DEV.co
Open-Source Security · lissy93

web-check

Web-Check is an open-source OSINT dashboard that analyzes websites to uncover technical details, security configurations, and infrastructure information. It provides insights into IP addresses, SSL certificates, DNS records, cookies, headers, server location, trackers, and performance metrics through a web interface or self-hosted deployment.

Source: GitHub — github.com/lissy93/web-check
34.1k
GitHub stars
2.8k
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorylissy93/web-check
Ownerlissy93
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars34.1k
Forks2.8k
Open issues80
Latest release2.1.0 (2026-05-07)
Last updated2026-06-28
Sourcehttps://github.com/lissy93/web-check

What web-check is

TypeScript-based web application that performs reconnaissance on target domains by querying DNS, SSL certificate chains, HTTP headers, and third-party APIs to aggregate OSINT data. Supports multiple deployment options (Netlify, Vercel, Docker, source) and exposes findings through an interactive dashboard.

Quickstart

Get the web-check source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/lissy93/web-check.gitcd web-check# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Auditing & Vulnerability Assessment

Organizations can audit their own websites to identify exposed information, misconfigurations in headers, weak SSL chains, or unintended open ports before attackers do. Also useful for third-party website analysis during due diligence or threat assessments.

Infrastructure & Hosting Discovery

Map target domain infrastructure by collecting IP addresses, associated hostnames, nameserver configurations, redirect chains, and server locations. Valuable for understanding vendor dependencies, multi-region deployments, or identifying shadow infrastructure.

Privacy & Tracking Analysis

Identify third-party trackers, analytics services, cookies, and external API calls embedded in websites. Useful for privacy assessments, compliance validation (GDPR, CCPA), or understanding data exposure vectors.

Implementation considerations

  • Audit upstream API dependencies (IP geolocation, SSL/DNS lookup services) for rate limits, cost, data retention, and Terms of Service compliance before production deployment.
  • Plan API key management for third-party integrations; store securely (environment variables, secrets management) and rotate regularly.
  • Consider network egress filtering if deployed in restricted environments; tool makes outbound queries to public DNS, SSL, and WHOIS services.
  • Implement access controls (authentication, RBAC) if exposing to multiple users; tool currently shows all scan results without built-in per-user data isolation.
  • Monitor logs for abuse patterns (excessive scanning, targeted reconnaissance of specific domains) if publicly accessible; consider IP rate limiting or request throttling.

When to avoid it — and what to weigh

  • Automated Mass Scanning Without Authorization — Tool is designed for targeted analysis. Bulk scanning arbitrary domains may violate terms of service on upstream APIs, trigger rate limits, or constitute unauthorized access depending on jurisdiction and intent.
  • Real-Time Threat Detection Platform — Web-Check is a snapshot analysis tool, not a continuous monitoring solution. It lacks alerting, baselining, or integration with SOAR platforms required for enterprise security operations centers.
  • Sensitive Internal Network Reconnaissance — Designed for public-facing domain analysis. Do not expose the instance to untrusted users if scanning internal networks or confidential infrastructure; generated reports may leak sensitive topology details.
  • Compliance-Grade Security Reporting — Output is informational only. Reports lack formal audit trails, tamper-evidence, signed attestations, or compliance certifications (SOC 2, ISO 27001) required for regulated security assessments.

License & commercial use

MIT License permits unrestricted use, modification, and distribution (including commercial) provided original copyright and license text are included. No liability or warranty.

MIT License permits commercial use, but verify upstream third-party API terms, data usage rights, and SaaS/resale restrictions. No explicit commercial support or warranty provided by the project; community-driven maintenance.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool queries public records and third-party APIs; no cryptographic attestation of data integrity. Self-hosted instances inherit network risks (exposed endpoint, API key theft, log leakage). No published security policy, CVE tracking, or responsible disclosure process documented. Validate upstream API providers' security posture. User-supplied domains are queried directly; implement input validation to prevent SSRF or abuse. No built-in audit logging or data retention controls for compliance frameworks.

Alternatives to consider

Shodan

Commercial platform with deeper port scanning, banner grabbing, and historical data. Requires API key/subscription; less open, more curated, enterprise support available.

SecurityTrails (via Rapid7)

Proprietary OSINT platform with extensive historical DNS, SSL, and whois records, plus threat intelligence correlation. Paid service with SLAs; closed-source, less transparent.

Censys

Free open-source scanner for certificates, IPv4, and IPv6; stronger emphasis on cryptographic data. Less visual dashboard; different data sources than Web-Check.

Software development agency

Build on web-check with DEV.co software developers

Assess whether Web-Check fits your OSINT, infrastructure audit, or privacy analysis needs. Review deployment options, API dependencies, and access controls with your team before production use.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

web-check FAQ

Can I use Web-Check to scan my own website for security issues?
Yes. Deploy Web-Check to your own infrastructure or use the public instance (web-check.xyz) to analyze your domains. Results help identify exposed headers, weak SSL, trackers, and other configuration issues. Not a replacement for penetration testing or vulnerability scanning tools.
What are the licensing restrictions for commercial SaaS use?
MIT License permits you to build a commercial product; however, you must retain the original copyright and license notice. Check terms of upstream APIs you integrate; some may restrict commercial use or require separate licensing.
Is there a way to automate scans or integrate with CI/CD?
Not clearly stated in documentation. Web-Check is UI-driven; no public REST API or CLI tool documented. Custom integration would require modifying source or building a wrapper around the hosted instance.
Does Web-Check store scan results or logs?
Unknown. Depends on deployment. Self-hosted instances may log requests; the public instance (web-check.xyz) retention policy is not documented. Verify data handling practices if scanning sensitive domains.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If web-check is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Web-Check for Your Security Workflow

Assess whether Web-Check fits your OSINT, infrastructure audit, or privacy analysis needs. Review deployment options, API dependencies, and access controls with your team before production use.