Every time you visit a website, that site learns a lot more about you than you probably realize. Your IP address, browser fingerprint, DNS queries, the whole chain of redirects — it’s all visible on the other end.
But what if you could flip the script and see exactly what you are exposing?
That’s the idea behind Web-Check — a free, open-source OSINT dashboard built by Alicia Sykes (lissy93) that analyzes any website from the outside in. Drop in a URL, and within 20-30 seconds you get a full breakdown of what that site reveals about its infrastructure, its users, and you.
What Is Web-Check?
Web-Check (github.com/lissy93/web-check) is a TypeScript-based tool with over 33,500 GitHub stars and 2,700+ forks. It runs 37 different checks on any public URL and presents the results in a single dashboard.
Think of it as putting a website under an X-ray: in minutes, you see what an attacker (or a nosy advertiser) would see.
We tested it on our own site at vpnreview.nxtniche.com to see what it found. Here’s what it looks like in action.
Key Features of Web-Check
The dashboard runs dozens of checks across five categories — from server location to security headers and tracking scripts:
| Feature Category | What It Reveals |
|---|---|
| Server & IP | IP address, server location (city/country/timezone), traceroute, WHOIS lookup |
| DNS & Security | DNS records, DNSSEC status, SPF/DMARC mail config, TLS version, SSL certificate chain |
| Headers & HTTP | HTTP security headers, HSTS status, Content-Security-Policy, redirect chain |
| Content & Tracking | Cookies, social tags, tech stack detection, block list status, known threats |
| Performance & SEO | Carbon footprint estimate, uptime status, global rank, sitemap/robots.txt |
It also generates a screenshot of the target page, checks archive history, and scans for open ports.
Why VPNReview Readers Should Care
This tool is directly useful for anyone who uses a VPN or cares about online privacy. Here’s why.
Check for VPN leaks. Run Web-Check while connected to your VPN. The “Get IP Address” and “Server Location” sections will show you the VPN server’s IP — not your real one. If you see your home city instead of the VPN server’s city, you’ve got a leak. (For a deeper look at leak-proof VPN setups, check our WireGuard Setup Guide.)
See what websites learn about you. The Headers section shows what your browser sends to every site. The Cookies section lists tracking cookies. And the Tech Stack section reveals what analytics and tracking scripts a site runs. (We used similar OSINT-style checks during our ProtonVPN review to verify their no-logging claims.)
Audit your own site’s privacy posture. When we tested Web-Check on vpnreview.nxtniche.com, it immediately flagged three issues: a missing Content-Security-Policy header, a missing Strict-Transport-Security header, and no HSTS enforcement. That’s actionable intelligence you’d otherwise need a security audit to find.
| Check Result | Our Site | What It Means |
|---|---|---|
| Security Issues | 3 | Missing CSP, HSTS, STS headers |
| Warnings | 8 | Mixed content, cookie flags, etc. |
| Passes | 14 | HTTPS, DNSSEC, valid SSL, DMARC |
| Server Location | Toronto, Canada | Correct for our Cloudflare edge |
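The kind of check behind those findings (missing CSP, missing HSTS, cookie flags) can be reproduced against any captured response. This is an added example, not Web-Check's code or output: the function name `auditResponse`, the six-month HSTS threshold, and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit response headers and Set-Cookie lines for the
// issues named above. Threshold and sample data are constructed.
const SIX_MONTHS = 15552000; // seconds; threshold chosen for this example

function auditResponse(headers, setCookies = []) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];

  if (!h['content-security-policy']) {
    findings.push(h['content-security-policy-report-only']
      ? 'CSP is report-only (not enforced)'
      : 'Missing Content-Security-Policy');
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('Missing Strict-Transport-Security');
  } else {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < SIX_MONTHS) findings.push(`HSTS max-age too short (${maxAge}s)`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  // Each Set-Cookie line: "name=value; Attr; Attr=value; ..."
  for (const line of setCookies) {
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const name = pair.split('=')[0];
    const flags = attrs.map(a => a.split('=')[0].toLowerCase());
    for (const want of ['secure', 'httponly', 'samesite']) {
      if (!flags.includes(want)) findings.push(`Cookie ${name}: missing ${want}`);
    }
  }
  return findings;
}

// Constructed sample responses (not real scan output): before and after hardening.
const before = auditResponse(
  { 'Content-Type': 'text/html' },
  ['session=abc123; Path=/; HttpOnly']);
const after = auditResponse(
  { 'Content-Security-Policy': "default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' },
  ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax']);
console.log({ before, after });
```

To audit a live site you control, pass in the headers from a `fetch` response or from `curl -sI` output instead of the constructed samples.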
How to Use Web-Check
The easiest way is to head to web-check.xyz, enter any URL, and wait about 20-30 seconds. The dashboard populates in real time — you can watch results appear as each check completes.
If you want to run it on internal sites or want full control, you can self-host with Docker:
```bash
docker run -p 3000:3000 lissy93/web-check
```
That’s it. One command, and you’ve got your own private instance. Plus the source is MIT-licensed, so there are no restrictions.
Honest Limitations
Web-Check is a surface-level analysis tool. It won’t find SQL injection vulnerabilities or authenticate against your APIs. It shows what’s publicly visible, which is exactly what makes it useful for privacy audits, not deep penetration testing.
Also, the free hosted version at web-check.xyz sends your queries through the project’s own infrastructure, so for sensitive targets, self-hosting is the safer bet. The self-hosted setup via Docker is straightforward, but you’ll need a machine with Node.js or Docker running.
Bottom Line
Web-Check is a free tool for anyone who wants to understand their digital footprint. For VPN users, it doubles as a quick leak test — run it with your VPN on, and verify your IP and location are masked. And for site owners, it’s a free security audit that catches missing headers and misconfigurations in seconds.
Who should use it: Privacy-conscious users who want to check what their browser reveals, VPN users verifying leak protection, and site owners doing a quick security scan.
Skip it if: You need deep penetration testing, authenticated scanning, or compliance-grade auditing.