v1.0 is now live

Security scanner
for indie developers.

Marshell scans your domain and tells you exactly what's misconfigured — in plain English, with step-by-step fixes. No pentest knowledge required.

$ marshell scan yoursite.com

>>> Starting security scan...

>>> Checking open ports... ✓ done

>>> Checking SSL/TLS config... ✗ weak cipher detected

>>> Checking security headers... ✗ missing HSTS, CSP

>>> Checking exposed paths... ✓ clean

>>> Checking DNS config... ✓ clean

>>> Checking fingerprinting... ✗ nginx version exposed

SCAN COMPLETE — 3 issues found

Severity | Issue | Fix

HIGH | Missing HSTS header | add to next.config.js → headers()

MEDIUM | Weak TLS cipher (RC4) | add to middleware.ts → setHeader()

LOW | Server version exposed | set in vercel.json → headers[]

─────────────────────────────

FIX WITH AI

─────────────────────────────

Paste into Claude Code or Cursor:

Fix these security issues in my Next.js app on Vercel:

1. [HIGH] Missing HSTS header — add to next.config.js headers()

2. [MEDIUM] Weak TLS cipher — update vercel.json

3. [LOW] Server version exposed — strip in middleware.ts

Show me every file to change. Don't explain, just fix.

marshell@scan:~$ _

8 CHECKS

Everything that usually gets missed before launch.

Open Ports

Ports you forgot were open after testing something quickly on your server.

SSL / TLS

Expired certs, weak ciphers, and missing HTTPS redirects caught instantly.

Security Headers

Missing crucial headers like CSP, HSTS, X-Frame-Options, and Referrer-Policy.

Exposed Paths

.env files, /admin panels, and /.git directories accidentally left public.

DNS Issues

Subdomain takeover vulnerabilities hiding in your outdated DNS configurations.

Fingerprinting

Stop your web server from revealing its underlying software versions to attackers.

Frontend Leaks

Debug endpoints, source maps, and platform headers accidentally exposed in your frontend.

Attack Surface

Unsafe HTTP methods, rate limiting gaps, and entry points attackers probe first.

WORKS WITH YOUR STACK

Detects your platform. Fixes are specific to your setup.

Marshell automatically detects where you're deployed and generates fixes for your exact config files — not generic advice.

Vercel
Railway
Render
Fly.io
DigitalOcean
Netlify
Next.js
Nuxt
SvelteKit
Express
FastAPI
nginx

Don't see your stack? Marshell falls back to universal fixes that work everywhere.

2,400+ domains scanned
8 vulnerability checks
< 30s average scan time

GET STARTED

Scan your first site in 30 seconds.

Free forever for basic scans. Upgrade for unlimited scans, API access, and AI fix prompts.

No credit card required. Free tier includes 3 scans per day.

