
16 security tests. 2 minutes. Zero signup.

Drop your domain below and find out what your website exposes to the internet. We check TLS, email auth, GDPR compliance, data jurisdiction, and 12 more things most scanners skip entirely.

Tom Isgren

Request your free scan

Enter your work email and domain. We'll run the scan and send you the full report as a PDF.

Most businesses don't know what their website exposes. Not because they don't care, but because security scanning has always been either expensive, slow, or impossible to understand without a dedicated security person on staff (which, if you're a 15-person company, you don't have).

We built SVAR to fix that. It runs 16 independent security and compliance tests in a single pass and gives you one score, one grade, and a report that actually tells you what to fix first. No jargon soup. No 200-page PDF that nobody reads.

We've already scanned over 597 Swedish law firms for our industry report. The average score was 59.1 out of 100. Not a single firm got an A. Now the same scanner is available to anyone.

16 security & compliance tests
597 law firms scanned so far
59.1 average score (out of 100)

What we actually test

Each scan runs 16 independent tests across four categories. Every test produces a pass, warning, or fail. Most free scanners check maybe 3 of these (usually just TLS and headers). We check everything, including the compliance stuff that triggers actual GDPR enforcement from IMY.

Transport Security

01. TLS Configuration: Protocol version, cipher suites, cert validity
02. HTTPS Enforcement: Redirects, HSTS, mixed content
03. Security Headers: CSP, X-Frame-Options, X-Content-Type-Options
04. Software Versions: Exposed server versions, outdated frameworks

Email Security

05. SPF Record: Sender Policy Framework config
06. DKIM Signing: DomainKeys Identified Mail
07. DMARC Policy: Authentication, reporting, enforcement

Privacy & Compliance (IMY focus)

08. Cookie Consent: Banner, opt-in, reject option
09. Pre-Consent Tracking: Scripts firing before user consent
10. Privacy Policy: Presence, GDPR mandatory elements
11. Data Jurisdiction: Where visitor data is processed
12. Third-Party Requests: External domains on page load

Operational Security

13. security.txt: Vulnerability disclosure contact (RFC 9116)
14. DNS Configuration: DNSSEC, CAA records, zone security
15. Attack Surface: Open ports, exposed services, info leaks
16. PDF Metadata: Hidden data in public documents

How the scoring works

Each test is weighted by security impact. Missing TLS or pre-consent tracking hits harder than a missing security.txt. Your total maps to a letter grade:

A (90-100): Excellent posture
B (75-89): Good with gaps
C/D (50-74): Significant risks
F (Below 50): Critical exposure

For context: 597 Swedish law firms, average score 59.1. Not a single firm got an A. The most common failures were pre-consent tracking, data jurisdiction violations, and incomplete privacy policies. These aren't obscure technical nitpicks; they're the things IMY actually fines people for.

What you get back

Not a vague "you have issues" email. An actual report with three sections, each useful to a different person in your org.

1. Executive Summary

Your overall grade, score by category, and the top 3 things to fix. Designed to forward to whoever makes decisions. No technical jargon, just "here's where we stand and here's what matters most."

2. Detailed Findings

All 16 tests with pass/warn/fail, what was found, why it matters, and technical evidence. Specific header values, DNS records, script URLs. Your IT person (or the person who Googles things when something breaks) can verify every finding.

3. Remediation Guide

Step-by-step fix instructions for every failed test, prioritized by severity and effort. Most critical issues take hours to fix, not weeks. We tell you which three to do this week, not which 300 things are theoretically imperfect.

Why this isn't just another SSL checker

There are other free scanners. SSL Labs checks your TLS. SecurityHeaders.com checks headers. Both are useful. But you end up running five different tools and piecing results together yourself, which nobody actually does.

SVAR checks all 16 dimensions in a single pass. More importantly, it checks the things most scanners ignore entirely: pre-consent tracking (scripts that fire before a user clicks "accept"), data jurisdiction (is your visitor data routing through US servers?), privacy policy completeness, and PDF metadata leakage. These are the compliance issues that actually trigger GDPR enforcement from IMY.

Built for Swedish businesses. Our tests are calibrated against IMY enforcement priorities and Swedish legal requirements. We don't just check generic best practices. We check what Swedish regulators actually look for. If you need deeper testing beyond automated scanning, here's our breakdown of what a full security audit costs in 2026.

Find out where you stand

16 tests, 2 minutes, full PDF report delivered to your inbox.