When you add a domain to Recon44, an immediate vulnerability scan runs against your site. After that, scans repeat automatically every 24 hours, and you can trigger one manually at any time. The scan is non-destructive: it probes your site the same way an attacker would during reconnaissance, but never modifies data or exploits what it finds.

What Recon44 scans for

Recon44 checks that your SSL/TLS certificate is valid, trusted, and not approaching expiry.
  • Expiry date: Recon44 flags certificates expiring within 30 days and alerts you at 14 days and 7 days.
  • Chain validity: Confirms the full certificate chain is correctly configured and trusted by major browsers.
  • Protocol version: Identifies if your server still accepts deprecated protocols (TLS 1.0, TLS 1.1, SSL 3.0).
  • Cipher suites: Flags weak or deprecated cipher configurations.
A failing SSL check means visitors may see browser security warnings, and some clients may refuse to connect entirely.
HTTP response headers are one of the cheapest and most effective security controls available. Recon44 checks for the presence and correct configuration of:
| Header | What it does | What a missing or misconfigured header allows |
|---|---|---|
| Strict-Transport-Security (HSTS) | Forces browsers to use HTTPS for all future requests | Downgrade attacks and cookie theft over HTTP |
| Content-Security-Policy (CSP) | Restricts which scripts and resources the page can load | XSS attacks that load malicious scripts from external origins |
| X-Frame-Options | Prevents your pages from being embedded in iframes | Clickjacking attacks that overlay your site inside a malicious page |
| X-Content-Type-Options | Stops browsers from sniffing MIME types | Drive-by download attacks via MIME confusion |
| Referrer-Policy | Controls how much URL information is sent in Referer headers | Leaking sensitive URL parameters to third-party sites |
| Permissions-Policy | Restricts access to browser APIs (camera, microphone, etc.) | Unauthorized access to device features by embedded scripts |
Each header is flagged as Missing, Present, or Misconfigured based on its value.
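The Missing / Present / Misconfigured classification, as an added example that is not Recon44's own code. The thresholds and allowed values (a minimum HSTS max-age of 180 days, the accepted X-Frame-Options and Referrer-Policy values, 'unsafe-inline' or '*' in script sources counting as misconfigured) are assumptions chosen for illustration, and the sample headers are constructed.

```python
import re

# Constructed sample response headers for the example (not from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",  # far too short an HSTS lifetime
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",  # not a valid value; browsers ignore it
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # Permissions-Policy deliberately absent
}

MIN_HSTS_AGE = 15_552_000  # 180 days in seconds; assumed minimum for this example


def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return "Present" if m and int(m.group(1)) >= MIN_HSTS_AGE else "Misconfigured"


def check_csp(value):
    # Parse "directive source source; directive ..." into a dict of source lists.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src falls back to default-src; inline or wildcard sources defeat the point of CSP.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None or "'unsafe-inline'" in sources or "*" in sources:
        return "Misconfigured"
    return "Present"


def check_enum(allowed):
    def check(value):
        return "Present" if value.strip().lower() in allowed else "Misconfigured"
    return check


CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": check_enum({"deny", "sameorigin"}),
    "X-Content-Type-Options": check_enum({"nosniff"}),
    "Referrer-Policy": check_enum({"no-referrer", "same-origin", "strict-origin",
                                   "strict-origin-when-cross-origin"}),
    "Permissions-Policy": lambda value: "Present",  # any explicit policy counts here
}


def audit_headers(headers):
    """Return {header: 'Missing' | 'Present' | 'Misconfigured'}; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: (check(lower[name.lower()]) if name.lower() in lower else "Missing")
            for name, check in CHECKS.items()}
```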
Recon44 probes for files that should never be publicly accessible. Finding these files is typically one of the first things an attacker does during reconnaissance.
  • .env files: Commonly contain database credentials, API keys, and other secrets. A publicly accessible .env file is a critical severity finding.
  • .git directories: An exposed .git directory allows an attacker to reconstruct your entire source code.
  • Backup files: Files like backup.zip, db.sql, dump.sql, and similar names are checked.
  • Configuration files: wp-config.php, config.php, database.yml, and similar application config files.
An exposed .env or .git directory is a critical finding. Rotate any credentials found in these files immediately and restrict access at your web server or CDN before addressing the underlying cause.
Recon44 scans common ports on your server’s public IP to identify services that are unintentionally exposed to the internet. Common findings include:

| Port | Service | Risk |
|---|---|---|
| 3306 | MySQL | Direct database access from the internet |
| 5432 | PostgreSQL | Direct database access from the internet |
| 6379 | Redis | Unauthenticated access to in-memory data |
| 27017 | MongoDB | Unauthenticated database access |
| 22 | SSH | Brute-force login attempts |
| 3389 | RDP | Brute-force and exploit attempts on Windows hosts |
Database ports should never be reachable from the public internet. If Recon44 finds one open, the recommended fix is to restrict access to your database port via firewall rules so only your application server can reach it.
Recon44 identifies URL parameters, form fields, and other inputs on your site that appear to be used in database queries and tests them for injection vulnerabilities. The scanner uses non-destructive payloads — it does not attempt to extract real data. It only confirms whether a parameter exhibits anomalous behavior (error messages, timing differences) that indicates a vulnerable query.
SQL injection scanning requires Recon44 to send test requests to your live site. These requests are benign, but they may appear in your own access logs.
Recon44 probes form inputs, URL parameters, and HTTP headers that are reflected in your page responses, testing whether injected content is returned unescaped. Reflected XSS vectors are flagged when Recon44 confirms a parameter is echoed into the page without sanitization. Stored XSS requires interaction and is not currently detected by automated scanning; use the WAF to catch stored XSS at request time.
Recon44 checks whether your web server returns directory indexes when no index file is present. An enabled directory listing lets anyone browse the file structure of your web root, potentially revealing source files, uploads, backups, and configuration. A "directory listing enabled" finding means your server (Apache, Nginx, or similar) has not been configured to disable this behavior. The fix is a one-line configuration change.
Recon44 tests whether your site enforces rate limits on high-risk endpoints, particularly login forms and password reset flows. The scanner sends a burst of requests to detected login endpoints and checks whether responses indicate throttling or blocking after repeated attempts. Sites with no rate limiting on login endpoints are trivially vulnerable to credential stuffing and brute-force attacks.
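The rate-limit check described above, shown from both sides as an added example that is not Recon44's own code: a sliding-window login limiter as the defensive control, and a burst check that reports after how many attempts throttling appears. The limit of 5 attempts per client per 60 seconds, the 429 response with Retry-After, and the client address are assumptions for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window for the example
MAX_ATTEMPTS = 5      # assumed per-client limit within the window


class LoginRateLimiter:
    """Allow at most MAX_ATTEMPTS login requests per client per sliding window."""

    def __init__(self):
        self._attempts = defaultdict(deque)  # client -> timestamps of recent attempts

    def handle_login(self, client_ip, now):
        """Return (status, headers) the way the login endpoint would respond."""
        q = self._attempts[client_ip]
        while q and now - q[0] >= WINDOW_SECONDS:  # drop attempts that left the window
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            retry_after = int(WINDOW_SECONDS - (now - q[0])) + 1
            return 429, {"Retry-After": str(retry_after)}
        q.append(now)
        return 401, {}  # wrong credentials in this simulation; the attempt still counts


def burst_check(send, n=20, spacing=0.5):
    """Send n login attempts via send(t) and return the 1-based index of the first
    throttled or blocked response. None means no throttling appeared at all, i.e.
    the endpoint is open to brute-force and credential stuffing."""
    for i in range(n):
        status, headers = send(i * spacing)
        if status in (429, 403) or "Retry-After" in headers:
            return i + 1
    return None


def demo():
    """Run the burst against a limited endpoint and an unlimited one."""
    limiter = LoginRateLimiter()
    # 198.51.100.7 is a documentation-range address, constructed for the example.
    protected = burst_check(lambda t: limiter.handle_login("198.51.100.7", t))
    unprotected = burst_check(lambda t: (401, {}))  # endpoint with no limiter
    return protected, unprotected


if __name__ == "__main__":
    print(demo())
```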

Scan schedule

Recon44 runs a full vulnerability scan of your domain every 24 hours, automatically. You do not need to schedule or configure this.
  • Scans run during off-peak hours to minimize any impact on your site.
  • You receive an alert if a new finding is detected since the last scan.
  • Results from the last scan are always visible on your Vulnerability dashboard.

How to read scan results

Results are grouped by severity: Critical, High, Medium, and Low.

Critical

Fix immediately. Examples: exposed .env file, publicly reachable database port, confirmed SQL injection vulnerability. These represent direct paths to data compromise.

High

Fix soon. Examples: missing CSP header, directory listing enabled, missing HSTS. These reduce your attack surface significantly when addressed.

Medium

Plan to fix. Examples: missing Referrer-Policy, weak cipher suite. These are best-practice gaps that don’t represent immediate compromise risk.

Low

Informational. Examples: SSL certificate expiring in 25 days, optional hardening not applied. Review at your convenience.
Each finding includes:
  • A description of what was found and why it matters
  • The affected URL or port
  • A recommended fix with specific steps or configuration examples