Most small site owners think security is something only banks and big companies need to worry about. It isn't. Attackers run automated scans across millions of sites looking for easy targets — a missing header here, an old TLS version there, a CMS that hasn't been patched in two years. A passive security audit checks the same things those scanners look at, so you can fix them first. This walkthrough explains what gets checked, why each one matters and what to fix first.
"Passive" means the audit only looks at information your site already shows to every visitor — response headers, the TLS handshake when you connect over HTTPS, your DNS records and the page source. It does not try to break in, send malicious data, or scan ports. It is completely safe to run on your own site or any site you have permission to scan, and it will not trigger your security alerts.
Two reasons. First, the checks find the exact problems automated attackers look for in their first five minutes of reconnaissance. If you fail those checks, you are visible to thousands of bots scanning the web every day. Second, modern browsers, mobile app stores and even some search rankings reward sites with strong security signals. Fixing your audit findings improves user trust, regulatory compliance and SEO at the same time.
Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Most sites are missing at least three of these. Adding them is usually a one-line change in your web server config.https://yoursite.com, their browser does a handshake with your server. The audit opens that handshake and checks three things: your certificate is valid and signed by a real authority, it isn't expiring in the next 30 days, and your server is using a modern protocol (TLS 1.2 or 1.3 — never the old TLS 1.0 or 1.1 which have known weaknesses). If you use Let's Encrypt or a managed hosting provider, this should already be fine.Secure (only sent over HTTPS), HttpOnly (not readable from JavaScript, so an XSS attack can't steal it) and SameSite (defence against cross-site request forgery). If your site doesn't set cookies, this check passes automatically.http:// images, scripts or iframes, the browser warns the user or blocks the content entirely. This is one of the most common holdovers from sites that migrated to HTTPS years ago but missed a few hardcoded URLs. The audit scans the homepage and lists any offenders.Server: nginx/1.18.0 or X-Powered-By: PHP/7.4.0. That makes an attacker's job trivial. The audit checks both headers and flags any that leak version info. Fix: server_tokens off in nginx, ServerTokens Prod in Apache, expose_php = Off in php.ini.<meta name="generator"> tag to every page advertising its version. Attackers scan the web for outdated WordPress installs — exposing the version is like leaving your unlocked car running outside. The audit detects all three CMSes and flags any that expose their version./robots.txt tells crawlers what they can access (most sites already have one). /.well-known/security.txt tells security researchers how to reach you if they find a bug — a 30-second fix that signals you take security seriously.Secure; HttpOnly; SameSite=Lax to every onehttp:// resource URLs and change them to https://server_tokens off in nginx, ServerTokens Prod in Apache)remove_action('wp_head', 'wp_generator')/.well-known/security.txt with a contact email and expiry dateThis tutorial covers the basics. For full implementation details, including the exact config snippets for nginx and Apache, see the complete Security Audit Guide. To see what a perfect score looks like, view the example audit report.
Run a free passive security audit on your domain. See which of the 23 checks you pass and get fix instructions for any that fail.
Run free audit →