What is required for a scan?

Just a publicly reachable domain. No credentials and no configuration changes are required.

How long does a scan take?

Usually less than a minute. The result is available immediately afterwards.

Does the scan affect the website?

The scan is comparable to a regular page visit and does not create more load than an additional visitor.

Does the scan change our website or data?

No. The scan is performed externally and does not affect your systems or data.

Is the scan legally permissible?

The scan analyzes only publicly reachable content of the provided domain. It works like a regular website request and does not access internal systems.

Do you store any data?

Results are only stored when the full report is purchased. Otherwise, they are automatically deleted after a short time. We do not share data with third parties and comply with GDPR.

What does the free scan include?

The free result shows the number and severity of identified issues, plus a brief assessment of the website’s overall state. Details on individual findings and remediation steps are included in the full report.

What’s included in the report?

The report contains the results of all checks, puts them into context, and lists concrete steps to address them.

How do you ensure that only the domain owner can access the results?

Purchasing the full report requires email verification. The email address must belong to the scanned domain and is verified via a one-time code sent to that inbox.

What types of websites can be scanned?

Any publicly reachable website or web application — including classic websites, modern single-page apps, and APIs.

What We Check

Full transparency: here is every automated check included in an RGate scan. Each finding comes with a risk explanation and step-by-step fix instructions.

119 automated checks across 5 categories

Security

50 checks

TLS / Certificate

Security Headers

CORS Configuration

Exposed Files & Paths

Supabase Configuration

Firebase Configuration

Known Vulnerabilities (CVE)

Legal

12 checks

Cookie Consent

Privacy Policy

Legal Notice (Impressum)

Tech Stack Disclosure

Image Licensing & AI Content

Accessibility (A11y)

14 checks

WCAG Compliance

Images

Document Structure

Touch & Mobile

Search Engine Optimization (SEO)

32 checks

Meta Tags

Robots & Indexing

Mobile Friendliness

URL & Canonicalization

Page Structure

Performance (SEO Impact)

Sustainability

11 checks

What We Check

Security

TLS / Certificate

SSL certificate has expired

SSL certificate expires soon (< 14 days)

SSL certificate expires soon (< 30 days)

Outdated TLS version (TLS 1.0 / 1.1)

TLS 1.2 in use (1.3 recommended)

HSTS max-age is less than 1 year

HSTS does not include subdomains

Mixed content detected

Security Headers

Missing Strict-Transport-Security (HSTS) header

Missing Content-Security-Policy (CSP) header

Weak Content-Security-Policy

CSP allows 'unsafe-inline'

Missing X-Frame-Options header

Missing X-Content-Type-Options header

Missing Referrer-Policy header

Missing Permissions-Policy header

CORS Configuration

CORS reflects any origin with credentials

CORS reflects any origin

CORS wildcard (*) with credentials

CORS allows all origins (wildcard)

Exposed Files & Paths

Exposed .env file

Exposed .git directory

Exposed wp-config.php

Exposed .htpasswd file

Exposed SQL backup

Exposed phpinfo()

Exposed debug log

Exposed docker-compose.yml

Exposed config.json

Source maps exposed

Exposed Apache server-status

Docker environment detected

WordPress admin panel accessible

security.txt found

Supabase Configuration

Supabase OpenAPI schema is publicly accessible

Many database tables exposed via API

Tables allow write operations via API

Sensitive tables exposed

Tables readable without authentication

Sensitive fields exposed in table

Tables allow unauthenticated writes

Supabase API key has expired

Supabase API key expires soon

Public storage bucket(s) found

Firebase Configuration

Firebase Realtime Database is publicly readable

Firestore collection is publicly readable

Firebase Storage allows public file listing

Firebase API key lacks restrictions

Known Vulnerabilities (CVE)

CVE lookup against NVD and OSV.dev

Outdated WordPress version detected

Legal

Cookie Consent

Tracking scripts loaded without cookie consent

Cookies set without visible consent mechanism

Cookie consent mechanism detected

Privacy Policy

No Privacy Policy found

Multiple third-party services require privacy policy updates

Legal Notice (Impressum)

No Impressum / Legal Notice found

Tech Stack Disclosure

Third-party service usage requires disclosure

Image Licensing & AI Content

AI-generated images without visible labeling

AI-edited images detected

Images with stock photo copyright

Images with copyright metadata

C2PA provenance verification

Accessibility (A11y)

WCAG Compliance

Automated WCAG violation checks (axe-core)