Enter a URL: Orilyt tests the public security signals — HTTPS, SSL certificate, protection headers, exposed WordPress version. Instant result, no sign-up.
Non-intrusive analysis: no intrusion testing, only publicly observable signals.
Nearly 1 in 2 European websites sends no HSTS header, and almost 3 in 4 have no Content-Security-Policy — Orilyt 2026 Barometer, 19,901 websites measured.
This tool gives an instant overview of a site's security hygiene, based on signals any browser can observe — without ever attacking the site or attempting an intrusion:
Strict-Transport-Security (enforces HTTPS), Content-Security-Policy (anti-injection), X-Frame-Options (anti-clickjacking), X-Content-Type-Options (anti MIME-sniffing), Referrer-Policy (data leakage).
It's a starting point, not a full audit. A real diagnosis also checks outdated components and dependencies, exposed entry points and admin interfaces, accessible sensitive files, the IP address's reputation, and dozens of other points.
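The five header checks listed above, sketched as an added example (not Orilyt's own code): it grades each header from a response's header block, including cases where a header is present but ineffective. The sample response, the function names and the ok/weak/missing thresholds are assumptions made for illustration.

```python
import re

# Constructed sample response (not captured from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=0
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: unsafe-url
"""

def parse_headers(raw):
    """Return {lowercased-name: value}; repeated headers are comma-joined."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def grade(headers):
    """Grade the five headers as 'ok', 'weak' or 'missing' (thresholds are assumptions)."""
    out = {}
    hsts = headers.get("strict-transport-security")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    # max-age=0 tells the browser to drop the HSTS policy, so it enforces nothing.
    out["Strict-Transport-Security"] = (
        "missing" if hsts is None else "ok" if age and int(age.group(1)) > 0 else "weak")
    csp = headers.get("content-security-policy")
    out["Content-Security-Policy"] = "missing" if csp is None else "ok"  # presence only
    xfo = headers.get("x-frame-options", "").strip().upper()
    # CSP frame-ancestors gives the same anti-clickjacking control as X-Frame-Options.
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in (csp or "").lower():
        out["X-Frame-Options"] = "ok"
    else:
        out["X-Frame-Options"] = "weak" if xfo else "missing"
    xcto = headers.get("x-content-type-options")
    out["X-Content-Type-Options"] = (
        "missing" if xcto is None else "ok" if xcto.lower() == "nosniff" else "weak")
    rp = headers.get("referrer-policy")
    leaky = {"unsafe-url", "no-referrer-when-downgrade"}  # full URL sent cross-origin
    last = (rp or "").split(",")[-1].strip().lower()  # last value in a fallback list
    out["Referrer-Policy"] = "missing" if rp is None else "weak" if last in leaky else "ok"
    return out

if __name__ == "__main__":
    for name, status in grade(parse_headers(SAMPLE)).items():
        print(f"{name:28} {status}")
```

The Content-Security-Policy check here only confirms the header is present; it does not judge the policy's directives.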
No. A pentest simulates real attacks (SQL injections, XSS…) and requires the site owner's authorization. This tool only reads public signals — it's instant, free, and risk-free for the site being analyzed.
Headers and the certificate are only the surface. Most compromises come through an outdated component, an admin interface open to brute-force attacks, an exposed configuration file or an enumerable admin account — all invisible from the homepage.
Orilyt goes further: more than 80 checkpoints covering security, performance, SEO, accessibility and compliance, in a clear, actionable report. The first audit is free.
Is the tool really free and sign-up free?
Yes. The security snapshot is free and instant. The full audit (80+ checkpoints) is also free for a first try.
Is it legal to analyze a site I don't own?
Yes: the tool only consults public information (HTTP headers, certificate, homepage), exactly like a browser. It performs no intrusion or offensive testing.
Does a good result mean my site is secure?
No — it's a necessary condition, not a sufficient one. Correct headers don't prevent a vulnerable plugin or a weak password. For a real assessment, run the full audit.
Why the focus on WordPress?
WordPress powers more than 4 in 10 websites and concentrates most web attacks. Orilyt analyzes it in depth, while also auditing non-WordPress sites.