I built SecURL about six months ago during a stretch of evenings where I kept hitting the same frustration: running a security scan on a site and getting back either a wall of jargon or a narrow result that only checked one thing. securityheaders.com checks headers. SSL Labs checks TLS. Mozilla Observatory covers a bit more. But nothing gave you the full picture in one pass, ranked by what to actually fix first.
So I built it. SecURL scans a URL and checks HTTP security headers, TLS configuration, DMARC, SPF, DKIM, DNSSEC, third-party script exposure, cookie flags, redirect chains, and more. It gives you an A to F grade and ranks every finding by severity with OWASP references attached. Paste a URL, get a report in about 30 seconds.
The scanner itself worked well. The engine was solid. But the project sat in a state I think a lot of side projects end up in: technically functional, never actually shipped. No marketing presence, no billing system, UX issues I knew about but kept deferring, documentation that existed only in my head.
That is the before.
The finish-up started with the UX problems I had been ignoring. There was a white gap appearing at the bottom of the page on certain viewport sizes. The navigation tab bar was getting truncated because a share button was stealing horizontal space in the same flex row. The recent scans list showed every grade in the same teal colour regardless of whether the site got an A or an F. The version badge in the hero was showing the full internal build string — core version, build hash, app version — fine for me, noise for everyone else.
Copilot helped me move quickly through these fixes. The kind of changes where you know exactly what needs to happen but the back-and-forth of finding the right element, checking what the parent is doing, adjusting the layout — having inline suggestions while you work through it means you stay in flow instead of breaking to look things up. The white gap was a single CSS property once I found the right place. The tab truncation was moving the share button out of the flex row into its own div above the nav. Small things individually, but the app looks significantly more polished now.
The marketing site (securl.online) also needed work. The comparison table footer copy said "active checks" which contradicted the rest of the site explaining that SecURL only makes passive observations — public-response checks, nothing invasive. One line that would have undermined trust with anyone who read carefully.
The after is that SecURL is now actually launched rather than just running.
The UX issues are fixed and shipped. There is a Twitter account (@thisissecurl) with posts going out. A Dev.to presence. A Product Hunt profile. A proper UX review checklist so future deploys go through a structured check before anything ships.
The scanner itself does things most free tools do not. It checks email trust records properly — not just whether DMARC exists but whether the policy is set to quarantine or reject, whether SPF has overly permissive qualifiers, whether DKIM selectors are discoverable. It detects session replay tools and analytics vendors from the third-party script surface. It maps the redirect chain and flags security issues at each hop. The grade system collapses all of that into something a non-security person can act on.
If you want to try it: app.securl.online. Free, no account needed, takes about 30 seconds. Particularly interested to hear from anyone who scans something and gets a result they think is wrong — the engine is still being tuned and real-world feedback is genuinely useful.
Top comments (0)