Your site is up. But is it healthy?
We just shipped a free website health scanner at getsitewatch.com/scan. No signup. No email. Just paste a URL and get a full report in about 20 seconds.
We built it because we kept running into the same problem: developers and site owners had no quick way to check if their site was actually working — beyond just loading the page in a browser and eyeballing it.
Here's what the scanner checks, why each issue matters, and what we typically find when people scan their production sites.
1. Broken Assets (Images, Scripts, Stylesheets)
What we check: Every image, script, and stylesheet referenced in your HTML. Does it actually load? Or does it return a 404, 403, or 500?
What we typically find: This is the most common issue. Roughly 3 out of 10 sites we've scanned have at least one broken asset. Usually it's an image that was moved or renamed, a script that was deleted during a deploy, or a stylesheet that references a font file that no longer exists.
Why it matters: A missing image is cosmetic. A missing JavaScript file can break your entire page. If your checkout depends on a script that returns 404, your checkout is dead — but your server still returns 200 OK and your uptime monitor says everything is fine.
Quick manual check:
# Find broken images on any page
curl -s https://yoursite.com | grep -oP 'src="[^"]*"' | while read -r src; do
url=$(echo "$src" | tr -d '"' | sed 's/src=//')
[[ "$url" != http* ]] && url="https://yoursite.com$url"
status=$(curl -o /dev/null -s -w "%{http_code}" "$url")
[[ "$status" != "200" ]] && echo "BROKEN ($status): $url"
done
Or just paste your URL at getsitewatch.com/scan — it does this automatically for every asset type.
2. Mixed Content
What we check: Does your HTTPS page load any resources over plain HTTP?
What we typically find: Common on sites that migrated to HTTPS but still have hardcoded http:// URLs in the database, templates, or third-party embeds. WordPress sites are particularly prone to this after an SSL migration.
Why it matters: Modern browsers silently block mixed content. No error. No warning to the user. Images just don't render. Scripts don't execute. Fonts fall back to system defaults. Your site looks broken, but only to your visitors — not to you in your browser with cached assets.
Quick manual check:
curl -s https://yoursite.com | grep -oP '(src|href)="http://[^"]*"'
If this returns anything on an HTTPS site, those resources are being blocked.
3. SSL Certificate Issues
What we check: Is your certificate valid? When does it expire? Is the chain complete? Does it match the domain?
What we typically find: Certificates expiring within 30 days without auto-renewal configured. Incomplete chains where the intermediate CA is missing — site works in Chrome but throws warnings in Safari and on mobile. Certs that don't match the domain after a server migration.
Why it matters: An expired or misconfigured cert turns your site into a browser warning page. But the failure window before it fully expires is worse — some browsers are more forgiving than others, so you get inconsistent behavior that's hard to debug. According to Keyfactor's 2024 report, 88% of companies experienced an unplanned outage from an expired certificate in the past two years.
Quick manual check:
# Check when your cert expires
echo | openssl s_client -servername yoursite.com -connect yoursite.com:443 2>/dev/null | openssl x509 -noout -enddate
The scanner flags certificates expiring within 30 days and checks chain completeness automatically.
4. Missing Security Headers
What we check: CSP (Content-Security-Policy), HSTS (Strict-Transport-Security), X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
What we typically find: This is the most universally failed check. The vast majority of sites we scan are missing at least two critical security headers. HSTS and CSP are the most commonly absent.
Why it matters:
- No HSTS: Visitors can be MITM'd on their first visit before the redirect to HTTPS happens.
- No CSP: No defense against XSS attacks injecting scripts into your page.
- No X-Frame-Options: Your site can be embedded in an iframe on a malicious page (clickjacking).
- No X-Content-Type-Options: Browsers may MIME-sniff responses and execute files as scripts that weren't intended to be scripts.
Quick manual check:
curl -sI https://yoursite.com | grep -iE "strict-transport|content-security|x-frame|x-content-type|referrer-policy"
Empty result = no security headers. The scanner shows which ones are missing and what each one protects against.
5. Schema & SEO Issues
What we check: JSON-LD structured data validation, canonical URLs, Open Graph tags, meta descriptions, title tags.
What we typically find: Missing or malformed JSON-LD is common — especially after a CMS update or template change. Missing Open Graph tags mean your site looks bare when shared on LinkedIn, Twitter, or Slack. Duplicate or missing canonical URLs confuse search engines about which page to index.
Why it matters: These don't break your site visually, but they break your site's reach. Bad schema means Google can't generate rich snippets. Missing OG tags mean your links look unprofessional when shared. Wrong canonicals mean your SEO juice is split across duplicate pages.
6. Discoverability
What we check: Does robots.txt exist and is it valid? Is there a sitemap.xml and does it return 200?
What we typically find: Missing sitemaps are surprisingly common — especially on SPAs and Jamstack sites where nobody thought to generate one. Occasionally we find robots.txt files that accidentally Disallow: / — blocking all search engines from the entire site.
Why it matters: Without a sitemap, search engines crawl your site less efficiently. A misconfigured robots.txt can de-index your entire site. These are 5-minute fixes with massive impact.
What the Report Looks Like
The scanner returns a prioritized report with severity rankings:
- Critical — Things actively breaking your site for visitors (broken scripts, expired SSL)
- Warning — Things silently degrading the experience (mixed content, missing security headers)
- Info — Things that affect SEO and discoverability (missing schema, no sitemap)
Every finding includes a plain-language explanation of what it is, why it matters, and how to fix it. No jargon dumps. No "error code 4xx on subresource" without context.
Why We Built This
We run Sitewatch — a website monitoring tool that continuously checks if sites actually work, not just if they respond.
But continuous monitoring is a commitment. You need to sign up, configure checks, set up alerts. That's the right move for production sites — but sometimes you just want a quick answer: is my site healthy right now?
The scanner is that quick answer. Think of it as a one-time checkup versus ongoing monitoring. The doctor visit versus the daily vitamin.
It's completely free. No email required. No credit card. No "enter your email to see the full results" nonsense.
What Happens After the Scan
If your site is clean — great. You just got peace of mind in 20 seconds.
If it found issues — the report tells you exactly what to fix and why, ordered by severity. Most of the critical issues (broken assets, SSL problems) can be fixed in under an hour.
And if you want to make sure these issues don't come back after the next deploy, that's where continuous monitoring comes in. Sitewatch checks your site on an ongoing basis and alerts you before your users notice something is broken.
But the scan itself? No strings attached. Use it, fix what it finds, move on.
Try it on your own site and drop your health rating in the comments — I'm curious what people find.
Top comments (0)