AuraWatch

Everything you need to keep your website healthy.

The same checks security professionals run, automated and updated daily — with plain-English findings the rest of your team can act on.

Continuous security scanning

Open ports, exposed services, web-application flaws, encryption quality, and forgotten subdomains, checked on a schedule — not just when you remember to click.

Mobile and desktop performance

Every scan measures how fast your site loads for mobile and desktop visitors. Two separate scores, so a slow phone experience never hides behind a fast desktop one.

One health score, not a wall of jargon

Every scan rolls up to a single number that goes up or down. The breakdown is one click away when you need it.

Plain-English explanations

Every finding tells you what it is, why it matters, and how to fix it — written so anyone can act on it.

See what changed

Every scan shows what's new, what's fixed, and what changed since last time.

Performance from multiple regions

See how your site performs for customers around the world. Free runs from one region; Pro picks one region; Enterprise picks up to four and compares them side by side.

Email, Slack, and webhook alerts

Get told the moment something changes — through whichever channel you actually read.

PDF reports

Stakeholder-ready PDFs for insurance, audits, and compliance evidence — built from your real scan history.

Your whole team included on every plan

Bring your accountant, your developer, your auditor — they all see the same dashboard at no extra cost.


Same finding. Two very different ways to read it.

Here’s a real Next.js vulnerability disclosed in March 2025, the way the security industry writes it up — and the way AuraWatch tells you about it.

NVD entry CVE-2025-29927

Next.js Authorization Bypass via x-middleware-subrequest

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

CVSS 3.1: 9.1 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AuraWatch finding High · needs fix

Anyone could bypass login on your site

What it is. Your site uses Next.js, and older Next.js versions have a bug where a special header (x-middleware-subrequest) tells Next.js to skip a security check it shouldn’t skip. The check is the one that decides “is this person logged in / allowed to see this page?”

Why it matters. If your login or your admin area is protected by Next.js middleware (most modern Next.js sites are), an attacker can add that one header to a request and walk straight in — no password, no session. They see whatever your logged-in visitors see.

How to fix it. Update Next.js to a patched version. The safe versions are 15.2.3 or newer on the 15.x line, 14.2.25 or newer on 14.x, 13.5.9 or newer on 13.x, and 12.3.5 or newer on 12.x. If you can’t update right now, block any request that includes the x-middleware-subrequest header at your CDN or reverse proxy.
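The two fixes above can be checked in code. This is an added example, not AuraWatch's or Next.js's own code: it classifies an installed Next.js version against the patched releases listed in the finding and decides whether a proxy-side filter should reject a request. The function names, the status strings, and the treatment of release lines after 15.x as patched are assumptions.

```javascript
// Added example. Fixed releases and header name are taken from the finding above.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const BLOCKED_HEADER = "x-middleware-subrequest";

// Parse "14.2.25" or "15.2.3-canary.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Numeric comparison, so 14.2.9 sorts before 14.2.25 (a string compare would not).
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "patched", "upgrade" or "unknown" for an installed Next.js version.
function classifyNextVersion(v) {
  const p = parseVersion(v);
  if (!p) return "unknown";
  const major = p.nums[0];
  // Assumption: release lines after 15.x already contain the fix.
  if (major > 15) return "patched";
  const fix = FIXED[major];
  // No fixed release is listed for lines older than 12.x: flag them for upgrade.
  if (!fix) return "upgrade";
  const c = compare(p.nums, fix);
  // A prerelease of the fixed version sorts before it in semver: treat as unpatched.
  return c > 0 || (c === 0 && !p.pre) ? "patched" : "upgrade";
}

// Header names are case-insensitive, so normalise before comparing.
function shouldBlock(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}
```

`shouldBlock` takes a plain object of request headers, such as `req.headers` in a Node.js proxy, and the filter should run before the request is forwarded to the Next.js application.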