web-check
Web-Check is an open-source OSINT dashboard that analyzes websites to uncover technical details, security configurations, and infrastructure information. It provides insights into IP addresses, SSL certificates, DNS records, cookies, headers, server location, trackers, and performance metrics through a web interface or self-hosted deployment.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | lissy93/web-check |
| Owner | lissy93 |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 34.1k |
| Forks | 2.8k |
| Open issues | 80 |
| Latest release | 2.1.0 (2026-05-07) |
| Last updated | 2026-06-28 |
| Source | https://github.com/lissy93/web-check |
What web-check is
TypeScript-based web application that performs reconnaissance on target domains by querying DNS, SSL certificate chains, HTTP headers, and third-party APIs to aggregate OSINT data. Supports multiple deployment options (Netlify, Vercel, Docker, source) and exposes findings through an interactive dashboard.
Get the web-check source
Clone the repository and explore it locally.
git clone https://github.com/lissy93/web-check.gitcd web-check# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Audit upstream API dependencies (IP geolocation, SSL/DNS lookup services) for rate limits, cost, data retention, and Terms of Service compliance before production deployment.
- Plan API key management for third-party integrations; store securely (environment variables, secrets management) and rotate regularly.
- Consider network egress filtering if deployed in restricted environments; tool makes outbound queries to public DNS, SSL, and WHOIS services.
- Implement access controls (authentication, RBAC) if exposing to multiple users; tool currently shows all scan results without built-in per-user data isolation.
- Monitor logs for abuse patterns (excessive scanning, targeted reconnaissance of specific domains) if publicly accessible; consider IP rate limiting or request throttling.
When to avoid it — and what to weigh
- Automated Mass Scanning Without Authorization — Tool is designed for targeted analysis. Bulk scanning arbitrary domains may violate terms of service on upstream APIs, trigger rate limits, or constitute unauthorized access depending on jurisdiction and intent.
- Real-Time Threat Detection Platform — Web-Check is a snapshot analysis tool, not a continuous monitoring solution. It lacks alerting, baselining, or integration with SOAR platforms required for enterprise security operations centers.
- Sensitive Internal Network Reconnaissance — Designed for public-facing domain analysis. Do not expose the instance to untrusted users if scanning internal networks or confidential infrastructure; generated reports may leak sensitive topology details.
- Compliance-Grade Security Reporting — Output is informational only. Reports lack formal audit trails, tamper-evidence, signed attestations, or compliance certifications (SOC 2, ISO 27001) required for regulated security assessments.
License & commercial use
MIT License permits unrestricted use, modification, and distribution (including commercial) provided original copyright and license text are included. No liability or warranty.
MIT License permits commercial use, but verify upstream third-party API terms, data usage rights, and SaaS/resale restrictions. No explicit commercial support or warranty provided by the project; community-driven maintenance.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool queries public records and third-party APIs; no cryptographic attestation of data integrity. Self-hosted instances inherit network risks (exposed endpoint, API key theft, log leakage). No published security policy, CVE tracking, or responsible disclosure process documented. Validate upstream API providers' security posture. User-supplied domains are queried directly; implement input validation to prevent SSRF or abuse. No built-in audit logging or data retention controls for compliance frameworks.
Alternatives to consider
Shodan
Commercial platform with deeper port scanning, banner grabbing, and historical data. Requires API key/subscription; less open, more curated, enterprise support available.
SecurityTrails (via Rapid7)
Proprietary OSINT platform with extensive historical DNS, SSL, and whois records, plus threat intelligence correlation. Paid service with SLAs; closed-source, less transparent.
Censys
Free open-source scanner for certificates, IPv4, and IPv6; stronger emphasis on cryptographic data. Less visual dashboard; different data sources than Web-Check.
Build on web-check with DEV.co software developers
Assess whether Web-Check fits your OSINT, infrastructure audit, or privacy analysis needs. Review deployment options, API dependencies, and access controls with your team before production use.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
web-check FAQ
Can I use Web-Check to scan my own website for security issues?
What are the licensing restrictions for commercial SaaS use?
Is there a way to automate scans or integrate with CI/CD?
Does Web-Check store scan results or logs?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If web-check is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Web-Check for Your Security Workflow
Assess whether Web-Check fits your OSINT, infrastructure audit, or privacy analysis needs. Review deployment options, API dependencies, and access controls with your team before production use.