unsubbed.co

Web-Check

All-in-one OSINT tool for analyzing any website. Discover security, performance, and technology insights.

All-in-one website intelligence, honestly reviewed. No marketing fluff, just what you get when you run it yourself.

TL;DR

  • What it is: Open-source (MIT) OSINT dashboard that pulls 30+ data points on any website — IP info, SSL chains, DNS records, open ports, trackers, headers, cookies, carbon footprint, and more — from a single URL input [1].
  • Who it’s for: Security-minded founders who want to audit their own site, developers vetting a vendor’s infrastructure, and anyone running reconnaissance on a domain before a partnership, acquisition, or threat investigation [1].
  • Cost savings: Commercial equivalents like Shodan, SecurityTrails, or Pentest-Tools charge $50–$400/mo for similar intelligence. Web-Check is MIT-licensed, self-hostable, and costs nothing beyond your VPS bill.
  • Key strength: Breadth-per-click. You paste a URL and get a full-page dashboard covering network layer, security headers, crawler configuration, performance signals, and legal/privacy signals simultaneously — no tab-switching between six different tools [1].
  • Key weakness: The project appears to be in a maintenance-mode cadence. No SaaS pricing, no commercial support tier, no changelog prominently featured. You’re running a community project, not a supported product. Third-party review coverage is thin, which itself is a signal about the tool’s niche positioning.

What is Web-Check

Web-Check is a single-page web application built by Alicia Sykes (GitHub: lissy93) that runs a battery of passive and semi-active reconnaissance checks against any website you hand it. The GitHub repository describes it as “comprehensive, on-demand open source intelligence for any website” [1].

You type a domain. The dashboard populates with panels covering IP geolocation, SSL certificate chain inspection, DNS records, cookie attributes, HTTP response headers, robots.txt rules, page map, server location, redirect chains, open port scan, traceroute hops, DNSSEC status, performance metrics, third-party trackers, associated hostnames, and carbon footprint estimation [1]. That’s roughly 25–30 distinct data categories from a single input.

The project sits at 32,338 GitHub stars as of this review, which puts it in rarefied air — most genuinely useful security tools top out around 3,000–8,000 stars before plateauing. Something about this tool resonated at scale. The likely explanation: the core use case (paste URL, understand website) requires zero setup, zero CLI knowledge, and zero existing security background. A non-technical founder can use the hosted demo and get real signal.

The tool is MIT-licensed, meaning you can self-host it, embed it in your own products, or build on it commercially without contacting a lawyer [1]. The author maintains a live public demo at web-check.as93.net [1], but the official website (web-check.xyz) currently returns an HTTP 403 when scraped, which suggests the public demo and the GitHub repo are where the project actually lives.


Why People Choose It

The 32K star count tells the real story. Web-Check fills a gap that security professionals and curious founders hit constantly: the need to quickly understand a website’s technical posture without opening five browser tabs, three paid tools, and a terminal window.

The specific pain it solves: correlation. Tools like SSL Labs tell you about certificates. MxToolbox tells you about DNS. SecurityHeaders.com tells you about headers. ViewDNS tells you about IP history. Shodan tells you about open ports. Each is good at its one thing. The problem is you need to synthesize them all when you’re doing due diligence on a vendor, troubleshooting a security finding, or just auditing your own site before a launch.

Web-Check collapses that into one dashboard. You don’t get the depth of Shodan’s historical data or SecurityTrails’ passive DNS corpus, but you get enough across all of them in under ten seconds. For a non-technical founder, that trade-off is usually the right one.

The GitHub star trajectory also suggests significant developer community adoption. Developers use it to verify security configurations after deployments — confirming headers are set, SSL chains are clean, DNSSEC is configured. The carbon footprint panel (an unusual inclusion for a security tool) hints at a broader audience: founders who want a single-dashboard health check, not just a pentester’s recon tool.

The MIT license is a meaningful differentiator against commercial alternatives. You can embed this in an internal tooling dashboard, white-label it for a client deliverable, or run it air-gapped on a private network where you can’t hit external APIs. Shodan and SecurityTrails don’t let you do any of that.


Features

Based on the README and repository documentation [1]:

Network and hosting intelligence:

  • IP address resolution and geolocation (ASN, ISP, city, country, coordinates)
  • Server location mapping
  • Traceroute with hop-by-hop latency
  • Open port detection
  • Redirect ledger (full chain from initial URL to final destination)
  • Associated hostnames (reverse DNS, related subdomains)

Security and certificate inspection:

  • SSL/TLS certificate chain: issuer, validity dates, cipher suites, chain completeness
  • DNS record enumeration: A, AAAA, MX, TXT, NS, CAA, SOA
  • DNSSEC validation status
  • HTTP response header analysis with security grading (HSTS, CSP, X-Frame-Options, etc.)
  • Cookie attribute inspection (HttpOnly, Secure, SameSite flags, expiry)

Crawler and content intelligence:

  • robots.txt parsing and visualization
  • Sitemap / page map extraction
  • Search engine crawl rules analysis

Privacy and compliance signals:

  • Third-party tracker detection (analytics, advertising, session recording scripts)
  • Carbon footprint estimate (via hosting region and transfer size)

Deployment modes [1]:

  • One-click Netlify deploy (button in README)
  • One-click Vercel deploy
  • Docker container (official image available, CI pipeline maintains builds)
  • From source (Node.js/npm)

What’s notably absent: There’s no saved history, no scheduled monitoring, no alerting when a site’s security posture changes, and no API for programmatic access beyond running the app itself. This is a point-in-time snapshot tool, not a continuous monitoring service.
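Because there is no programmatic output, the header and cookie checks listed above are worth scripting when you need a repeatable post-deployment check on your own site. The following is an added example, not code from Web-Check or from this review; the function names, the 180-day HSTS threshold, and the sample response are assumptions constructed for illustration.

```python
# Added example: audit security headers and cookie flags in a raw HTTP response.
# Not Web-Check code; names, threshold and sample response are assumptions.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options")
MIN_HSTS_AGE = 15552000  # assumed policy threshold: 180 days, in seconds

SAMPLE_RESPONSE = (  # constructed sample, not captured from a real site
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(pairs):
    """Flag missing security headers and an HSTS max-age below the threshold."""
    present = dict(pairs)
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        age = 0
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                age = int(val.strip('"'))
        if age < MIN_HSTS_AGE:
            findings.append(f"weak HSTS max-age: {age}")
    return findings

def audit_cookies(pairs):
    """Flag Set-Cookie headers lacking Secure, HttpOnly or SameSite."""
    findings = []
    for value in (v for n, v in pairs if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie}: missing {flag}")
    return findings

if __name__ == "__main__":
    pairs = parse_headers(SAMPLE_RESPONSE)
    print("\n".join(audit_headers(pairs) + audit_cookies(pairs)))
```

Feed it the raw response headers from your own deployment (for example, saved from a CI smoke test) and fail the pipeline when either list is non-empty.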


Pricing: SaaS vs Self-Hosted Math

Web-Check: Free. MIT license. No pricing tiers, no usage limits, no commercial restrictions [1].

What you pay to self-host:

  • VPS: $4–6/month (1–2GB RAM is sufficient — this is a lightweight Next.js app)
  • Domain (optional): $10–15/year if you want your own URL
  • Effective monthly cost: ~$5–6

Commercial alternatives for comparison:

SecurityTrails: Free tier gives 50 API calls/month. Basic plan starts around $50/month for 2,000 queries. Enterprise pricing is custom and “contact sales.” You don’t get a dashboard — you get an API.

Shodan: Free account gives very limited results. Membership is $49 one-time for basic access; professional plans run $299–$899/year. Stronger on historical data and IoT scanning, but you’re paying for a data corpus, not just a scan tool.

Pentest-Tools.com: Plans start at $82/month for limited scan credits. Comprehensive but clearly targeted at professional pentesters, not founders.

BuiltWith (for tech stack only): Free tier exists; Pro is $295/month.

Concrete savings example: A founder using SecurityTrails Basic ($50/mo) + SSL Labs (free but manual) + MxToolbox (free tier, limited) for quarterly due diligence on vendor websites could replace the paid tier entirely with a self-hosted Web-Check instance. Annual saving: ~$600. One-time setup cost: an afternoon. Net outcome: unlimited scans, private results, no rate limits.

The caveat: Web-Check doesn’t have SecurityTrails’ historical passive DNS data, which matters if you’re investigating a domain’s ownership history or IP changes over time. For historical intelligence, commercial tools still win. For current-state reconnaissance, Web-Check is genuinely competitive.


Deployment Reality Check

The four deployment paths (Netlify, Vercel, Docker, source) are all documented in the README, and the one-click options (Netlify/Vercel) are as close to frictionless as self-hosted tools get [1]. Click a button, authorize your account, and you have a personal instance running in under five minutes — no terminal required.

Docker path (recommended for self-hosting on a VPS):

You need:

  • A Linux VPS with 1–2GB RAM
  • Docker installed
  • A reverse proxy (Caddy is easiest) if you want HTTPS on your own domain

The Docker image is maintained via a CI pipeline (Build + Publish Docker Image workflow in the GitHub Actions setup [1]), so updates are tracked. You’re not pinning to a years-old image.

What can go sideways:

The checks that involve external lookups (IP geolocation, traceroute, port scanning) make outbound network requests from wherever you’re running the app. If your VPS is behind a restrictive firewall or you’re running it on a corporate network with egress filtering, some checks will silently fail or return empty panels.

The port scanning feature in particular — which scans the target site’s open ports — may trigger abuse complaints from hypervisor or hosting providers who flag outbound scan traffic. If you’re on shared hosting or a provider with strict abuse policies, run this on a dedicated VPS you own outright, not on a shared server.

Some API-dependent panels (geolocation, carbon footprint) may call third-party external APIs rather than computing locally. Depending on your privacy requirements, this is worth auditing before running it on sensitive targets. The README doesn’t provide a complete list of external services called per check.

For non-technical founders:

  • Vercel one-click deploy is the right path: zero command line, free tier covers hobby usage
  • Self-hosted Docker is a 30–60 minute job for anyone who’s deployed a container before
  • From source is for developers who want to modify or extend the tool

Pros and Cons

Pros

  • 32K GitHub stars, MIT license. The adoption signal is real, and the license means no vendor lock-in — you can fork, modify, embed, or redistribute freely [1].
  • Breadth per click. Roughly 25–30 intelligence categories from a single URL input, presented simultaneously in one dashboard. The alternative is five separate tools [1].
  • Zero barrier for non-technical users. The public demo at web-check.as93.net requires no login, no signup, no API key. Type a URL, read the results.
  • Four deployment paths including one-click Netlify and Vercel for founders who’ve never touched a terminal [1].
  • Actively maintained CI pipeline. The Docker image build and Netlify/Vercel deploy workflows are tracked in GitHub Actions, which means the deployment artifacts are being kept current [1].
  • Private by default when self-hosted. Unlike running checks through commercial SaaS, a self-hosted instance means your reconnaissance targets aren’t logged by a third party.
  • Carbon footprint panel. An unusual but genuinely useful signal for founders who include sustainability metrics in vendor evaluations.

Cons

  • Point-in-time only. No monitoring, no alerts, no historical comparison. If a site’s SSL cert expires or a security header disappears after your scan, you won’t know unless you scan again manually.
  • No API surface for programmatic use. You can’t integrate Web-Check results into your own tooling pipeline without modifying the source code. Data doesn’t come out in a machine-readable format.
  • External API calls in some panels. Geolocation and certain other checks may hit third-party APIs from your server. The full dependency list isn’t documented prominently, which is a transparency gap for security-sensitive deployments.
  • Thin third-party review coverage. For a tool with 32K stars, there’s remarkably little independent written coverage. This suggests the user base is mostly developers using it without publishing reviews — useful for gauging adoption, less useful for getting second opinions.
  • Port scanning may cause hosting friction. Outbound scan traffic from your VPS can trigger abuse flags with some providers. Worth checking your VPS ToS before running at scale.
  • No commercial support. There’s no support tier, no SaaS offering with an SLA, no professional services option. If something breaks in your self-hosted instance, you’re in the GitHub issues queue.
  • Website 403. The official website (web-check.xyz) was unreachable during this review. The project’s official presence is effectively the GitHub repository and the public demo. That’s not a dealbreaker, but it’s a maintenance signal.

Who Should Use This / Who Shouldn’t

Use Web-Check if:

  • You’re doing vendor due diligence on a SaaS company and want to quickly assess their technical security hygiene (SSL config, headers, DNS setup) before signing a contract.
  • You want to audit your own site after a deployment — confirming security headers are set, SSL chain is clean, no unintended trackers slipped in.
  • You’re a non-technical founder who wants to understand what your website exposes to the public internet without hiring a consultant for a two-hour engagement.
  • You want a free, MIT-licensed foundation to build internal security tooling on top of.
  • The Vercel one-click deploy sounds more appealing than a DigitalOcean terminal session.

Skip it if:

  • You need historical DNS data or IP ownership history — SecurityTrails or PassiveTotal are the right tools for that.
  • You want continuous monitoring with alerts when something changes — this isn’t a monitoring product.
  • You’re doing professional penetration testing at scale and need programmatic output, custom scan profiles, and report generation.
  • Your threat model requires knowing that zero external APIs were called during reconnaissance — the external dependency list isn’t fully transparent.
  • You need commercial support with an SLA.

Alternatives Worth Considering

For specific checks:

  • SSL Labs (ssllabs.com/ssltest): Deeper SSL/TLS analysis than Web-Check, industry-standard grading. Free. Use when the cert chain is your primary concern.
  • SecurityHeaders.com: Dedicated HTTP header analysis with clear grading. More detailed header coverage than Web-Check’s header panel.
  • MxToolbox: DNS and mail server diagnostics with historical context. Free tier is generous.
  • Shodan: Historical data, IoT device coverage, API access. Paid beyond basic. Use when you need a record of what a server exposed over time, not just right now.

For broader OSINT:

  • SecurityTrails: Passive DNS, subdomain enumeration, historical IP data. Paid. Use when you’re investigating domain history or mapping an organization’s full attack surface.
  • Censys: Similar scope to Shodan, academic origins, API-first. Paid beyond free tier.
  • theHarvester: CLI tool for email, subdomain, and host enumeration. Free, open source, no dashboard. Use if you’re comfortable in a terminal and want scriptable output.

For monitoring (not recon):

  • Uptime Kuma: Self-hosted uptime and SSL expiry monitoring with alerting. Fills the “alert me when something changes” gap that Web-Check doesn’t address.
  • Netdata: Self-hosted performance and infrastructure monitoring if you need the server-side view to complement Web-Check’s external view.

For a non-technical founder who just wants to understand their own site or do quick vendor checks, the realistic comparison is Web-Check’s free public demo vs. nothing. The tool fills a gap that most founders paper over with ignorance.


Bottom Line

Web-Check earns its 32,000 GitHub stars by doing one thing well: collapsing a full-stack website reconnaissance workflow into a single URL input. It doesn’t have the historical depth of SecurityTrails, the IoT coverage of Shodan, or the professional polish of Pentest-Tools. What it has is comprehensiveness per click, an MIT license that puts no commercial restrictions on how you use or extend it, and four deployment paths including one-click options that a non-technical founder can handle without a terminal.

For periodic due diligence, pre-launch audits, and vendor security checks, it’s a genuinely useful free tool. The gaps — no monitoring, no API output, thin support story — matter more as use cases get more sophisticated. But for the founder who currently does zero website security hygiene because the tooling feels too technical, Web-Check is the right starting point. Run the public demo on your own domain today. If you want a private instance that doesn’t route your reconnaissance targets through someone else’s server, a $5 VPS or a Vercel account will each get you there in under an hour.


Sources

  1. Alicia Sykes (lissy93) — Web-Check GitHub Repository (32,338 stars, MIT license). README, feature list, deployment options, project description. https://github.com/lissy93/web-check

  2. Web-Check Official Website (HTTP 403 at time of review — live demo referenced from README). https://web-check.xyz

  3. Web-Check Live Demo — public hosted instance maintained by the author. https://web-check.as93.net
