Web-Check is an open-source OSINT (Open Source Intelligence) tool designed for security analysts, sysadmins, and penetration testers to rapidly assess the technical surface of any website. It aggregates critical infrastructure data — including IP details, SSL chains, DNS records, HTTP headers, cookies, and server location — into a unified dashboard, eliminating the need to manually run multiple CLI tools. Built with TypeScript and deployed via Netlify, Vercel, or Docker, it integrates with modern web standards and provides real-time, actionable insights for security audits and reconnaissance.
The tool leverages public DNS, SSL, and HTTP APIs to extract and visualize infrastructure data without requiring authentication or API keys. It supports both web-based and self-hosted deployments, making it accessible for individual researchers and enterprise teams. Its modular architecture allows for easy extension with new analysis modules, and it is actively maintained with CI/CD pipelines for automated testing and deployment.
What You Get
- IP Info - Discovers the server’s IP address, associated ASN, geolocation, and hosting provider to map network infrastructure and identify co-hosted domains.
- SSL Chain Analysis - Extracts full certificate chains, issuer details, validity periods, and public keys to verify authenticity and detect misconfigurations or expired certs.
- DNS Records Lookup - Retrieves A, AAAA, MX, NS, CNAME, and TXT records to uncover email servers, subdomains, and hidden configuration data like SPF or DKIM policies.
- HTTP Cookies Analysis - Identifies session, tracking, and security cookies with attributes like HttpOnly, Secure, and SameSite to assess user tracking and session risks.
- Robots.txt Crawl Rules - Parses robots.txt to reveal disallowed paths, potentially exposing hidden admin panels, staging environments, or sensitive directories.
- HTTP Headers Inspection - Analyzes response headers including Server, X-Powered-By, Content-Security-Policy, HSTS, and CORS to detect outdated software and security misconfigurations.
- Server Location & Traceroute - Determines physical server location via IP geolocation and traces network hops to identify latency points or unusual routing.
- Open Ports & Traceroute - Scans for open TCP ports and maps network paths to detect exposed services like SSH, FTP, or databases.
- Associated Hostnames - Discovers subdomains and related domains through reverse DNS and certificate transparency logs.
- Site Performance Metrics - Measures load time, resource size, and request count to evaluate optimization and potential attack surface expansion.
- Tracker Detection - Identifies third-party analytics, advertising, and social tracking scripts embedded in the page.
- Carbon Footprint Estimation - Calculates estimated CO2 emissions from page load based on data transfer and server energy use.
Common Use Cases
- Security Auditing a Client Website - A penetration tester uses Web-Check to quickly gather IP, DNS, and header data before starting a manual audit, reducing reconnaissance time by 70%.
- Monitoring a Competitor’s Tech Stack - A marketing analyst checks a rival’s site to identify their CDN, hosting provider, and tracking tools for competitive intelligence.
- Securing a New Corporate Site - A sysadmin runs Web-Check on their company’s new domain to verify SSL validity, detect misconfigured headers, and ensure robots.txt doesn’t leak internal paths.
- Investigating a Phishing Site - A SOC analyst uses Web-Check to trace the IP and SSL certificate of a suspicious link to confirm it’s hosted on a known malicious IP or uses a fake cert.
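The header and cookie checks a sysadmin would want from the "Securing a New Corporate Site" case can be expressed as a small audit over one captured response. This is an added example, not Web-Check's own code: the function names, the constructed sample response and the 180-day HSTS threshold are assumptions made for illustration.

```typescript
// Added example, not Web-Check code. The sample response below is constructed.
type Finding = { item: string; issue: string };

const sampleHeaders: Record<string, string> = {
  "Server": "nginx/1.18.0",
  "X-Powered-By": "Express",
  "Strict-Transport-Security": "max-age=300",
  "Access-Control-Allow-Origin": "*",
};
const sampleCookies: string[] = [
  "sid=abc123; Path=/; HttpOnly",
  "theme=dark; Path=/; Secure; SameSite=Lax",
];

// Assumed policy threshold (180 days); set it to your own baseline.
const MIN_HSTS_SECONDS = 15552000;

function auditHeaders(headers: Record<string, string>): Finding[] {
  const h: Record<string, string> = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k]; // names are case-insensitive
  const out: Finding[] = [];
  if (h["server"] !== undefined && /\d/.test(h["server"])) out.push({ item: "server", issue: "discloses version: " + h["server"] });
  if (h["x-powered-by"] !== undefined) out.push({ item: "x-powered-by", issue: "discloses framework: " + h["x-powered-by"] });
  if (h["content-security-policy"] === undefined) out.push({ item: "content-security-policy", issue: "missing" });
  const hsts = h["strict-transport-security"];
  const m = hsts === undefined ? null : /max-age=(\d+)/i.exec(hsts);
  const age = m ? parseInt(m[1], 10) : 0;
  if (hsts === undefined) out.push({ item: "strict-transport-security", issue: "missing" });
  else if (age < MIN_HSTS_SECONDS) out.push({ item: "strict-transport-security", issue: "max-age too short: " + age + "s" });
  if (h["access-control-allow-origin"] === "*") out.push({ item: "access-control-allow-origin", issue: "wildcard origin" });
  return out;
}

function auditCookie(setCookie: string): Finding[] {
  const parts = setCookie.split(";").map((p) => p.trim());
  const cookieName = parts[0].split("=")[0];
  const attrs = parts.slice(1).map((p) => p.toLowerCase());
  const out: Finding[] = [];
  if (attrs.indexOf("httponly") === -1) out.push({ item: cookieName, issue: "missing HttpOnly" });
  if (attrs.indexOf("secure") === -1) out.push({ item: cookieName, issue: "missing Secure" });
  const sameSite = attrs.filter((a) => a.indexOf("samesite=") === 0)[0];
  if (sameSite === undefined) out.push({ item: cookieName, issue: "missing SameSite" });
  else if (sameSite === "samesite=none" && attrs.indexOf("secure") === -1) out.push({ item: cookieName, issue: "SameSite=None without Secure" });
  return out;
}
```

Run `auditHeaders` on the response headers and `auditCookie` on each `Set-Cookie` line; an empty result means none of these specific checks fired, not that the site is otherwise well configured.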
Under The Hood
Architecture
- Express-based server dynamically registers API routes by scanning the /api directory using modular imports, with rate-limiting middleware applied uniformly across endpoints
- Clear separation between backend API logic and frontend UI, with Astro enabling server-side rendering of React components and seamless data flow to cards like DomainLookupCard and ServerLocationCard
- ErrorBoundary implements robust React error boundaries with state-driven recovery, isolating UI failures and improving user experience
- Modular asset resolution via TypeScript path aliases and Astro’s component system ensures clean, maintainable imports across layouts and utilities
- Dependency injection is handled implicitly through module imports, with environment variables driving behavior across server and client layers
Tech Stack
- Full-stack TypeScript architecture with Astro as the primary SSR framework, supporting React and Svelte components alongside API routes
- Node.js backend powered by Express with middleware for SPA routing and rate limiting, complemented by Puppeteer and chrome-aws-lambda for headless browser automation
- Multi-platform deployment support via Docker, Netlify, Vercel, and Fly.io, enabling flexible scaling and serverless execution
- Comprehensive tooling including Axios, Cheerio, Recharts, and Framer Motion for HTTP requests, DOM parsing, and data visualization, orchestrated through Yarn and npm scripts
- Chromium installed system-wide for consistent headless browser behavior across development and production environments
Code Quality
- Limited testing practices with no meaningful assertions, leaving critical functionality unverified
- Inconsistent code organization across frameworks and unclear module boundaries create maintenance challenges
- Error handling is superficial, relying on generic try/catch blocks without structured logging or contextual error reporting
- Type safety is inconsistently enforced, with frequent use of the any type in performance-critical areas like TLS analysis and rendering
- Naming conventions vary widely, and linting or code quality tooling is absent, leading to unstructured JSX and untyped DOM manipulations
What Makes It Unique
- Dynamically auto-registers API handlers from filesystem modules, enabling plugin-style extensibility without hardcoded routes
- Integrates Mozilla’s TLS Observatory and Wayback Machine APIs into a unified, serverless diagnostic platform with seamless endpoint discovery
- Implements an interactive canvas-based particle system as a non-intrusive visual background that responds to browser state, enhancing engagement in a technical tool
- Unifies server-side rendering and API development within a single Astro monorepo, blurring traditional boundaries between UI and backend
- Introduces a reusable card-based result system with dynamic field parsing and expandable sections, standardizing the display of complex web diagnostics data