What is required for a scan?

Just a publicly reachable domain. No credentials and no configuration changes are required.

How long does a scan take?

Usually less than a minute. The result is available immediately afterwards.

Does the scan affect the website?

The scan is comparable to a regular page visit and does not create more load than an additional visitor.

Does the scan change our website or data?

No. The scan is performed externally and does not affect your systems or data.

Is the scan legally permissible?

The scan analyzes only publicly reachable content of the provided domain. It works like a regular website request and does not access internal systems.

Do you store any data?

Results are only stored when the full report is purchased. Otherwise, they are automatically deleted after a short time. We do not share data with third parties and comply with GDPR.

What does the free scan include?

The free result shows the number and severity of identified issues, plus a brief assessment of the website’s overall state. Details on individual findings and remediation steps are included in the full report.

What’s included in the report?

The report contains the results of all checks, puts them into context, and lists concrete steps to address them.

How do you ensure that only the domain owner can access the results?

Purchasing the full report requires email verification. The email address must belong to the scanned domain and is verified via a one-time code sent to that inbox.

What types of websites can be scanned?

Any publicly reachable website or web application — including classic websites, modern single-page apps, and APIs.

Do I need code access or admin credentials?

No. RGate scans your publicly accessible website from the outside, exactly as an attacker would. No credentials, no code access, no plugins needed.

Is the scan safe — will anything be changed?

Absolutely safe. RGate performs read-only passive analysis. We detect and report — we never modify data, inject payloads, or run destructive tests.

What BaaS platforms do you check?

We have specialized checks for Supabase (RLS, storage buckets, exposed tables), Firebase (Security Rules, public access), Appwrite, and generic REST APIs. Coverage is continuously expanded.

How is this different from Qualys or Burp Suite?

Qualys and Burp Suite are for security professionals doing comprehensive penetration testing. RGate is for developers at the release gate — a fast, automated check that anyone can run in 60 seconds, no security expertise required.

What's a CVE and how do you match them to my stack?

CVE (Common Vulnerabilities and Exposures) are publicly known security flaws. We detect the libraries and versions in your stack, then cross-reference against the NVD and GitHub Advisory databases to flag known vulnerabilities.

What happens with my scan results and URL?

Your URL is only used for the scan. Results are stored encrypted so you can access your report. You can delete your report at any time. We strictly comply with GDPR.

Does this replace a manual penetration test?

No. RGate catches the most common, detectable misconfigurations quickly. A thorough manual penetration test is still valuable for critical systems — RGate is the first line of defense you run at every deploy.

Security

Security is essential.
Are you secure?

Coding and testing belong together – just like attack and defense. When coding takes the next step, testing has to take the next step. When attackers step up, defense has to step up. Coding is being automated. So we automate testing.

The way we test

Websites come to life in the user's browser – not on the server. The server only delivers the building blocks. How a page actually looks, behaves and performs is determined in the browser. Anyone testing only on the server is checking the plan, not the result. Whether a page truly works becomes visible on the screen where it appears. That's where we look.

What we check

Comprehensive checks for the most common security vulnerabilities.

Tech Stack Detection

Frameworks, BaaS, hosting & libraries automatically identified.

Open Databases & APIs

Supabase RLS, Firebase Rules and open endpoints checked.

Exposed Secrets

API keys, .env files and source maps uncovered.

Security Headers & CORS

HSTS, CSP, X-Frame-Options and CORS configuration.

Misconfigurations

Common security mistakes in modern deployments.

Public Admin Endpoints

Dashboard URLs and admin panels without protection detected.

Layer 1 – Tech Stack Detection

"What technologies are being used?" Analysis of the deployed stack with focus on security-relevant features.

Detection Methods

HTTP Response HeadersServer, Framework, CDN · server: cloudflare

HTML & Script TagsFrontend framework, Tracking · /_next/... → Next.js

JS Bundle AnalysisLibraries + Versions, Keys · react@18.2.0

API Endpoint FingerprintingBaaS provider · *.supabase.co

DNS/TLS AnalysisHosting, CDN · Vercel, Netlify

Known PathsAdmin panels, Config · /wp-admin, /.env

Detected Categories

FrontendReact, Vue, Svelte, Angular, Next.js, Nuxt, Astro

BackendNode, PHP, Python, Ruby, Go

BaaSSupabase, Firebase, Appwrite, Convex, Nhost

CMSWordPress, Kirby, Strapi, Sanity, Contentful

HostingVercel, Netlify, Render, Railway, Fly.io, Cloudflare

AuthClerk, Auth0, Supabase Auth, Firebase Auth

PaymentsStripe, Paddle, LemonSqueezy

AnalyticsPlausible, PostHog, Google Analytics, Mixpanel

AI BuilderLovable, Bolt, v0, Replit

Example Output

{
  "builder":  { "name": "Lovable",   "confidence": 0.92 },
  "frontend": { "name": "React",     "version": "18.3.1", "latest": "19.1.0", "outdated": true },
  "baas":     { "name": "Supabase",  "project_ref": "zzwy...iqyt", "region": "eu-central-1" },
  "hosting":  { "name": "Vercel",    "confidence": 0.95 },
  "ui":       { "name": "shadcn/ui", "version": "0.8.0" }
}

Layer 2 – Version & Vulnerability Check

"Is it up to date?" – CVE matching via NVD, Snyk & GitHub Advisory DB.

