Security Intelligence

Find the Bugs
Before Hackers Do

CloviScan detects code vulnerabilities, exposed files, server weaknesses, and security headers — and tells you exactly how to fix them. Free for 3 scans per month.

One platform for your whole attack surface — site security, repository security, SEO, performance and accessibility. Point-solution code scanners only see your source. CloviScan also scans your full git history for secrets that were committed and later removed but are still recoverable.

4 layers site, code, server, fix
8 categories SSL, headers, DNS, code & more
~60 sec per full scan
Free no card required
example.com
SSL Certificate — Valid, expires 2026-09-14 PASS
Missing HSTS Header — browsers not forced to HTTPS MEDIUM
Hardcoded API key found in /config.js — line 23 CRITICAL
phpMyAdmin exposed at /phpmyadmin HIGH
jQuery 2.1.4 — 12 known CVEs in this version MEDIUM
Security Score
3 critical issues need immediate attention
73 /100
C
Grade
4-Layer Intelligence

From Surface to Source Code

Other scanners check what's visible. CloviScan goes four layers deep — analysing your external footprint, your actual source code, your server configuration, and then showing you exactly how to fix everything it finds.

Layer 1

External Website Audit

Your site's public-facing security profile, examined from the outside — exactly as a security researcher or attacker would see it. No access credentials required.

  • SSL/TLS certificate validity, grade, and cipher strength
  • Security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • DNS health: SPF, DKIM, DMARC, open resolvers
  • Exposed admin files: .env, wp-config.php, .git/config
  • Google Safe Browsing check + IP reputation score
"We check what the internet can already see about you — before someone malicious does."
Website Audit — example.com
SSL Certificate A+ Grade
Content-Security-Policy Missing
HSTS Enabled Pass
.env file exposed Critical
DNS — no DMARC Medium
Safe Browsing Clean
Layer 2 — The Unique One

Static Code Security Analysis

We analyse your actual source files for patterns that indicate future vulnerabilities — not just known CVEs, but the dangerous code habits that create breaches. This is what other scanners skip entirely.

  • Hardcoded API keys and secrets in source files
  • SQL injection patterns in query builders and ORMs
  • XSS-vulnerable input handling (innerHTML, eval, dangerouslySetInnerHTML)
  • Unprotected CSRF routes and missing token validation
  • Outdated dependencies with known CVEs via lockfile analysis
  • Insecure redirects and open redirect vulnerabilities
"We analyse your code like a security researcher would — looking for patterns, not just signatures."
/app/routes/users.js 2 issues
44router.get('/user/:id', async (req, res) => {
45 const id = req.params.id;
46 const result = await
47 db.query(`SELECT * FROM users
WHERE id=${req.params.id}`);
SQL Injection Risk on line 47 — string interpolation in query allows attacker to inject arbitrary SQL. Severity: Critical.
📋 Fix: db.query('SELECT * FROM users WHERE id = ?', [req.params.id])
89const API_KEY = "sk-live-4xZ8...";
Hardcoded API key on line 89 — credential exposed in source file, likely in version control. Severity: Critical.
📋 Fix: Move to environment variable: process.env.API_KEY
Layer 3

Server Hardening Audit

Your server configuration is as important as your code. CloviScan audits the underlying infrastructure — SSH, firewall rules, open ports, and protection services — for dangerous defaults and gaps.

  • SSH hardening: root login status, port exposure, key-only vs password auth
  • Firewall rule coverage and unexpected allow rules
  • Open ports that expose databases, admin panels, or internal tools
  • Outdated software versions: PHP, Node.js, MySQL, nginx, OpenSSH
  • Fail2ban, ModSecurity, and intrusion protection status
"A perfectly written app on a misconfigured server is still a sitting target."
Server Audit — 192.168.1.100
SSH root login enabled Critical
SSH key-only auth Good
Port 3306 open (MySQL) High
PHP 7.4 — EOL Jan 2023 Medium
Fail2ban active Good
phpMyAdmin publicly exposed Critical
Layer 4 — Where Others Stop

AI-Powered Autofix

Finding problems is the easy part. CloviScan goes further — every issue comes with a plain-English explanation, copy-paste code fix, and step-by-step server instructions so your team can resolve it today, not next sprint.

  • Plain-English explanation of every vulnerability found
  • Copy-paste code fix for all code-level issues
  • Step-by-step remediation for server and config issues
  • Auto-apply option for safe, low-risk fixes with one click
  • Priority scoring so you fix critical issues first
  • Re-scan confirmation after each fix is applied
"Not just a scanner — a security engineer in your browser."
Issue #1 — Critical SQL Injection

String interpolation in your database query lets an attacker pass SQL commands instead of an ID. This can expose your entire database with a single request.

