Security Audits That Ship

Your site has a grade.
Find out what it is.

RedPen scans your site for security issues in minutes. Free Security Snapshot. No account required. Browse all packages ↓

Free. No account required. Results in under 5 minutes.

Auditing a Solana program? Learn more →

How It Works

Scan. Read. Fix.

01

Scan

Enter your URL. We check headers, SSL, email security, exposed paths, and JS bundles - no code access needed.

02

Report

Get a Security Snapshot with a letter grade and prioritized findings. Know exactly what's exposed and how serious it is.

03

Fixed

Opt into Quick Fix or Full Audit. We fix the issues and hand you a professional report with everything documented.

What We Find

Real issues. Real fixes.

These findings are from a real scan run on our own site. Same process we run on yours.

Description

staging.yoursite.com and www.staging.yoursite.com are reachable without authentication. Staging environments often contain debug endpoints, relaxed access controls, and pre-production data.

Impact

An external attacker can interact with pre-production features, potentially discovering vulnerabilities before they are patched or accessing test data.

Recommendation

Restrict staging access via IP allowlist or HTTP basic auth. Never expose staging to the public internet.

Description

No Content-Security-Policy header is present on any response from yoursite.com. CSP is the primary browser-level defense against cross-site scripting (XSS) attacks.

Impact

If an XSS vulnerability exists anywhere in the application, an attacker can execute arbitrary JavaScript in users' browsers without CSP blocking it.

Recommendation

Implement a strict CSP header. Start with: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';

Description

The X-Frame-Options header is not set. This controls whether the site can be embedded in an iframe on another domain.

Impact

Low risk for most sites. Enables clickjacking attacks where the attacker overlays a transparent iframe of your site over their own content to trick users into unintended clicks.

Recommendation

Add: X-Frame-Options: DENY or use Content-Security-Policy: frame-ancestors 'none'; (CSP equivalent, preferred).
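The two header findings above (missing CSP, missing clickjacking protection) are the kind of check an external scanner makes from response headers alone. The following is an added example, not RedPen's scanner: it takes a plain dict of response headers, applies the rules the findings describe (CSP present, script-src not wildcard or inline, and either frame-ancestors or X-Frame-Options set), and returns findings ordered by severity. The severity labels and the header values in the test are constructed for the example.

```python
"""Offline header check for the CSP and clickjacking findings described above.
Added example (not RedPen's scanner); input is a constructed headers dict."""
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    title: str
    severity: str  # "high", "medium" or "low"
    fix: str       # recommended header value or change


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}.
    Directives are ';'-separated; a trailing ';' yields an empty part we skip."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: dict[str, str]) -> list[Finding]:
    """Return prioritized findings for one HTTP response's headers."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[Finding] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding(
            "No Content-Security-Policy header", "high",
            "Content-Security-Policy: default-src 'self'; "
            "script-src 'self'; object-src 'none';"))
        policy: dict[str, list[str]] = {}
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent; a wildcard or
        # 'unsafe-inline' there gives no XSS protection, so flag it.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "*" in scripts or "'unsafe-inline'" in scripts:
            findings.append(Finding(
                "CSP allows inline or wildcard scripts", "medium",
                "remove '*' and 'unsafe-inline' from script-src"))

    # Clickjacking: CSP frame-ancestors is the preferred control; X-Frame-Options
    # DENY or SAMEORIGIN is the legacy equivalent. Either one is accepted.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding(
            "Clickjacking not mitigated", "low",
            "Content-Security-Policy: frame-ancestors 'none'; "
            "(or X-Frame-Options: DENY)"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    # Constructed sample: a bare response with no security headers at all.
    sample = {"Server": "nginx", "Content-Type": "text/html"}
    for f in check_headers(sample):
        print(f"[{f.severity}] {f.title} -> {f.fix}")
```

Feeding the script a real response is a matter of passing `dict(resp.headers)` from whatever HTTP client you use; keeping the check separate from the fetch is what makes it unit-testable.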

Published with permission. Full report available below.

Sample Report

Here's what you get.

Every Scout scan produces a Security and Performance Snapshot - your grade, findings, and recommended fixes delivered to your inbox. RedPen Triage and Shield include full professional reports with detailed writeups, fix PRs, and developer notes.

View sample report →
Pricing

Start free. Go deeper when you're ready.

FREE

RedPen Scout

External scan with no code access needed. Security and performance audit delivered to your inbox.

  • Security + Performance Snapshot report
  • HTTP headers, SSL, email security
  • Lighthouse performance audit
  • Subdomain discovery
  • JS secret scan

Delivered in under 5 minutes

Most popular

$499 - $999

RedPen Triage

We fix the issues Scout found. Choose what to fix.

Requires codebase or hosting access

Scan and Triage

Fast turnaround

From $1,999

RedPen Shield

Full manual review of your codebase. Every vulnerability found, documented, and fixed.

  • Everything in Triage
  • Full manual code review
  • Threat model assessment
  • Professional PDF report
  • Fix PRs on your repo
Get protected

Fast turnaround

Not sure which tier is right? Run the free Scout first. If we find something serious, we'll tell you exactly what fixing it would take.