See what your app hands to strangers.
Enter a domain to get a graded security report for your Laravel app, including leaked files, exposed dashboards, missing security headers, and step-by-step fixes.
What we request
-
/.env
Your app key, database password and third-party secrets.
-
/.git/HEAD
Your full source history, clonable by anyone.
-
/composer.lock
The exact version of every dependency you run.
-
/storage/logs/laravel.log
Stack traces, SQL queries and request data.
-
/_ignition/execute-solution
The debug endpoint behind CVE-2021-3129.
-
/telescope/requests
Every request, query, job and mail you handle.
-
/horizon/api/stats
Your queue workload, and control of its workers.
-
/pulse
Slow queries, exceptions and app internals.
-
/storage/ /vendor/ /assets/ /uploads/
Browsable file listings of your web root.
What your homepage answers
- Whether plain HTTP is redirected up to HTTPS.
- Whether the session cookie is Secure, HttpOnly and SameSite.
- Banners naming the exact version of your server software.
- Security headers: HSTS, CSP, frame and content-type options.
How we scan
Security Scorecard only requests pages your server
already serves to the public.
It sends no payloads, submits no forms, exploits nothing, and reports a problem only
when the response body proves it.