URL Scanner

Comprehensive security, performance, and compliance analysis for any public URL.

  • url-scanner
  • security-headers
  • tls
  • lighthouse
  • llm

The Sentinelayer URL Scanner performs deep analysis of any public URL across security, performance, and compliance dimensions. Results feed directly into Prompt Builder for automated remediation specs.

How it works

  1. Submit any public URL at [/scan](/scan) or via the Prompt Builder
  2. The scanner runs 10+ deterministic check categories in parallel
  3. An LLM synthesizes findings into a prioritized narrative
  4. Results are available as structured JSON, markdown artifact, and in-app UI

Check Categories

Security Headers (15+ checks)

Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, X-XSS-Protection (deprecated check), Cache-Control, X-Permitted-Cross-Domain-Policies, Content-Security-Policy-Report-Only, and more.
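As an added illustration of what a header evaluation of this kind does (example code written for this page, not Sentinelayer's own scanner), the function below takes a captured response-header map and returns findings graded with the severity scale the page uses: a missing HSTS or CSP is High, a missing Referrer-Policy or similar is Medium, a deprecated `X-XSS-Protection` is Low. It also applies the hstspreload.org eligibility rules (`max-age` of at least one year, `includeSubDomains`, `preload`). The sample header sets are constructed; the exact severity mapping per header is this example's choice.

```python
"""Evaluate HTTP response headers for the hardening checks listed above.

Added example; the header sets below are constructed, and the per-header
severity assignments are this example's own reading of the page's scale.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (lower-cased header name, severity when the header is absent)
REQUIRED_HEADERS = [
    ("strict-transport-security", "High"),
    ("content-security-policy", "High"),
    ("x-frame-options", "Medium"),
    ("x-content-type-options", "Medium"),
    ("referrer-policy", "Medium"),
    ("permissions-policy", "Medium"),
    ("cross-origin-opener-policy", "Medium"),
    ("cross-origin-embedder-policy", "Low"),
    ("cross-origin-resource-policy", "Low"),
]

ONE_YEAR = 31536000  # seconds; minimum max-age for HSTS preload


@dataclass(frozen=True)
class Finding:
    header: str
    severity: str
    message: str


def normalize(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def hsts_preload_eligible(value: str) -> bool:
    """hstspreload.org rules: max-age >= 1 year, includeSubDomains and preload present."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives


def evaluate_security_headers(headers: dict) -> list[Finding]:
    h = normalize(headers)
    findings: list[Finding] = []
    for name, severity in REQUIRED_HEADERS:
        if name not in h:
            findings.append(Finding(name, severity, "header missing"))
    hsts = h.get("strict-transport-security")
    if hsts is not None and not hsts_preload_eligible(hsts):
        findings.append(Finding("strict-transport-security", "Low",
                                "not preload eligible (needs max-age>=31536000; includeSubDomains; preload)"))
    if "x-xss-protection" in h:
        findings.append(Finding("x-xss-protection", "Low", "deprecated header; rely on CSP instead"))
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(Finding("x-content-type-options", "Medium", "value should be 'nosniff'"))
    csp = h.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp.lower():
        findings.append(Finding("content-security-policy", "Medium", "'unsafe-inline' weakens CSP"))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
}
SAMPLE_STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    for f in evaluate_security_headers(SAMPLE_WEAK):
        print(f"[{f.severity}] {f.header}: {f.message}")
```

The weak sample yields ten findings (eight missing headers, a short-lived HSTS policy and the deprecated header); the strong sample yields none.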

TLS / Certificate

Certificate validity, expiration window, protocol version (TLS 1.2+), cipher strength, certificate chain completeness, and HSTS preload eligibility.

Cookie Security

HttpOnly, Secure, SameSite attributes, `__Host-` / `__Secure-` prefix compliance, expiration policy, and third-party cookie exposure.
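To show what the attribute and prefix checks above amount to, here is an added example (written for this page, not Sentinelayer's code) that parses a `Set-Cookie` header and reports each violated rule. The prefix rules come from the cookie-prefixes specification: a `__Secure-` cookie must carry `Secure`, and a `__Host-` cookie must carry `Secure`, have `Path=/` and no `Domain` attribute. The 400-day `Max-Age` ceiling is the lifetime cap current browsers apply and is used here as the "expiration policy" threshold; the sample headers are constructed.

```python
"""Check a Set-Cookie header against the attribute and prefix rules above.

Added example; sample cookies are constructed, and the 400-day Max-Age
threshold is the browser lifetime cap chosen here as the expiration policy.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_COOKIE_LIFETIME = 400 * 86400  # seconds


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value ('' for flag attributes)


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def cookie_findings(header: str) -> list[str]:
    c = parse_set_cookie(header)
    a = c.attrs
    out: list[str] = []
    if "secure" not in a:
        out.append("missing Secure")
    if "httponly" not in a:
        out.append("missing HttpOnly")
    samesite = a.get("samesite", "").lower()
    if not samesite:
        out.append("missing SameSite")
    elif samesite == "none" and "secure" not in a:
        out.append("SameSite=None requires Secure")
    max_age = a.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > MAX_COOKIE_LIFETIME:
        out.append("Max-Age exceeds 400 days (browser cap)")
    # Prefix rules: __Host- implies __Secure- plus host-only scoping.
    if c.name.startswith("__Host-"):
        if "secure" not in a:
            out.append("__Host- prefix requires Secure")
        if a.get("path") != "/":
            out.append("__Host- prefix requires Path=/")
        if "domain" in a:
            out.append("__Host- prefix forbids Domain")
    elif c.name.startswith("__Secure-") and "secure" not in a:
        out.append("__Secure- prefix requires Secure")
    return out


# Constructed examples, not real cookies.
GOOD = "__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD = "sid=123; Path=/; Domain=example.com"
BAD_HOST_PREFIX = "__Host-id=1; Secure; HttpOnly; SameSite=Strict; Domain=example.com"
LONG_LIVED = "__Secure-t=1; Secure; HttpOnly; SameSite=Lax; Max-Age=99999999"

if __name__ == "__main__":
    for hdr in (GOOD, BAD, BAD_HOST_PREFIX, LONG_LIVED):
        print(hdr.split(";")[0], "->", cookie_findings(hdr) or "ok")
```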

Secrets & Credential Exposure

Scans page source and linked resources for API keys, tokens, private keys, AWS credentials, database connection strings, and other sensitive patterns.
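The kind of pattern matching this check performs can be shown with a small secret scanner, added here as an example (not Sentinelayer's own detection rules). It runs well-known credential formats over page source line by line and reports redacted matches, so the report itself does not re-expose the value: AWS access key IDs (`AKIA` plus 16 characters), GitHub personal access tokens (`ghp_` prefix), PEM private-key headers, database URLs with embedded `user:pass@`, and a generic `api_key = "..."` assignment. The sample source is constructed and uses AWS's documented example key ID.

```python
"""Line-oriented secret scanner for page source (added example, not the product's rules).

The sample source is constructed; AKIAIOSFODNN7EXAMPLE is AWS's published
example access key ID, not a live credential.
"""
from __future__ import annotations

import re

# Well-known credential formats. Patterns are deliberately conservative to limit false positives.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:[^\s@/]+@[^\s'\"]+"
    ),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}


def redact(match: str) -> str:
    """Keep only a prefix and suffix so the finding is identifiable without leaking the value."""
    return match[:4] + "..." + match[-4:] if len(match) > 12 else "***"


def scan_for_secrets(source: str, origin: str = "<inline>") -> list[dict]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({
                    "kind": kind,
                    "origin": origin,
                    "line": lineno,
                    "match": redact(m.group(0)),
                })
    return findings


# Constructed sample of an inline script that shipped with config left in.
SAMPLE_SOURCE = """const cfg = {
  apiKey: "AKIAIOSFODNN7EXAMPLE",
  endpoint: "https://api.example.com",
};
// TODO remove before release
const db = "postgres://app:hunter2pass@db.internal:5432/prod";
"""

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE, origin="app.js"):
        print(f"{f['origin']}:{f['line']} {f['kind']} {f['match']}")
```

The `apiKey` line trips both the AWS-specific and the generic assignment pattern; a real scanner would dedupe overlapping matches and rank the specific format higher.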

Exposed Files & Paths

Probes for common sensitive paths: `.env`, `.git/config`, `wp-config.php`, `/debug`, `/admin`, `/api/docs`, `/swagger`, backup files, and directory listings.

Open Redirect Detection

Tests for unvalidated redirect parameters (`?url=`, `?redirect=`, `?next=`) that could be exploited for phishing.

Mixed Content

Detects HTTP resources loaded on HTTPS pages — scripts, stylesheets, images, iframes — that weaken transport security.
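As an added example of how mixed content is detected in page markup (written for this page, not the scanner's own parser), the code below walks the HTML with the standard library parser and flags `http://` URLs in the resource attributes of scripts, stylesheets, images, media and iframes. It also labels each finding with the Mixed Content specification's two classes: scripts, stylesheets and frames are "blockable" (browsers refuse to load them), while images and media are "optionally blockable". Protocol-relative `//host/path` URLs inherit the page scheme and are not flagged. The sample HTML is constructed.

```python
"""Find HTTP subresources referenced from an HTTPS page (added example, constructed HTML)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that carries the subresource URL.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
}
# Per the W3C Mixed Content spec, these are refused outright; the rest only downgrade the lock icon.
BLOCKABLE = {"script", "iframe", "link"}


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        if tag == "link":
            # Only stylesheet links load executable-style content; rel may be space-separated.
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        url = a.get(attr_name)
        # urlparse gives scheme '' for relative and protocol-relative URLs, so only explicit http:// is flagged.
        if url and urlparse(url).scheme == "http":
            self.findings.append({
                "tag": tag,
                "url": url,
                "kind": "blockable" if tag in BLOCKABLE else "optionally-blockable",
            })


def find_mixed_content(html: str, page_url: str) -> list[dict]:
    """Mixed content only exists on HTTPS pages; an HTTP page has nothing to downgrade."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, not fetched from anywhere.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="//img.example/ok.png">
<iframe src="https://embed.example/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML, "https://www.example/"):
        print(f"{f['kind']:<20} <{f['tag']}> {f['url']}")
```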

PageSpeed / Lighthouse (Core Web Vitals)

Runs Google PageSpeed Insights API for both mobile and desktop strategies. Reports Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), Time to Interactive (TTI), Speed Index, First Contentful Paint (FCP), and Total Blocking Time (TBT). Includes performance, accessibility, best practices, and SEO scores.

LLM Synthesis

Claude or GPT synthesizes all deterministic findings into a prioritized executive summary with severity classification, remediation guidance, and CI/CD integration recommendations.

Severity Classification

  • **Critical**: Immediate exploit risk (exposed credentials, open redirects to malicious targets)
  • **High**: Significant security gap (missing HSTS, no CSP, expired certificate)
  • **Medium**: Best-practice violation (missing Referrer-Policy, weak cookie attributes)
  • **Low**: Informational or optimization (deprecated headers, minor Lighthouse warnings)

Tiers

  • **Free**: Full scan with all check categories, rate-limited
  • **Authenticated**: Higher rate limits, scan history, claim scans to dashboard
  • **Pro**: Unlimited scans, priority queue, API access

Integration with Prompt Builder

After a scan completes, click "Generate Spec from Findings" to automatically create a security hardening spec with Omar Gate configuration. The Prompt Builder pre-fills with scan findings and produces remediation-ready artifacts.

Structured Answers

What does the Sentinelayer URL Scanner check?

It checks security headers (15+), TLS/certificate, cookies, secrets exposure, exposed files, open redirects, mixed content, PageSpeed/Lighthouse (Core Web Vitals), and synthesizes findings with an LLM.

Is the URL Scanner free?

Yes. The free tier includes full scans with all check categories. Authenticated users get higher rate limits and scan history.

Can I generate a spec from URL scan findings?

Yes. After a scan completes, the Prompt Builder can auto-generate a security hardening spec with Omar Gate configuration based on findings.