Security headers
PASSIVE · 18 HTTP headers checked: CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more. Copy-paste ready fix snippets for nginx, Apache, and Caddy.
Mythoscan ships eleven scanner modules split across two tiers — passive and active. This page is the exhaustive list, sorted for skimming. What runs without ownership verification, what requires it, and which plan you need for each.
Certificate chain, validity, SANs, cipher suites, TLS versions, forward secrecy, HSTS enforcement, and expiry alerts.
A, AAAA, MX, NS, TXT, CNAME, SOA inventory. DNSSEC enforcement check. Misconfiguration detection.
SPF qualifier, DMARC policy strength, DKIM selector discovery, MTA-STS enforcement, TLS-RPT reporting, BIMI. 0–100 score with copy-paste fixes.
Fingerprints over 200 stacks: CMS, frameworks, libraries, CDN, analytics. Version extraction for CVE matching.
crt.sh + AlienVault OTX passive DNS. Optional VirusTotal and SecurityTrails with your own API keys. Surfaces forgotten staging and backup subdomains.
Cookie drops before consent, third-party trackers, missing legal notice / privacy policy, consent banner quality. FR/EU differentiator.
Cross-reference detected technologies with NVD to surface known CVEs with CVSS scores and mitigations.
Common and custom ports with concurrent scan. Service identification and banner grabbing. Requires ownership verification.
Core version, active plugins, active theme. Cross-referenced with wpscan.com vulnerability database. Requires ownership verification.
SSH, HTTP, FTP, SMTP, POP3, IMAP, MySQL service fingerprinting. Version extraction. Requires ownership verification.
◆ Annual billing available with −20% discount · 14-day trial on all paid plans · no credit card
Start on Free or Starter. Upgrade the day your portfolio outgrows the limits. No annual lock-in, no sales call.