SUGGESTED FIX — Copy & Paste
db.query(
  'SELECT * FROM users WHERE id = ?',
  [req.params.id]
);
Why It Matters

A Bug Today is a Breach Tomorrow

Every major breach starts as a small, overlooked code issue. Here's how a hardcoded API key becomes a catastrophic security event — and how CloviScan breaks the chain.

1

The Hidden Bug

A developer hardcodes an API key directly in a config file. It looks harmless. The test suite passes. The code ships to production.

const key = "sk-live-4xZ8mN...";
2

The Crawler Finds It

An automated bot scans GitHub repositories and public websites for exposed secrets around the clock. Within hours of your deploy, your API key is being actively tested on the dark web.

Credential detected — 14h ago
3

The Breach

Attackers use your exposed key to spin up compute instances, exfiltrate your customer database, or send thousands of spam messages — all billed to your account.

Unexpected charge: $14,870 — AWS

CloviScan catches this at Step 1 — before the crawler ever runs.

Scan Your Code Now
By the Numbers

One Scan, Whole-Site Coverage

Every scan runs the full check library across your site, code, and server — and returns a graded report in under a minute.

0+
security checks
A+
top SSL grade detected
<0s
average full scan
0k+
sites scanned
73 /100
Scan report — example.com
C 5 findings · 1 critical · scanned in 47s
SSL/TLS certificate valid — strong ciphers A+
Safe Browsing & reputation — clean PASS
Missing HSTS header — HTTPS not enforced MEDIUM
No DMARC record — domain spoofable MEDIUM
.env file exposed — credentials readable CRITICAL
Live Demo

See What’s Hiding in Your Site

Enter any website URL and watch CloviScan run through 6 security categories in real time. No account required.

Enter a domain above and click Scan Now — animated results appear in seconds
Scanning
63 /100
6 checks · 4 findings · scanned just now
B+
SSL — valid, TLS 1.3, expires 2027-03 PASS
Security headers — 3 missing (CSP, Permissions-Policy, COEP) MEDIUM
Open ports — minimal exposure, only 80 and 443 visible PASS
SEO — missing meta description, page title too long (68 chars) FAIL
Performance — First Contentful Paint 2.8 s (target <1.8 s) SLOW
Scan your real site — free

Sample output illustrating what a CloviScan report looks like.

Silent vs Caught

The Cost of Finding Out Too Late

Most vulnerabilities sit in production for weeks before a customer finds them. Here is what that timeline looks like — and how CloviScan collapses it to minutes.

Without CloviScan
Day 1 — Vulnerability ships

A missing CSP header or exposed path goes live with a routine deploy. No one notices.

Day 3–14 — Crawler finds it

Automated bots scan exposed endpoints around the clock. Your domain ends up on a target list.

Week 3–6 — Customer reports it

A user posts publicly. A 1-star review mentions “security concerns.” Now it is a reputation problem too.

Month 2+ — Emergency remediation

All-hands fire drill, sprint disruption, possible breach disclosure.

Average time-to-discovery: 3–5 weeks
With CloviScan
Day 1 — Vulnerability ships

Same deploy, same issue. But a CloviScan scheduled scan runs within 24 hours of the change.

Day 1 (hours later) — Alert fires

You get an email: “New finding — missing Content-Security-Policy. Severity: medium.” With the fix attached.

Day 2 — Fixed in next deploy

Developer applies the copy-paste nginx config. CloviScan re-scans and confirms clean. No customer saw the issue.

Ongoing — clean baseline

Scheduled scans maintain a security baseline. New issues surface within hours, not weeks.

Time-to-discovery: same day
Set up scheduled scans — free
The Detonation Moat

Real Rendering.
No Theater.

Static scanners read your HTML like a document. They miss everything that happens after the page loads — scripts that run, beacons that fire, resources injected at runtime.

CloviScan’s Detonate feature spins up an isolated browser session, loads the target URL exactly like a real visitor, and captures what actually executes — including runtime-injected malware, hidden trackers, and fingerprinting scripts that never appear in your source.

