What Hackers Can See About Your Website (Live Scan Guide)

Before an attacker tries to break into your website, they perform reconnaissance. They map your technology stack, find exposed files, identify server versions, and discover forgotten subdomains. Here is exactly what they can see about your site, and how to use the same techniques defensively.

Server Headers: Your Website's Name Tag

Every HTTP response your server sends includes headers that can reveal sensitive information. Run a simple curl command against any website and you will likely see:

curl -I https://example.com

# Common information-leaking headers:
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: PHP/8.1.2
X-AspNet-Version: 4.0.30319
X-Generator: WordPress 6.4.2

Each of these headers tells an attacker exactly which software and version you are running. They can then search for known CVEs (Common Vulnerabilities and Exposures) specific to those versions. An Apache 2.4.52 server has different vulnerabilities than 2.4.58. Knowing the exact version turns a broad attack into a targeted one. Read our article on why exposed server versions are dangerous.

Fix: Remove or genericize server headers in your web server configuration. In Nginx: server_tokens off;. In Apache: ServerTokens Prod and ServerSignature Off. Remove X-Powered-By entirely.
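To confirm the fix took effect, the check can be scripted. The following is an added example, not code from the original article or from SecureBin: it parses saved `curl -I` output and reports the headers that still disclose software or versions. The function names and both sample responses are constructed for illustration.

```python
import re

# Headers the article lists as information-leaking; presence alone is a finding.
LEAKY = {"x-powered-by", "x-aspnet-version", "x-generator"}
# Product token followed by a dotted version, e.g. "Apache/2.4.52".
VERSION_RE = re.compile(r"([A-Za-z][\w.\-]*)[/ ](\d+(?:\.\d+)+)")


def parse_headers(raw):
    """Parse text printed by `curl -I` into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        # Skip blank separators and status lines such as "HTTP/1.1 200 OK".
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def audit_headers(raw):
    """Return (header, value, reason) for every disclosing header."""
    findings = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname == "server":
            match = VERSION_RE.search(value)
            if match:  # "Server: Apache" alone is accepted as generic
                reason = f"{match.group(1)} {match.group(2)} disclosed"
                findings.append((name, value, reason))
        elif lname in LEAKY:
            findings.append((name, value, "remove header"))
    return findings


# Constructed responses: before and after applying the fix described above.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw))
```

Feed it the output of `curl -sI` against your own site after each configuration change; an empty list means none of the headers named above leak a version.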

Technology Fingerprinting

Even without headers, attackers can identify your technology stack through:

  • HTML comments: CMS platforms leave identifiable comments in source code
  • Cookie names: PHPSESSID reveals PHP, ASP.NET_SessionId reveals .NET, JSESSIONID reveals Java
  • URL patterns: /wp-admin/ reveals WordPress, /admin/ patterns reveal various CMSes
  • JavaScript libraries: Specific versions of jQuery, React, Angular visible in source
  • Error pages: Default error pages are unique per web server and framework
  • File extensions: .php, .asp, .jsp reveal the backend language

Tools like Wappalyzer, WhatRuns, and BuiltWith automate technology detection. The SecureBin Exposure Checker includes technology fingerprinting in its scan results.
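To see which of these signals your own pages emit, the following added example (not part of the original article, and not how the tools named above are implemented) collects them from one response. The signal labels, function names and sample response are constructed; the cookie names and URL pattern come from the list above.

```python
import re
from html.parser import HTMLParser

COOKIE_HINTS = {"PHPSESSID": "PHP", "ASP.NET_SessionId": ".NET", "JSESSIONID": "Java"}
LIB_RE = re.compile(r"(jquery|react|angular)[-@/.](\d+(?:\.\d+)+)", re.I)
EXT_RE = re.compile(r"\.(php|asp|jsp)(?=$|[?#/])", re.I)


class SignalCollector(HTMLParser):
    """Collects the page-source signals described in the list above."""

    def __init__(self):
        super().__init__()
        self.signals = set()

    def handle_comment(self, data):
        self.signals.add(("html-comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        attr = {k: v or "" for k, v in attrs}
        url = attr.get("src") or attr.get("href") or attr.get("action") or ""
        if "/wp-admin/" in url:
            self.signals.add(("url-pattern", "/wp-admin/"))
        lib = LIB_RE.search(url)
        if lib:
            self.signals.add(("js-library", f"{lib.group(1).lower()} {lib.group(2)}"))
        ext = EXT_RE.search(url)
        if ext:
            self.signals.add(("file-extension", "." + ext.group(1).lower()))


def fingerprint_signals(set_cookie_headers, html):
    """Return sorted (signal, detail) pairs found in one response."""
    collector = SignalCollector()
    collector.feed(html)
    collector.close()
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name in COOKIE_HINTS:
            collector.signals.add(("cookie-name", f"{name} ({COOKIE_HINTS[name]})"))
    return sorted(collector.signals)


# Constructed sample response, not taken from a real site.
SAMPLE_COOKIES = ["PHPSESSID=abc123; path=/; HttpOnly"]
SAMPLE_HTML = """<html><head>
<!-- This site is optimized with an example SEO plugin v1.2 -->
<script src="/assets/js/jquery-3.6.0.min.js"></script>
</head><body><form action="/search.php"><a href="/wp-admin/">Login</a></form></body></html>"""

if __name__ == "__main__":
    for signal in fingerprint_signals(SAMPLE_COOKIES, SAMPLE_HTML):
        print(signal)
```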

Exposed Files and Directories

Attackers routinely check for files that should not be publicly accessible:

# Files attackers check (automated):
/.env                    # Database creds, API keys
/.git/config             # Repository configuration
/.git/HEAD               # Full source code recovery
/wp-config.php           # WordPress database creds
/phpinfo.php             # Full PHP configuration
/backup.sql              # Database dump
/robots.txt              # Reveals hidden paths
/.htaccess               # Server configuration
/server-status           # Apache server status
/web.config              # IIS configuration
/crossdomain.xml         # Flash cross-domain policy
/sitemap.xml             # Complete URL structure

The SecureBin Exposure Checker automatically tests for all of these and more. An exposed .env file alone can provide database credentials, API keys, and encryption secrets. Learn more about the danger of exposed .env files.
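The same list works as a detection rule on your own access logs. This added example (not from the original article) scans combined-format log lines for requests to the sensitive paths above, reports any that were actually served, and lists clients probing several of them. The log lines, the threshold of three paths and the function name are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sensitive paths from the article's list. robots.txt, sitemap.xml and
# crossdomain.xml are left out because clients are expected to fetch them.
SENSITIVE = {"/.env", "/.git/config", "/.git/HEAD", "/wp-config.php",
             "/phpinfo.php", "/backup.sql", "/.htaccess", "/server-status",
             "/web.config"}
PROBE_THRESHOLD = 3  # assumption: distinct sensitive paths before flagging a client
# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def scan_log(lines):
    """Return (exposed, probers).

    exposed: sorted (path, client_ip) pairs answered with a 2xx status.
    probers: {client_ip: sorted paths} for clients at or over the threshold.
    """
    exposed = set()
    probes = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, target, status = match.groups()
        path = urlsplit(target).path  # drop any query string
        if path not in SENSITIVE:
            continue
        probes[ip].add(path)
        if status.startswith("2"):
            exposed.add((path, ip))
    probers = {ip: sorted(paths) for ip, paths in probes.items()
               if len(paths) >= PROBE_THRESHOLD}
    return sorted(exposed), probers


# Constructed log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:15:33 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:15:33 +0000] "GET /backup.sql?x=1 HTTP/1.1" 200 48211 "-" "-"
198.51.100.4 - - [12/Mar/2024:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
198.51.100.4 - - [12/Mar/2024:10:16:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "-"
""".splitlines()

if __name__ == "__main__":
    exposed, probers = scan_log(SAMPLE_LOG)
    print("served:", exposed)
    print("probing clients:", probers)
```

Any entry in `exposed` means the file was handed out and its contents should be treated as compromised: rotate the credentials it held, then block the path.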

See What Attackers See

Run the same checks hackers run against your domain. SecureBin Exposure Checker tests 19 security vectors in seconds. Free, no signup required.

DNS Records: Your Infrastructure Blueprint

DNS records reveal a wealth of information about your infrastructure:

  • A records: Your server's IP addresses (cloud provider identification)
  • MX records: Email provider (Google Workspace, Microsoft 365, custom)
  • TXT records: SPF rules (reveal all authorized email senders), domain verification tokens
  • CNAME records: Third-party services (CDN, load balancer, SaaS integrations)
  • NS records: DNS provider

Use the SecureBin DNS Lookup to see exactly what your DNS reveals. Pay special attention to dangling CNAME records that could enable subdomain takeover.

Open Ports: Doors Left Unlocked

A port scan reveals which services are running and accessible from the internet:

  • Port 22 (SSH): Remote access, target for brute force
  • Port 3306 (MySQL): Database access (should never be public)
  • Port 5432 (PostgreSQL): Database access
  • Port 6379 (Redis): Cache/session store (often no auth by default)
  • Port 27017 (MongoDB): Database access
  • Port 9200 (Elasticsearch): Search engine (often no auth)
  • Port 8080/8443: Application servers, admin panels

Read our detailed guide on open port security risks.
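From the server side, the same question is which of these services listen on a non-loopback address. This added example (not from the original article) parses the output of `ss -tln` on a Linux host and flags the ports listed above when they are bound to a wildcard or external address. The sample output is constructed, and a flagged listener is only reachable from the internet if no firewall or security group blocks it.

```python
# Ports and services from the article's list.
RISKY_PORTS = {
    22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
    27017: "MongoDB", 9200: "Elasticsearch",
    8080: "application server", 8443: "application server",
}


def is_loopback(addr):
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 as printed by ss."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(ss_output):
    """Return sorted (port, service, bind_address) for risky non-loopback listeners."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Expected columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in RISKY_PORTS and not is_loopback(addr):
            findings.add((port, RISKY_PORTS[port], addr))
    return sorted(findings)


# Constructed `ss -tln` output for illustration.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*
LISTEN 0      151          0.0.0.0:3306      0.0.0.0:*
LISTEN 0      4096               *:9200            *:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

if __name__ == "__main__":
    for port, service, addr in exposed_listeners(SAMPLE_SS):
        print(f"{service} on port {port} is bound to {addr}")
```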

Subdomain Enumeration

Attackers enumerate your subdomains to find forgotten services, staging environments, and internal tools. Tools like Subfinder, Amass, and Sublist3r can discover hundreds of subdomains through DNS brute forcing, certificate transparency logs, and search engine indexing. Common finds include:

  • staging.example.com with weaker security controls
  • dev.example.com with debug mode enabled
  • admin.example.com with basic authentication
  • old.example.com running outdated, unpatched software
  • api-v1.example.com with deprecated, vulnerable API versions

SSL/TLS Configuration

Your SSL configuration reveals supported TLS versions, cipher suites, certificate details (including organization name and registration date), and whether you have implemented HSTS. Weak configurations (supporting TLS 1.0/1.1, using RC4 or 3DES ciphers) are immediately flagged as potential entry points. Check yours with the SecureBin SSL Checker.

Frequently Asked Questions

Is it legal for someone to scan my website?

Passive reconnaissance (viewing headers, checking DNS records, browsing robots.txt) is generally legal because it only accesses publicly available information. Active scanning (port scanning, vulnerability testing) enters a legal gray area. In the US, the Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access, but the definition of "unauthorized" is debated. Many organizations consider uninvited port scans unwelcome but rarely pursue legal action. However, you should always scan your own infrastructure proactively so you know what attackers can see.

Can I prevent all information disclosure?

Not entirely, but you can minimize it significantly. Remove server version headers, disable directory listing, block access to sensitive files, use generic error pages, and keep your DNS records minimal. The goal is not perfect invisibility but reducing the useful information an attacker can gather without authentication. Every piece of information you withhold increases the effort required for a successful attack.

What should I do first after reading this article?

Run the SecureBin Exposure Checker on your domain right now. It takes 30 seconds and covers the most critical checks: exposed files, security headers, SSL configuration, DNS records, and technology fingerprinting. Fix any critical findings immediately, then work through the remaining items over the next week. This single action will close the most common attack vectors.

The Bottom Line

Attackers do not start with sophisticated exploits. They start with reconnaissance. Server headers, exposed files, open ports, DNS records, and technology fingerprints give them a detailed map of your attack surface. The good news is that most of this information disclosure is easy to fix. Remove unnecessary headers, block access to sensitive files, close unused ports, and run regular scans. Knowing what attackers can see is the first step to making sure they see as little as possible.
