Notes from the scanner
Web security, privacy, and vulnerability scanning: practical guides from the team behind OnScanner.
We write about what we build and what we see in real scans: how attackers map a website from the outside, which CVEs actually get exploited and how EPSS and CISA KEV separate them from the noise, why trackers and consent banners fail privacy audits, and what SPF, DKIM, DMARC, TLS and security headers reveal about a domain before anyone logs in. No fluff, no recycled press releases; each post explains a technique, shows the evidence a scanner collects, and ends with fixes you can apply the same day.
RSS feedThe Best Web Vulnerability Scanners in 2026
An honest, source-verified guide to the leading web vulnerability scanners in 2026, mapped to the job each does best. Includes our own, with disclosure.
TLS and Certificate Misconfigurations Attackers Look For
Expired certs, legacy TLS versions, missing HSTS, and chain issues are visible from one handshake. What attackers look for and how to check yours.
SPF, DKIM, and DMARC: Your Email Security, Seen from the Outside
SPF, DKIM, and DMARC live in public DNS. What each record does, how they chain, and the misconfigurations that leave a domain open to spoofing.
Canvas, WebGL, and Audio Fingerprinting Explained
How canvas rendering, WebGL renderer strings, and audio processing identify devices without cookies, and how an instrumented browser detects it.
Website Privacy Scanning: Trackers, Fingerprinting, Consent
What a privacy scan reveals about trackers, ad pixels, session recording, fingerprinting, and whether your consent banner is actually honored.
End-of-Life Software: The Risk That No Patch Will Ever Fix
End-of-life software gets no more security fixes, ever. Why EOL risk differs from a CVE, where it hides in your stack, and what to do about it.
Backported Patches and False Alarms: Why Version Numbers Lie
Distro backports mean version numbers lie about vulnerability. How patch-status detection separates real CVE exposure from false alarms.
EPSS and KEV Explained: Fixing the CVEs Attackers Actually Use
CVSS, EPSS, and CISA KEV answer different questions. Why severity-only triage fails, and how to build a fix order around real-world exploitation.
The OWASP Top 10, Through the Lens of an Automated Scanner
Which OWASP Top 10 risks can an automated scanner reliably detect, and which need manual testing? A category-by-category detectability guide.