How do I scan my website for vulnerabilities?

Before you begin...

Please note that you may only scan websites that you own or that you have the owner's permission to scan. Do not run scans on any other websites, including third-party software sites that you may use, such as Gmail or Microsoft Office Online.

Adding a Website for Scanning


  1. Open the Monitoring module in Cyber Safety.
  2. Click on the "Add a Website" button.
  3. Enter your website information. (See details below)
  4. Verify that you have permission to scan this website.
  5. Set your scan level and schedule. (Learn more about scan levels)
  6. Wait for the scan to complete.

Website Details


Website Protocol (HTTPS vs HTTP)

HTTP stands for Hypertext Transfer Protocol. It's a standardized format for transferring data between two devices over a network. HTTPS is HTTP with encryption, and it is used by most websites.

If you are not sure which protocol your website supports, enter your URL into a web browser with HTTP and see if the browser is automatically redirected to HTTPS (with a padlock icon). If it is, your website is using HTTPS. If not, it's only on HTTP.



Website URL: Only use the root URL

You should only enter the root URL of the website you wish to scan. Do not include the protocol (the "https://" part), any path that identifies a specific page within your site (the part of the URL that begins with a forward slash "/"), or any query string (the part of the URL that begins with a "?").

For example, for a URL of

  • The protocol portion is https://
  • The root URL is
  • "/blog" is the path
  • "?client=safari" is a query string

In this example, you'd only enter "" as the URL. The scanner will identify all the pages in your website and run tests on every page it can find.


Website URL: Subdomains are considered separate websites

It may be obvious that and are two separate websites. But it may not be as obvious that different subdomains (such as and are also considered separate websites. Similarly, a root domain and a subdomain (e.g. and are also considered separate sites. 

When you add a website for scanning, the scope of the scan only includes pages within a single website. To illustrate, a scan of will scan all the pages within, including,, etc. However, that same scan will NOT include any subdomains of, such as 
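
The two URL rules above (enter only the root URL; each subdomain is its own website) can be applied to a list of your own URLs to see which website entries you would need to add. This is an added example, not code from the product: the function names and the example.com hostnames are constructed, and dropping any port number is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def root_url(url: str) -> str:
    """Return the value to enter as the website URL:
    the host only, with no protocol, path or query string."""
    # urlsplit only recognises the host when a scheme or leading '//' is present.
    if not _SCHEME.match(url) and not url.startswith("//"):
        url = "//" + url
    host = urlsplit(url).hostname  # lower-cased; port and userinfo dropped (assumption)
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host.rstrip(".")

def in_scope(scanned_site: str, url: str) -> bool:
    """A scan covers only pages on exactly the same host.
    Subdomains, and the root domain versus a subdomain, are separate websites."""
    return root_url(url) == root_url(scanned_site)

def sites_to_add(urls):
    """Group URLs by the website entry whose scan would cover them."""
    groups = defaultdict(list)
    for u in urls:
        groups[root_url(u)].append(u)
    return dict(groups)

# Constructed sample input: URLs an owner might want covered.
SAMPLE_URLS = [
    "https://www.example.com/blog?client=safari",
    "https://www.example.com/contact",
    "http://example.com/",
    "shop.example.com/cart?item=42",
]

if __name__ == "__main__":
    for site, pages in sorted(sites_to_add(SAMPLE_URLS).items()):
        print(f"Add website: {site}")
        for page in pages:
            print(f"    covers {page}")
```

Each hostname printed is a separate website to add, and each one goes through the permission verification step on its own.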
