web-check

Web-Check is an open-source OSINT platform that gives security professionals, sysadmins, and developers deep technical visibility into any website. Instead of switching between a dozen command-line tools, Web-Check aggregates over 30 distinct data sources — from IP geolocation and SSL certificate chains to DNS DNSSEC validation, HTTP security headers, open ports, tech stack fingerprinting, and carbon footprint estimation — into a single, interactive dashboard.

The architecture separates a Node.js/Express backend of self-registering API modules from a React + Astro frontend. Each API module is an independent JavaScript file that is auto-discovered and mounted at runtime, so adding a new data source is as simple as dropping a new file into the api/ directory. The client side drives all 30+ jobs concurrently, streaming results into card components as they arrive, with per-job retry and per-job abort capabilities.

Web-Check is designed for genuine self-hosting. A single Docker image bundles the Express API server, the Astro SSR layer, and a Chromium binary for screenshot capture. The same codebase deploys equally well to Netlify or Vercel as serverless functions, making it practical for both personal lab use and organizational deployment at scale. Configurable rate limiting, CORS controls, and environment-variable-driven feature flags mean operators can tailor it for public or private use.

Beyond passive reconnaissance, Web-Check includes an advisory engine: a set of pure analyzer functions that evaluate fetched data against security best practices and surface findings categorized as critical, issue, warning, or pass. This transforms raw data collection into actionable intelligence, letting users know not just what a site exposes but whether those exposures represent risks.

What You Get

• SSL Chain Analysis - Fetches the full certificate chain using Node’s native TLS module, exposing issuer, validity window, subject alt names, and authorization errors to identify expired or misconfigured certs at a glance.
• DNS Records Suite - Resolves A, AAAA, MX, NS, CNAME, TXT, SOA, SRV, and PTR records concurrently via the dns/promises API, giving a complete picture of a domain’s email, nameserver, and delegation setup.
• HTTP Security Headers Audit - Evaluates response headers against a checklist of critical (CSP, HSTS, X-Content-Type-Options, X-Frame-Options) and recommended (Referrer-Policy, Permissions-Policy, CORP, COOP) directives, flagging gaps.
• Open Ports Scanner - Probes common TCP ports and maps reachable services to identify exposed attack surfaces such as SSH, FTP, or database ports that should not be publicly accessible.
• Tech Stack Fingerprinting - Uses Wappalyzer to identify frameworks, CMS platforms, analytics tools, CDNs, and JavaScript libraries running on the target site.
• TLS Security Audit - Runs multi-level TLS checks including cipher suite support, client compatibility simulation, and protocol version analysis to surface weaknesses in the transport layer.
• Security Advisory Engine - Applies pure analyzer functions to each job’s results and categorizes findings as critical, issue, warning, or pass, turning raw data into prioritized actionable security recommendations.
• Cookies Analysis - Inspects HTTP cookies for missing security attributes (HttpOnly, Secure, SameSite) that could enable session hijacking or cross-site request forgery.
• Subdomain & Hostname Discovery - Enumerates associated hostnames through reverse DNS, certificate transparency logs, and WHOIS data to map the broader infrastructure of a target.
• Carbon Footprint Estimation - Calculates the estimated CO2 impact of page loads based on data transfer volume and server energy mix, useful for sustainability audits.
• Screenshot Capture - Uses Puppeteer with a bundled Chromium binary to capture a rendered screenshot of the target page for visual verification and archiving.
• Redirect Chain Tracing - Follows HTTP redirects and logs each hop with status codes to detect unwanted intermediaries, mixed-scheme redirects, or redirect loops.

Common Use Cases

• Pre-engagement reconnaissance - A penetration tester points Web-Check at a client’s domain before starting a formal audit to instantly gather IP, DNS, open ports, and SSL data, compressing hours of manual tool-hopping into a two-minute scan.
• SSL expiry monitoring - A sysadmin embeds Web-Check’s API endpoint in a cron job to periodically check certificate validity and receive alerts when a cert is within 30 days of expiry, preventing unexpected HTTPS outages.
• Phishing site investigation - A SOC analyst uses Web-Check to trace the IP, hosting provider, SSL issuer, and WHOIS registration of a suspicious link reported by a user, quickly determining whether it shares infrastructure with known malicious domains.
• Security header compliance review - A web developer runs Web-Check against a newly deployed site to verify that Content-Security-Policy, HSTS, and X-Frame-Options headers are correctly configured before the site goes live.
• Competitive tech stack analysis - A product manager inspects a competitor’s domain to identify their CDN, analytics platform, CMS, and JavaScript frameworks using the Wappalyzer-powered tech stack fingerprinting module.
• Self-hosted internal tooling - A security team deploys Web-Check on their private network via Docker to scan internal domains and staging environments without sending reconnaissance data through a third-party public service.

