Free Website Privacy Scanner

SurfaceScan™

Audit any website’s privacy exposure for free — JavaScript, cookies, third-party resources, fingerprinting signals, tracking services, and security headers — scored out of 100.

Static analysis · No JavaScript · Pure PHP + cURL
SurfaceScan™ — Free Website Privacy Scanner by FS HOT

Scan a website

Fetches the target URL server-side via cURL, reads HTTP response headers, and analyses the static HTML for scripts, cookies, third-party resources, fingerprinting APIs, and known trackers. Results reflect static content only — JS-rendered SPAs may score higher than their true exposure.

53/100

kagi.com

Mixed — noticeable client-side footprint and some exposure.

Scan quality: full page retrieved — results are reliable

Category breakdown

JavaScript exposure 5/25

5 external scripts

Cookie footprint 20/20

No cookies set

Third-party surface 0/20

2 third-party domains: cloudflare.com, googleapis.com

Fingerprinting risk 15/15

No fingerprinting signals detected

Tracking signals 10/10

No tracking or analytics detected

Security headers 3/10

Present: HSTS, X-Frame-Options. Missing: Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, Permissions-Policy

Key findings

5 external scripts — heavy third-party JS dependency.
Stateless — no cookies set.
2 third-party domains: cloudflare.com, googleapis.com.
No fingerprinting API calls detected.
No analytics, pixels, or tag managers detected.
HTTPS confirmed.
Missing headers: Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, Permissions-Policy.
Security headers present: HSTS, X-Frame-Options.

How to improve

Self-host or remove external scripts to cut third-party JS dependencies.
Add header: Content-Security-Policy: default-src 'self'
Add header: Referrer-Policy: no-referrer
Add header: X-Content-Type-Options: nosniff
Add header: Permissions-Policy: geolocation=(), camera=(), microphone=()

Score detail

Scanned URL: https://kagi.com/
Total score: 53/100
Protocol: HTTPS
JavaScript exposure: 5/25 — 5 external scripts
Cookie footprint: 20/20 — No cookies set
Third-party surface: 0/20 — 2 third-party domains: cloudflare.com, googleapis.com
Fingerprinting risk: 15/15 — No fingerprinting signals detected
Tracking signals: 10/10 — No tracking or analytics detected
Security headers: 3/10 — Present: HSTS, X-Frame-Options. Missing: Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, Permissions-Policy
Scan quality: full page retrieved — results are reliable
