Cyberscan

A small toolkit of free, privacy-first cybersecurity checks you can run yourself. No accounts, no logs, no surveillance — most checks happen entirely in your browser, and the rest just open the official tool with your input pre-filled.

🔒 Privacy by design: nothing you type here is stored, sent to me, or logged anywhere. Password checks use k-anonymity (only the first 5 characters of a hash leave your browser). External lookups open the third-party site in a new tab — your input goes directly to them, never through this site.

01 Has my password been breached?

Check whether a password has appeared in known data breaches via the Have I Been Pwned Pwned Passwords API. The check is safe even for your real password — see "why is this safe?"

How does this work? (k-anonymity explained)

1. Your password is hashed with SHA-1 locally in your browser. It never leaves the page in plain text.

2. Only the first 5 hex characters of the hash are sent to api.pwnedpasswords.com.

3. The API responds with ~500 candidate hash suffixes.

4. Your browser checks locally whether your full hash is in the list.
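
The four steps above, as an added JavaScript example (not this site's own code). The function names, the caller-supplied `fetchRange` function and the sample response body are assumptions constructed for illustration; the `SUFFIX:COUNT` line format is the one the Pwned Passwords range endpoint returns.

```javascript
// Constructed sample of a range response body: one "SUFFIX:COUNT" per line.
// The first suffix belongs to SHA-1("password"); the counts and the other
// suffixes are made up for this example.
const SAMPLE_RANGE_BODY = [
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  '0123456789ABCDEF0123456789ABCDEF012:7',
  'F'.repeat(35) + ':0', // zero count: treated as "not seen"
].join('\r\n');

// Step 1: hash locally. Web Crypto in the browser, Node's copy otherwise.
async function sha1Hex(text) {
  const subtle = globalThis.crypto?.subtle ??
    (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Step 2: only `prefix` is ever handed to the network layer.
function splitHash(hashHex) {
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// Step 4: scan the candidate list locally for our own suffix.
function countForSuffix(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix.toUpperCase()) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0; // suffix absent from the candidates: no known breach
}

// fetchRange(prefix) is a caller-supplied function returning the response
// text; in a browser it would request the range for `prefix` (step 3).
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix);
  return { sentToServer: prefix, breachCount: countForSuffix(suffix, body) };
}

// Offline demo: the stub stands in for the HTTP request.
checkPassword('password', async () => SAMPLE_RANGE_BODY)
  .then(result => console.log(result));
```

The password and the 35-character suffix never reach `fetchRange`; the only value passed to it is the 5-character prefix.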

02 What does the internet see about me?

Your public IP, approximate location, ISP, and ASN — pulled from ipapi.co.

03 Has my email been in a breach?

Search Have I Been Pwned for breaches involving your email address.

04 Website security headers

Run a quick scan against securityheaders.com.

05 Mozilla Observatory (deeper scan)

More thorough TLS, CSP, and cookie audit.

06 Website history — Wayback Machine

See archived snapshots of any website over time.

07 Certificate transparency lookup

Search crt.sh for every TLS cert ever issued for a domain.

08 Domain WHOIS / RDAP

Who registered a domain, when, and through which registrar.

09 Vulnerability search (CVE / NVD)

Search the National Vulnerability Database for known CVEs.

10 Suspicious URL? Sandbox it

Submit to urlscan.io for a sandboxed analysis.

Quick glossary

HSTS

Forces a browser to always use HTTPS, preventing downgrade attacks.

CSP

Content Security Policy — restricts what scripts a page can run. Stops most XSS.

MFA / 2FA

Something you know + something you have. Stops 99% of credential stuffing.

SHA-1

One-way hash. Used by HIBP for password lookup with k-anonymity.

k-anonymity

Sharing a small prefix of data so the server can't tell which exact item you asked about.

CT logs

Certificate Transparency — public ledger of every TLS cert ever issued.

RDAP

Modern WHOIS replacement. Returns structured JSON.

ASN

Autonomous System Number — identifies which network an IP belongs to.

OSINT

Open-Source Intelligence — gathering info from public sources only.

CVE

Common Vulnerabilities and Exposures — global ID for a known bug.