Blog

Notes from the scanner

Web security, privacy, and vulnerability scanning: practical guides from the team behind OnScanner.

We write about what we build and what we see in real scans: how attackers map a website from the outside, which CVEs actually get exploited and how EPSS and CISA KEV separate them from the noise, why trackers and consent banners fail privacy audits, and what SPF, DKIM, DMARC, TLS and security headers reveal about a domain before anyone logs in. No fluff, no recycled press releases; each post explains a technique, shows the evidence a scanner collects, and ends with fixes you can apply the same day.

RSS feed
Guides6 min read

The Best Web Vulnerability Scanners in 2026

An honest, source-verified guide to the leading web vulnerability scanners in 2026, mapped to the job each does best. Includes our own, with disclosure.

Security7 min read

TLS and Certificate Misconfigurations Attackers Look For

Expired certs, legacy TLS versions, missing HSTS, and chain issues are visible from one handshake. What attackers look for and how to check yours.

Security8 min read

SPF, DKIM, and DMARC: Your Email Security, Seen from the Outside

SPF, DKIM, and DMARC live in public DNS. What each record does, how they chain, and the misconfigurations that leave a domain open to spoofing.

Privacy7 min read

Canvas, WebGL, and Audio Fingerprinting Explained

How canvas rendering, WebGL renderer strings, and audio processing identify devices without cookies, and how an instrumented browser detects it.

Privacy8 min read

Website Privacy Scanning: Trackers, Fingerprinting, Consent

What a privacy scan reveals about trackers, ad pixels, session recording, fingerprinting, and whether your consent banner is actually honored.

Security8 min read

End-of-Life Software: The Risk That No Patch Will Ever Fix

End-of-life software gets no more security fixes, ever. Why EOL risk differs from a CVE, where it hides in your stack, and what to do about it.

Security8 min read

Backported Patches and False Alarms: Why Version Numbers Lie

Distro backports mean version numbers lie about vulnerability. How patch-status detection separates real CVE exposure from false alarms.

Security7 min read

EPSS and KEV Explained: Fixing the CVEs Attackers Actually Use

CVSS, EPSS, and CISA KEV answer different questions. Why severity-only triage fails, and how to build a fix order around real-world exploitation.

Security8 min read

The OWASP Top 10, Through the Lens of an Automated Scanner

Which OWASP Top 10 risks can an automated scanner reliably detect, and which need manual testing? A category-by-category detectability guide.

Page 1 of 2Older →