
Web App Security Scanner

Enter a URL, paste rendered HTML from your browser's DevTools, or bulk-scan multiple endpoints.

Up to 10 URLs per batch. Each scan runs independently with full finding capture.
100% client-side. Pasted content never leaves your browser. Use this for authenticated content without risking credential exposure.

Dashboard

Overview of your most recent scan session.


Secret Scanner

API keys, tokens, and credentials detected in scanned content.


Security Headers

HTTP response headers that protect against XSS, clickjacking, downgrade attacks, and more.


Exposed Endpoints

Probes for publicly accessible admin panels, config files, backups, and source-control artifacts.


Dangerous Code Patterns

Risky DOM and JavaScript patterns that commonly enable XSS, prototype pollution, or data leakage.


Storage & Cookies

Audit of localStorage, sessionStorage, and cookie flags.


Third-Party Scripts

External JavaScript loaded by the target — each one is a supply-chain trust decision.


Tech Stack

Detected frameworks, CMSs, and disclosed versions.


Scan History

Previous scans in this browser session. Cleared when you close the tab.


About ShieldCORE

What it does, what it doesn't, and how it fits into your security workflow.

How the scanner works

ShieldCORE inspects the public surface of a web application — rendered HTML, linked JavaScript bundles, response headers, and commonly-exposed paths — and matches the content against a database of secret patterns, dangerous code patterns, and security misconfigurations. Every detection maps to a severity, a category, and a specific remediation.

Three scan modes

URL mode — enter a public URL. The backend fetches the HTML, inspects headers, probes common paths, and runs the full finding engine.

Bulk mode — scan up to 10 URLs at once. Useful for auditing staging, production, and admin subdomains in a single pass.

Paste mode — drop rendered HTML or a JS bundle from DevTools. This is the only safe way to scan authenticated content: the data never leaves your browser.

What we don't do

ShieldCORE does not log into your SaaS apps. It does not accept credentials. It does not fuzz for injection vulnerabilities, brute-force logins, or send exploit payloads. It is a read-only static analyzer over surfaces you already control or have permission to inspect.

From finding to fix

Every finding includes a concrete remediation path. For keys, that means the rotation URL. For headers, the exact config directive. For dangerous code, the safer alternative. Your job is to act; our job is to make acting obvious.

Ready for continuous monitoring? SiteCORE runs ShieldCORE automatically across your portfolio, alerts you the second a regression appears, and ships white-label reports to your clients.