I built a website health scanner that checks for broken assets, SSL issues, missing security headers, and more. Here's what it finds on most sites
"How do I know if my site has issues right now?"
So I built a free scanner that answers that in 20 seconds: getsitewatch.com/scan
Paste any URL. No signup. No email. Just a health report.
I've been running it on random production sites and the findings are... interesting. Here's what keeps showing up.
Broken Assets Are Everywhere
The most common finding. Images returning 404. Scripts that got deleted during a deploy but are still referenced in the HTML. Stylesheets pointing to fonts that moved.
A missing image is cosmetic. A missing JS file can kill your entire page. If your checkout depends on a script that no longer exists, the form never renders — but the server still returns 200 OK.
Found this on roughly 3 out of 10 sites scanned. Most owners had no idea.
SSL Certificates Nobody Is Watching
Certs about to expire. Incomplete chains where Chrome works fine but Safari throws warnings. Certs that don't match the domain after a migration.
The stat that blew my mind: 88% of companies experienced an outage from an expired cert in the past two years (Keyfactor 2024). Microsoft Teams went down for 3 hours because someone forgot to renew one.
The scanner flags certs expiring within 30 days and checks chain completeness.
Mixed Content Hiding in Plain Sight
HTTPS page loading resources over HTTP. Browsers block this silently — no error, no warning. Images just don't render. Fonts fall back to system defaults.
Super common on WordPress sites post-SSL migration. Hardcoded http:// URLs buried in the database. The site looks fine to the owner because their browser has assets cached. First-time visitors see something different.
Security Headers? What Security Headers?
The most universally failed check. Almost every site I scan is missing at least two critical headers.
Quick reality check — run this against your own site:
curl -sI https://yoursite.com | grep -iE "strict-transport|content-security|x-frame|x-content-type|referrer-policy"
If that comes back mostly empty, you're missing basic protections against XSS, clickjacking, and MITM attacks. Takes 15 minutes to fix. Most sites never do because nobody checks.
The scanner tells you exactly which headers are missing and what each one protects against.
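The curl one-liner above only shows whether a header is present, not whether its value does anything. As an added example (not the scanner's own code), this Python audit parses a constructed `curl -sI` header block and reports missing or weak values for the same five headers; the 180-day HSTS threshold, the function names, and the finding wording are assumptions of this example.

```python
import re

# Constructed sample: a header block as printed by `curl -sI` (not from a real site).
SAMPLE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=86400
x-content-type-options: nosniff
content-security-policy: default-src 'self'; frame-ancestors 'none'
"""

MIN_HSTS_AGE = 15552000  # 180 days; this threshold is an assumption of the example

def parse_headers(raw):
    """Parse a raw response header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers):
    """Return {header: finding} for the five headers the curl check greps for."""
    findings = {}
    hsts = headers.get("strict-transport-security")
    age = re.search(r'max-age="?(\d+)', hsts or "", re.I)
    if hsts is None:
        findings["strict-transport-security"] = "missing: HTTPS downgrade / MITM"
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings["strict-transport-security"] = "weak: max-age too short"
    csp = headers.get("content-security-policy")
    if csp is None:
        findings["content-security-policy"] = "missing: XSS mitigation"
    # A CSP frame-ancestors directive covers clickjacking without X-Frame-Options.
    if "x-frame-options" not in headers and "frame-ancestors" not in (csp or "").lower():
        findings["x-frame-options"] = "missing: clickjacking"
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings["x-content-type-options"] = "missing or invalid: MIME sniffing"
    if "referrer-policy" not in headers:
        findings["referrer-policy"] = "missing: URL leakage via Referer"
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_headers(SAMPLE)).items():
        print(f"{name}: {finding}")
```

On the sample, the grep would show three matching lines and look healthy, while the audit still flags the one-day HSTS lifetime and the absent Referrer-Policy.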
SEO Metadata That's Quietly Broken
Missing Open Graph tags — so your links look bare and unprofessional when shared on LinkedIn, Twitter, or Slack. Malformed JSON-LD that kills your rich snippet potential. Wrong canonical URLs splitting your SEO across duplicate pages.
None of this crashes your site. All of it makes your site invisible.
Missing Sitemaps
Especially common on SPA/Jamstack sites. The build pipeline handles the app, nobody remembers the sitemap. Or it exists but returns 404 because the path changed.
Free SEO you're leaving on the table.
The Pattern
Most sites I've scanned look perfectly fine if you just open them in a browser. They load. They render. Nothing is obviously wrong.
But the scanner finds something on almost every one. Usually it's a combination: a few missing security headers, an asset that 404s, an SSL cert that expires in 3 weeks.
The thing is — none of this shows up in a standard uptime check. The server responds. Status 200. Dashboard says green. Meanwhile the site has 4 issues nobody knows about.
How It Works
The scanner:
- Fetches the page and enumerates every subresource (scripts, stylesheets, images)
- Validates each asset actually returns a successful response
- Checks SSL certificate validity, expiry, and chain completeness
- Inspects response headers for security policies
- Validates structured data, OG tags, and canonical URLs
- Checks for robots.txt and sitemap.xml
Results come back as a prioritized report — critical issues first, info-level findings last. Plain-language explanations, not jargon dumps.
Try It
20 seconds. Free. No signup.
Drop your health rating in the comments — curious what people find on their own sites.
What's Next
The scanner is a one-time checkup. If you want continuous monitoring — so you catch these issues the moment they appear, not weeks later — that's what Sitewatch itself does. Checks from multiple regions, alerts before your users notice.
But the scan alone is worth doing. You might be surprised.