Under The Hood

Architecture Web-Check uses a clean two-tier architecture: a Node.js/Express backend that auto-discovers and mounts API handlers at startup by scanning the api/ directory for .js files, and a React + Astro frontend that drives all fetches concurrently via a useJobs hook backed by a reducer. The backend exposes each analysis module as an independent GET endpoint and provides a single aggregate /api route that fans out to all handlers in parallel using Promise.race against a configurable timeout. The frontend’s job registry maps logical card identifiers to fetcher functions and result-card components, allowing the Results view to render incrementally as individual jobs resolve. A separate analysis registry applies pure stateless analyzer functions to each job’s data, producing severity-tagged findings without coupling display logic to evaluation logic. This separation means new data sources require only a new api/ module and a new card component — no central wiring is needed.

Tech Stack The project is a full-stack TypeScript monorepo built on Astro 6 for SSR, with React 19 and Svelte 5 components coexisting inside the same Astro build. The backend is Express 5 with express-rate-limit, running on Node.js 22. DNS operations use Node’s built-in dns/promises API; TLS inspection uses the native tls module. Screenshot capture relies on Puppeteer with @sparticuz/chromium for serverless environments and the chromium package for Docker. Tech stack detection is powered by Wappalyzer. Data visualization uses Recharts and react-simple-maps, with animations via Framer Motion and @emotion/styled for CSS-in-JS. The project deploys to Docker, Netlify, Vercel, Fly.io, and Cloudflare via platform-specific Astro adapters, all driven from the same source.

Code Quality The codebase demonstrates solid structural discipline: ESLint, Prettier, and Astro’s type-checker run in CI on every PR, with a Docker smoke test that boots the container and validates HTTP responses. The analysis layer is well-typed — Analyzer functions accept typed inputs and return Finding arrays with strict severity enums. The API handlers use a shared middleware abstraction that normalizes URL parsing, CORS, rate limiting, and timeout handling across all 30+ modules without repetition. However, the result-processor utilities and several card components rely on broad any types for incoming API payloads, which limits the type-safety benefit in the rendering layer. No dedicated unit or integration test suite exists; correctness is validated through CI build success and Docker smoke testing rather than assertion-based tests.

What Makes It Unique Web-Check’s defining design choice is its filesystem-driven plugin architecture for API handlers: the server scans the api/ directory at startup and mounts every .js file as a route, so adding a new reconnaissance module requires zero changes to routing code. On the client side, a parallel job-runner with per-job abort, retry, and timeout controls drives all 30+ checks simultaneously, streaming results into card components as they arrive rather than waiting for a full batch. The embedded advisory engine — a set of pure analyzer functions that evaluate raw job data against security best practices and emit severity-tagged findings — elevates the tool beyond a data aggregator into an actionable security scanner. Combined with multi-platform deployment (Docker, Netlify, Vercel, Fly.io, Cloudflare) from a single codebase, Web-Check achieves a level of operational flexibility rare in open-source OSINT tools.

Self-Hosting

Web-Check is released under the MIT License, which grants full freedom to use, modify, distribute, and even sell the software commercially with no copyleft obligations. You are not required to open-source derivative works, and there are no restrictions on deploying it within internal tooling, embedding it in a commercial product, or offering it as part of a paid service. The only requirement is preserving the copyright notice in any distributed copy.

Running Web-Check yourself requires a Node.js 22 environment and, optionally, a Chromium binary for screenshot capture. The simplest self-hosted path is Docker: the provided image bundles the Express API server, the compiled Astro SSR handler, and Chromium into a single container you can start with a single docker run command. Infrastructure overhead is minimal — a single low-cost VPS or cloud instance handles the API load for personal and small-team use, though public-facing deployments benefit from configuring the built-in rate limiter (API_ENABLE_RATE_LIMIT=true) to prevent abuse. You own all reconnaissance data, all uptime responsibility, and all upgrade decisions. The project does not phone home, and there is no license server or telemetry.

Compared to the hosted instance at web-check.xyz, self-hosting gives you full control over rate limits, API timeout thresholds, CORS policy, and which endpoints are exposed. The public hosted instance applies tighter timeouts and rate limits to manage running costs, meaning some checks will time out on slower targets that a private instance with a higher PUBLIC_API_TIMEOUT_LIMIT would handle cleanly. There is no commercial SaaS tier or enterprise support offering — the project is community-maintained, and the primary support channel is GitHub Issues. For teams that need SLAs, managed upgrades, or dedicated support, Web-Check is not the right fit in its current form; for teams comfortable operating their own infrastructure and contributing upstream, it is a capable and fully ownable tool.