
Is your website secure?
Run a free security scan.

Enter your address and get a free PDF report of the flaws and risks on your site — completely free. And if you want, we’re developers and can fix what we find.

Scan your website

A passive security check, then a downloadable PDF report of the flaws and risks we find.

~10s · your grade shows first · no email to view it

Is scanning my site safe?

Yes. The scan is passive and read-only — it reads only what your server already shows any browser (HTTP headers, TLS certificate, public HTML, DNS). We never log in, never attack, never change anything, and it’s invisible to your visitors.

Don't trust us — verify it

Open DevTools → Network and scan. The instant check runs entirely in your browser — the only requests it fires are DNS-over-HTTPS lookups to public resolvers (dns.google / cloudflare-dns.com). Your address never reaches a Kalenfy server until you choose to send it for the full PDF.

// scan reads: HTTPS · TLS · HSTS · CSP · SPF · DKIM · DMARC · DNSSEC · CAA
// never: logs in · attacks · changes anything · uploads until you send
Always free · Free security scan · Free PDF report · We’re developers — we can fix it too

01 // what we fix

Real fixes, not just a list of problems

Your free report doesn't just flag issues — it tells you how to fix each one. And if you'd rather not, we're developers and can close every hole we find for you.

Vulnerability patching

Outdated CMS, plugins and libraries with known CVEs — updated and hardened without breaking your site.

CVE exposed → Patched

HTTPS & TLS

We install & force HTTPS, fix expired or broken certificates, and kill the "Not secure" warning for good.

Security headers

HSTS, CSP, X-Frame-Options, Referrer-Policy — configured properly so attackers can't hijack your pages.

Malware & blacklist removal

Hacked or flagged by Google? We clean the infection and get your domain off blacklists.

Email spoofing protection

SPF, DKIM and DMARC set up so scammers can't send fake emails in your name — and your mail stops hitting spam.

Hardening & monitoring

Firewall rules, locked-down logins, backups and optional ongoing monitoring so problems don't come back.

Exposed files & secrets

A public .env, .git folder or an API key left in your page source — found and locked down before anyone else finds it.

DNS & domain integrity

DNSSEC and CAA records set so nobody can forge where your domain points or issue a certificate in your name.

02 // methodology

Exactly what we check — and what we don't

The free scan is passive and read-only — it reads only what your server already shows any browser. No black box, no hidden probing. Your instant scan covers the DNS & email checks below right away; the rest of this surface (TLS, headers, exposed files, CMS) runs for your deeper report.

What the scan reads — public info

HTTPS & TLS certificate

Whether HTTPS is served and forced, and if the certificate is valid and not expiring.

Security headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Cookie flags

Missing Secure, HttpOnly or SameSite on the cookies your server sets.

Email spoofing — SPF/DKIM/DMARC

Whether your DNS records let scammers send mail in your name (incl. SPF limits, DMARC policy & external-report authorization, DKIM & BIMI).

DNS & domain integrity

DNSSEC signing, CAA issuance control, MX & inbound mail-TLS (MTA-STS / TLS-RPT), and wildcard / catch-all DNS exposure.

Exposed .env / .git

Two fixed paths, verified by file signature — never a wordlist or fuzzing.

Secrets in public HTML/JS

Hardcoded live API keys (Stripe, AWS, GitHub, etc.) left in your page source.

End-of-life CMS / stack

A CMS or server runtime past security support, from the version it advertises.

Mixed content

Resources loaded over plain HTTP on an otherwise secure page.

What it can't see — and we won't fake

Anything behind a login

We don't authenticate, so we can't see member-only or admin areas.

Server-side code & databases

We read public responses only — never your source or data.

Business-logic & payment flaws

These need hands-on testing, not a passive read.

Active exploitation

We never attack, inject, brute-force or try to break in.

Anything needing written permission

Deeper testing is opt-in and authorised, never automatic.

Deeper, active testing is Level 2 — only on sites we're authorised to test, by hand.

How the grade works

A+  95–100
A   85+
B   75+
C   60+
D   40+
E   20+
F   <20

Every site starts at 100. We subtract only for real issues found — critical −45, high −22, medium −9, low −4. A clean public surface keeps its A+; we never inflate the score to scare you into a fix.
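As an added example (not Kalenfy's code, and not the scanner's actual rules), here is how the SPF/DMARC part of the passive email check above and this grading rule can be implemented over the JSON a DNS-over-HTTPS resolver returns for a TXT query. The response shape is the dns.google / cloudflare-dns.com JSON format; the sample records, and which severity each finding gets, are my own constructed assumptions.

```javascript
// Added example, not Kalenfy's code: the email-spoofing part of the passive
// check, fed the JSON a DNS-over-HTTPS resolver (dns.google / cloudflare-dns.com)
// returns for a TXT query, then graded with the deductions the page states.
// Which severity each finding gets is my own assumption, not the scanner's.
const DEDUCTION = { critical: 45, high: 22, medium: 9, low: 4 };
const BANDS = [[95, "A+"], [85, "A"], [75, "B"], [60, "C"], [40, "D"], [20, "E"]];
// TXT answers (type 16) arrive as quoted chunks; join each record into one string.
function txtRecords(doh) {
  return (doh.Answer || [])
    .filter((rr) => rr.type === 16)
    .map((rr) => (rr.data.match(/"[^"]*"/g) || [rr.data]).map((s) => s.replace(/^"|"$/g, "")).join(""));
}

// SPF: must exist, must not end in +all or ?all, and must stay within the
// 10-DNS-lookup limit of RFC 7208 (past it, receivers treat SPF as a permerror).
function checkSpf(txt) {
  const spf = txt.find((t) => /^v=spf1(\s|$)/i.test(t));
  if (!spf) return [{ severity: "high", msg: "no SPF record: anyone can send as this domain" }];
  const findings = [];
  const m = spf.match(/(?:^|\s)([+~?-]?)all(?:\s|$)/i);
  const all = m ? m[1] || "+" : null; // no qualifier means "+" (pass)
  if (all === "+") findings.push({ severity: "high", msg: "SPF ends in +all: every sender passes" });
  if (all === "?" || all === null) findings.push({ severity: "medium", msg: "SPF has no fail qualifier (neutral)" });
  const lookups = spf.split(/\s+/).filter((t) => /^[+~?-]?(include:|a([:/]|$)|mx([:/]|$)|ptr|exists:)|^redirect=/i.test(t)).length;
  if (lookups > 10) findings.push({ severity: "high", msg: `SPF needs ${lookups} DNS lookups (limit 10)` });
  return findings;
}

// DMARC: the _dmarc.<domain> TXT must exist and carry an enforcing policy.
function checkDmarc(txt) {
  const rec = txt.find((t) => /^v=DMARC1(;|\s|$)/i.test(t));
  if (!rec) return [{ severity: "high", msg: "no DMARC record: receivers get no policy for failed mail" }];
  const p = (rec.match(/(?:^|;)\s*p=([a-z]+)/i) || [])[1];
  if (!p || p.toLowerCase() === "none") return [{ severity: "medium", msg: "DMARC p=none only monitors; spoofed mail still lands" }];
  return [];
}

// The page's grading rule: start at 100, subtract per severity, floor at 0, map to a band.
function grade(findings) {
  const score = Math.max(0, findings.reduce((s, f) => s - DEDUCTION[f.severity], 100));
  const band = BANDS.find(([min]) => score >= min);
  return { score, letter: band ? band[1] : "F" };
}

// One domain = two DoH answers: TXT at the apex (SPF) and TXT at _dmarc.<domain>.
function scanEmail(apexTxtDoh, dmarcTxtDoh) {
  const findings = [...checkSpf(txtRecords(apexTxtDoh)), ...checkDmarc(txtRecords(dmarcTxtDoh))];
  return { findings, ...grade(findings) };
}
```

In a browser the two inputs would be the parsed bodies of `https://dns.google/resolve?name=<domain>&type=TXT` and the same query for `_dmarc.<domain>`.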

Jargon, defined
HTTPS / TLS
Encryption between the browser and your server so data can't be read or altered in transit — the padlock.
HSTS
A header (Strict-Transport-Security) that forces browsers to always use HTTPS for your site, even if someone types http.
CSP
Content-Security-Policy — a header that whitelists what may load on your page, blocking most cross-site scripting.
X-Frame-Options
Stops other sites embedding yours in a hidden frame to trick your users into clicking (clickjacking).
SPF
A DNS record listing who may send email for your domain — the first defence against spoofed mail.
DKIM
A cryptographic signature on outgoing email that lets receivers verify it genuinely came from you.
DMARC
A DNS policy telling receivers what to do with mail that fails SPF/DKIM — and where to email you abuse reports.
Mixed content
Loading some resources over plain HTTP on an HTTPS page — it breaks the padlock and can be intercepted.
Cookie flags
Secure, HttpOnly and SameSite settings that stop session cookies being stolen by scripts or sent insecurely.
End-of-life (EOL) software
A CMS, plugin or runtime past its support date — no more security patches, so known exploits keep working.
DNSSEC
Cryptographic signing of your DNS so attackers can't forge where your domain points.
CAA
A DNS record naming which certificate authorities may issue HTTPS certificates for your domain.

// field guide

How to tell if your website is secure

Short, honest answers to what site owners actually ask. The free scan above already checks many of these for you.

How to check if your website is secure

Start with what anyone can verify: does the site load over HTTPS with a valid certificate (a padlock, no “Not secure”)? Are the common security headers present (HSTS, CSP, X-Frame-Options)? Is email authentication set up (SPF, DMARC)? Are config files like .env or .git reachable in public? Kalenfy’s free scan reads exactly these public signals and grades them — no login or attack needed.

Signs your website has been hacked

Watch for: a browser malware or “deceptive site” warning; pages redirecting to spam or unknown domains; Google flagging you in search results; strange new pages, admin users or files you didn’t create; or your host suspending the account. If you see these, take the site offline and restore a known-clean backup before you investigate further.

What makes a website secure

Enforced HTTPS with HSTS; a sensible Content-Security-Policy plus the other security headers; cookies marked Secure, HttpOnly and SameSite; up-to-date CMS, plugins and libraries; SPF, DKIM and DMARC so your domain can’t be spoofed; no secrets or config files left in public; and DNSSEC and CAA on your domain. No single setting is enough — security is the whole stack kept current.

Run the free scan above to see which of these your site already passes.

03 // how it works

Your free report in four steps

01

Scan your site

Enter your URL — we run a passive security check. Free, nothing intrusive.

02

Get your report

A free PDF of every flaw and risk, in plain English, with exactly how to fix each one.

03

Fix it

Use the report yourself — or, if you want, we're developers and can close the holes for you.

04

Stay secure

Keep your report and re-scan anytime. We only reach out if you ask us to.

04 // the deal

No scare tactics. Just an honest, free report.

We tell you what's broken and let the facts speak — the scan and the report are always free, and we never hold a problem hostage. If you'd like a hand fixing it, we're developers and can do the work. Entirely up to you.

We do the work

We implement the fixes. You get a secure site, not homework.

Plain English

No jargon. You know what was wrong and what we changed.

We're developers

Real engineers fix your site carefully — not a faceless agency or a bot.

What a fixed site looks like: All clear
HTTPS enforced: Fixed
Security headers added: Fixed
SPF / DMARC configured: Fixed
CMS & plugins patched: Fixed

Our ethics & disclosure policy

What we never do

  • Hold your site hostage
  • Charge you to find out what's wrong
  • Publish, sell or exploit what we find
  • Invent a fake deadline to rush you

What you always get

  • A free warning, in plain English
  • A free report, yours to keep
  • Your data kept private (GDPR)
  • Full freedom to say no

05 // the fix

Found problems? You don't have to fix them alone.

The scan and the report are free — yours to keep and act on however you like. And if you'd rather not deal with it, we're developers and we can fix what we find for you. Just reply when your report lands — no pressure, no hard sell.

Built by developers — real engineers, not an agency or a bot.

Keep the report

A clear PDF of every issue with plain-English fixes — use it yourself or hand it to your own developer.

Or let us fix it

We're developers. If you want, we close the holes for you — backed up, careful, and explained in plain English.

No pressure

The report is free and yours with no strings. We only reach out if you ask us to.

06 // faq

Questions, answered

What happens when I scan my site?

You get a free PDF report of the security flaws and risks we find on your site — free, no obligation. If you'd like them fixed, we're developers and can help; just ask.

Do I need to be technical?

Not at all. You enter your site (or just your email) and we do everything. We explain what was wrong and what we changed in plain English — no jargon.

Will fixing my site break anything?

No. We back up first, harden carefully and verify the site works exactly as before — just secure. If anything looks off, we put it right.

Is it really free?

Yes — the scan and the PDF report are free, with no card and no catch. If you'd like us to fix what we find, we're developers and can help; just reply and we'll take it from there.

What exactly does the free scan check?

Instantly, in your browser: SPF, DKIM, DMARC (including external-report authorization), DNSSEC, CAA, MX, MTA-STS/TLS-RPT, BIMI and wildcard/catch-all DNS — your email-spoofing and domain integrity. The full passive surface — HTTPS/TLS, security headers, cookie flags, exposed .env/.git, secrets in public code, end-of-life CMS and mixed content — runs for your deeper report. All from public information, nothing intrusive; what it can't see is in our methodology section above.

What is a website security scan?

It's an automated check of the security signals your site exposes publicly — HTTPS/TLS, security headers, cookie flags, SPF/DKIM/DMARC, exposed files, outdated software. Ours is passive and read-only (it never logs in or attacks anything), and you get the results as a free PDF report.

How do I know if my website has been hacked?

Common signs: a "Not secure" or malware warning in the browser, your site redirecting to spam, Google flagging it in results, strange new pages or files, or your host suspending the account. Our free scan catches the public red flags — exposed files, missing HTTPS, email spoofing, end-of-life software. A confirmed compromise usually needs a deeper, authorised look, but the free scan is the place to start.

// start here

Is your site exposed? Find out in seconds.

Scan your site and get your security report — free. And if you want, we're developers and can fix what we find.