  • Isolated browser — your real IP is never exposed
  • Captures network requests made by JavaScript at runtime
  • Detects supply-chain attacks injected via third-party scripts
  • Safe detonation — suspicious URLs never run on your infrastructure
“Static scanners check what your code says it does. Detonation checks what it actually does.”
CloviScan — Isolated Browser Session
// Static scan result (what basic scanners see)
<script src="/analytics.js"></script>
↳ Looks fine. No findings.
// Detonation result (what actually runs)
Network request captured:
POST https://exfil.data-harvest.net/collect
Payload: { "cookies": "...", "localStorage": "..." }
FINDING: Runtime script exfiltrating session data to unknown third-party domain. Severity: Critical.

Illustrative example of what Detonation catches vs static-only scanning

Comparison

How CloviScan Compares

Honest, feature-by-feature — no asterisks. Generic security tools go deep on infrastructure but ignore SEO and performance. SEO audit tools check rankings but skip security entirely. CloviScan covers full site health in one scan.

Capability CloviScan Generic security tools SEO audit tools
SSL/TLS grade + expiry alerts
Security headers audit
Runtime detonation scanningEnterprise only
SEO audit (meta, crawlability)
Performance metrics (FCP, LCP)Some tools
Plain-English findings + copy-paste fixesTechnical output onlyPartial
Scheduled re-scans + change alerts
Free tier availableLimitedLimited
AI-suggested remediation steps
FAQ

Common Questions

CloviScan performs passive, read-only checks — it does not send exploit payloads or attempt to modify your server. The scan examines publicly visible responses (headers, DNS records, SSL configuration, page content) exactly as a browser would. Your server sees it as normal web traffic. Findings are labeled by severity so you can prioritize and verify before acting.
Detonation loads the target URL in a fully isolated, ephemeral browser session separate from CloviScan’s main infrastructure. Network traffic, script execution, and DOM mutations are recorded, then the session is destroyed — nothing persists. This catches runtime-injected content, third-party supply-chain attacks, and tracking scripts that never appear in your HTML source. Your real IP address is never used during a detonation session.
For most sites a daily or weekly scheduled scan is sufficient. CloviScan sends an alert only when a new finding appears or an existing finding changes severity — you will not receive repeated alerts for known, accepted issues. If you deploy frequently, a post-deploy scan catches regressions immediately. SSL expiry alerts fire 30 days before expiry regardless of your scan schedule.
You may scan any publicly accessible URL. Scanning sites you do not own is permitted for security research (checking headers, SSL, publicly visible content), but you are responsible for complying with the target site’s terms. For internal staging environments behind a VPN, the scan only reaches what is publicly exposed — it cannot inspect private network resources unless you whitelist CloviScan’s outbound IP ranges.
Scan results are private to your account by default. We do not share findings, domain names, or scan history across tenants, and we do not use your findings to train models without explicit consent. Detonation session data is discarded after the session ends and is never written to disk. You can delete your full scan history at any time from account settings.
Ecosystem

Security Embedded Across Your Stack

CloviScan feeds its findings into the tools you already use — so security stays on the radar everywhere, not just in a quarterly audit report.

CloviSEO
Security score surfaces inside your SEO audit — HTTPS and headers affect rankings
CloviAble
Security findings appear alongside accessibility issues in the unified site audit
CloviFlow
Auto-alerts and remediation workflows trigger on new critical findings
aaPanel
Server hardening audit pulls live data from your panel — no manual SSH needed
Debug Agent
Code autofix agent applies suggested patches from scan results automatically
Pricing

Start Free, Scale as You Grow

No credit card required to start. All plans include AI-powered remediation advice — not just a list of problems.

Free
For individuals and hobbyists
$0
forever, no card required
  • Instant scan, no card
  • Website audit (SSL, headers, DNS)
  • Google Safe Browsing check
  • Email-gated deep report
  • Plain-English findings
  • Continuous monitoring
  • DMARC / DKIM / SPF audit
  • PDF reports
  • Email alerts
Run a Free Scan
Pro
Unlimited sites, API + white-label
$99
per month, billed monthly
  • Unlimited domains
  • Real-time monitoring
  • All Starter features
  • REST API access
  • White-label PDF reports
  • Custom scan schedules
  • 10 team seats
  • Priority SLA
Get Pro

Also available: Lite $19/mo for solo sites and Agency $299/mo for multi-site client pools. See all plans →

One Ecosystem

Pairs With the Rest of Your Site Toolkit

Security is one layer of site health. CloviScan shares findings with sibling tools for performance, accessibility, SEO, and automation — one login, one dashboard.

Get Started Today

Your First Scan is Free

No credit card. No installation. Paste your domain and get a full security report in under 60 seconds.

Scan My Site Free See Sample Report

Free forever plan · No installation · Results in 60 seconds