passive and low-impact checks that help site owners understand public posture without aggressive probing, exploit payloads, or intrusive testing.
The scanner reviews visible configuration such as HTTPS, TLS status, browser security headers, cookie flags, robots.txt, sitemap.xml, security.txt, metadata, and obvious exposure indicators.
The public scanning model avoids destructive checks, bypass attempts, credential guessing, vulnerability exploitation, and high-volume crawling. Stronger checks should require ownership verification and explicit permission.
Findings are organized around severity, evidence, explanation, and next steps so business owners and technical teams can agree on what should be fixed first.
The scanner is intentionally practical. It prioritizes signals that are visible to users, browsers, search engines, and attackers, because those issues often affect trust before deeper penetration testing begins.
| Check area | Purpose | Example evidence |
|---|---|---|
| HTTPS and TLS | Confirm encrypted delivery and certificate health. | Protocol, redirect behavior, certificate validity, mixed content signals. |
| Security headers | Review browser-side protections. | HSTS, CSP, X-Frame-Options, Referrer-Policy, X-Content-Type-Options. |
| Cookies | Identify missing flags on sensitive cookies. | Secure, HttpOnly, SameSite, path, and domain attributes. |
| Public files | Understand crawler and disclosure posture. | robots.txt, sitemap.xml, security.txt, manifest files, and exposed metadata. |
| Information exposure | Flag obvious accidental leakage indicators. | Directory listing signs, debug wording, stack traces, backup-like paths, and unsafe public hints. |
Scanner output should be treated as a first-pass posture review. A clean public scan improves confidence, but it does not replace code review, authenticated testing, dependency review, cloud configuration review, or a formal penetration test when those are required.
Use the scanner before launch, after DNS or hosting changes, after security header updates, and as a recurring check for public-facing company and product sites.
Passive checks can identify posture issues, but they cannot prove that an application is free of business logic flaws, authorization weaknesses, or hidden vulnerabilities.