Check	Method	Severity
Frontend library versionsHigh	JS Bundle & Source Maps	High
Server softwareHigh	Header analysis	High
BaaS SDK versionMedium	x-client-info header	Medium
TLS configurationMedium	TLS Handshake analysis	Medium
Known vulnerable pathsCritical	.env, .git/config, debug.log	Critical

Layer 3 – Configuration Audit

Our differentiator – we test what most scanners ignore.

Supabase-specific

RLS active?Critical

Checks if Row Level Security is active on all tables

Tables exposed?High

Number of publicly accessible tables via OpenAPI Schema

Write access open?Critical

POST with empty body tests if RLS is enforced

Sensitive tables?Critical

Pattern matching on users, admin, passwords, payments

Storage buckets public?High

Checks if storage buckets are accessible without auth

General Checks

CORS PolicyHigh

Tests with evil.com Origin

Security HeadersMedium

HSTS, CSP, X-Frame-Options

.env / .git exposed?Critical

Probing known paths

Source MapsMedium

*.js.map availability

Rate LimitingMedium

50 requests in 5 seconds burst

Cookie SecurityMedium

Secure, HttpOnly, SameSite flags

GDPR Quick CheckInfo

Legal notice, privacy policy, cookie banner

Layer 4 – Beyond Security

We don't just check security. Every scan also analyzes SEO, accessibility, legal compliance and sustainability.

SEO

Meta tags, headings, Open Graph, robots.txt, sitemap, canonical URLs, mobile-friendliness.

Accessibility

ARIA attributes, form labels, document language, heading hierarchy, image alt text, color contrast.

Legal & GDPR

Sustainability

Page weight, HTTP compression, image optimization, request count, green hosting indicators.

Reporting, Assessment & Recommendations

Every scan produces a comprehensive report with a clear release readiness verdict and actionable recommendations.

Release Readiness

Instead of abstract scores, you get a plain-language assessment of whether your site is ready to go live – or what needs to happen first. Each finding comes with a risk explanation and step-by-step fix instructions.

Release Ready

No blocking issues found. Your site is ready to go live.

Continuous Testing

RGate helps you to stay safe. Re-scan after every deploy to catch regressions early and maintain a strong security posture over time.

Conditional – Action Required

New issues detected after deploy. Review recommended.

What we check

Security

50 automated checks

TLS / Certificate

Security Headers

CORS Configuration

Exposed Files & Paths

Supabase Configuration

Firebase Configuration

Known Vulnerabilities (CVE)

See all 50 security checks in detail →

Security FAQ

Common questions about automated security testing.

The way we test

What we check

Tech Stack Detection

Open Databases & APIs

Exposed Secrets

Security Headers & CORS

Misconfigurations

Public Admin Endpoints

Layer 1 – Tech Stack Detection

Detection Methods

Detected Categories

Example Output

Layer 2 – Version & Vulnerability Check

Layer 3 – Configuration Audit

Supabase-specific

General Checks

Layer 4 – Beyond Security

SEO

Accessibility

Legal & GDPR

Sustainability

Reporting, Assessment & Recommendations

Release Readiness

Continuous Testing

Security

1.SSL certificate has expired

2.SSL certificate expires soon (< 14 days)

3.SSL certificate expires soon (< 30 days)

4.Outdated TLS version (TLS 1.0 / 1.1)

5.TLS 1.2 in use (1.3 recommended)

6.HSTS max-age is less than 1 year

7.HSTS does not include subdomains

8.Mixed content detected

9.Missing Strict-Transport-Security (HSTS) header

10.Missing Content-Security-Policy (CSP) header

11.Weak Content-Security-Policy

12.CSP allows 'unsafe-inline'

13.Missing X-Frame-Options header

14.Missing X-Content-Type-Options header

15.Missing Referrer-Policy header

16.Missing Permissions-Policy header

17.CORS reflects any origin with credentials

18.CORS reflects any origin

19.CORS wildcard (*) with credentials

20.CORS allows all origins (wildcard)

21.Exposed .env file

22.Exposed .git directory

23.Exposed wp-config.php

24.Exposed .htpasswd file

25.Exposed SQL backup

26.Exposed phpinfo()

27.Exposed debug log

28.Exposed docker-compose.yml

29.Exposed config.json

30.Source maps exposed

31.Exposed Apache server-status

32.Docker environment detected

33.WordPress admin panel accessible

34.security.txt found

35.Supabase OpenAPI schema is publicly accessible

36.Many database tables exposed via API

37.Tables allow write operations via API

38.Sensitive tables exposed

39.Tables readable without authentication

40.Sensitive fields exposed in table

41.Tables allow unauthenticated writes

42.Supabase API key has expired

43.Supabase API key expires soon

44.Public storage bucket(s) found

45.Firebase Realtime Database is publicly readable

46.Firestore collection is publicly readable

47.Firebase Storage allows public file listing

48.Firebase API key lacks restrictions

49.CVE lookup against NVD and OSV.dev

50.Outdated WordPress version detected

Security FAQ

Do I need code access or admin credentials?

Is the scan safe — will anything be changed?

What BaaS platforms do you check?

How is this different from Qualys or Burp Suite?