SecurityScorecard

See what your app hands to strangers.

Enter a domain to get a graded security report for your Laravel app, including leaked files, exposed dashboards, missing security headers, and step-by-step fixes.

What we request

  • /.env

    Your app key, database password and third-party secrets.

  • /.git/HEAD

    Your full source history, clonable by anyone.

  • /composer.lock

    The exact version of every dependency you run.

  • /storage/logs/laravel.log

    Stack traces, SQL queries and request data.

  • /_ignition/execute-solution

    The debug endpoint behind CVE-2021-3129.

  • /telescope/requests

    Every request, query, job and mail you handle.

  • /horizon/api/stats

    Your queue workload, and control of its workers.

  • /pulse

    Slow queries, exceptions and app internals.

  • /storage/ /vendor/ /assets/ /uploads/

    Browsable file listings of your web root.

What your homepage answers

  • Whether plain HTTP is redirected up to HTTPS.
  • Whether the session cookie is Secure, HttpOnly and SameSite.
  • Banners naming the exact version of your server software.
  • Security headers: HSTS, CSP, frame and content-type options.

How we scan

Security Scorecard only requests pages your server already serves to the public.
It sends no payloads, submits no forms, exploits nothing, and reports a problem only when the response body proves it.