Security categories
Browse security checks by topic.
Every check Barrion runs, grouped by what it's protecting. Pick a topic, run the tool free, get the fix. Default scans are production-safe and never touch state-changing routes.
Transport security
TLS, HTTPS, and certificates.
TLS/SSL Security Checker
Validate your SSL/TLS configuration and certificate setup
HTTPS & HSTS Checker
Verify HTTPS redirects, HSTS policy and readiness for preload.
Certificate Expiry Checker
Check SSL/TLS certificate expiry and chain validity to avoid outages.
Cipher Suite Analysis
Analyze SSL/TLS cipher suite configuration and strength
OCSP Stapling Checker
Validate OCSP stapling configuration for optimal SSL/TLS performance
CAA Records Checker
Validate Certificate Authority Authorization records for domain security
HTTP response headers
Security headers and disclosure.
Security Headers Test
Check your website's HTTP security headers configuration
X-Content-Type-Options Checker
Detect nosniff protection and prevent dangerous MIME type sniffing.
Referrer Policy Checker
Validate Referrer-Policy and apply privacy-preserving safe defaults.
Permissions-Policy Checker
Review Permissions-Policy to control powerful web features and reduce risk.
Content-Type Header Checker
Validate Content-Type header presence, charset, and correct MIME usage.
Server Information Disclosure Checker
Detect exposed Server and X-Powered-By headers leaking technology versions.
Content Security Policy
CSP and frame protection.
Content Security Policy (CSP) Checker
Analyze your CSP for unsafe directives and strengthen your policy with best practices.
Clickjacking Protection Checker
Test X-Frame-Options and CSP frame-ancestors so your pages can't be framed.
Frame Security Policy Checker
Validate frame-ancestors and embedding restrictions to prevent clickjacking.
Cookies
Cookie flags that hold up.
Cross-origin
CORS, COOP, COEP, CORP.
CORS Policy Checker
Validate Access-Control headers, credentials safety, and simulate preflight requests.
COOP Header Checker
Check Cross-Origin-Opener-Policy for cross-window isolation and security.
COEP Header Checker
Validate Cross-Origin-Embedder-Policy configuration and embedding rules.
Cross-Origin Isolation Checker
Test COOP/COEP/CORP alignment and readiness for cross-origin isolation.
DNS & email auth
SPF, DKIM, DMARC, DNSSEC, CAA.
Network exposure
Ports, subdomains, server leaks.
Application vulnerabilities
XSS, CSRF, vulnerable libs.
Vulnerable JavaScript Libraries Scanner
Scan for known vulnerable JS libraries and versions.
CSRF Protection Checker
Check presence of anti-CSRF tokens and complementary SameSite strategy.
XSS Protection Checker
Check X-Content-Type-Options, CSP against XSS, and Trusted Types readiness.
X-XSS-Protection Header Checker
Identify deprecated X-XSS-Protection usage and adopt modern mitigations.
Mixed Content Checker
Detect HTTP resources on HTTPS pages and validate browser compatibility.
Overall posture
One-click sweeps and compliance views.
Complete Security Scan
Complete website security analysis with comprehensive vulnerability detection
Pre-Pentest Security Scan
Passive scan that catches the misconfigurations a pentester finds first. Use it before a manual engagement to clear the easy issues.
vulnerability-scanner
security-audit
Security Compliance Checker
Check compliance with PCI DSS, HIPAA, SOC 2, ISO 27001, and GDPR. Get compliance readiness reports.
WAF Checker
Detect Web Application Firewall presence through passive header analysis. Identify WAF/CDN providers.
FAQ
Security categories, answered.
What's the difference between /tools and /security-categories?
The /tools page is a flat catalog of every check Barrion runs. /security-categories groups those same checks by topic, so you can find them by what you're trying to protect. TLS, headers, CSP, cookies, CORS, DNS, email auth, network exposure, application vulnerabilities, and compliance overlays. Both reach the same underlying scanners.
Do I need to run every category?
No. Most teams start with the Complete Security Scan, which sweeps all categories at once and ranks the findings by severity. From there you'll know which categories have gaps worth fixing. The category pages exist for cases where you already know what you're auditing, for example a CSP rollout, a new TLS certificate, or an upcoming SPF/DKIM/DMARC change.
Are the checks safe to run against a production site?
Yes. Every default scan is read-only and production-safe. We don't submit forms, hit state-changing routes, or generate meaningful load. The same engine runs on the free tier and on the paid plans, so you can validate it against your own production app before signing up.
How do these categories map to compliance frameworks?
TLS, headers, and DNS controls map to PCI DSS, SOC 2 Common Criteria, ISO 27001 Annex A, and NIS2 technical measures. The Security Audit and Compliance Checker tools assemble category findings into framework-shaped reports you can hand to an auditor or share in a customer security review.
Where do the underlying checks come from?
Barrion runs a Barrion-built scanner stack on top of open-source tooling we credit openly. The scoring, deduplication against scan history, remediation copy, PDF exports, and continuous monitoring are the parts we operate around them. If you'd rather wire those engines together yourself, you can. If not, that's exactly what Barrion is for.
One scan covers every category.
Run the Complete Security Scan once. It exercises every category and ranks the findings by severity. Free, no signup needed to see the score.