web-check: Browser-Based Website OSINT and Reconnaissance Dashboard

When you investigate a domain — a company you're researching, an organization tied to a subject, or a website in a suspicious message — your first question is: what is this thing, who runs it, and what's its tech stack?

Manual lookup requires juggling multiple tools, including WHOIS, DNS, SSL, headers, and tech fingerprinting. This process takes around ten minutes and yields scattered results.

web-check streamlines this process by putting all the information in one place. It is browser-based, requires no account, and has no installation needed. Simply paste the URL, and the dashboard fills in the information within thirty seconds.

What web-check Does

Web-Check: Instant Domain Analysis

One URL input triggers over 100 analysis checks. Results show up as panels. You see the entire public profile of a domain: DNS records, WHOIS data, SSL certs, HTTP headers, tech stack, open ports, cookies, redirect chains.

The tool runs in-browser at web-check.xyz. No install, no account, no API key. For most investigations, this is it: paste the domain, hit enter.

The tool has garnered 32k+ GitHub stars from real users in the security and OSINT community who use it daily against real targets, with better tools to choose from. DNS records, WHOIS data, SSL certs, HTTP headers, tech stack, open ports, cookies, redirect chains. Its usefulness is why it has become a staple.

Key Data Points for Investigators

The SSL certificate panel provides significant benefits, especially when expanding scope. Each certificate has a Subject Alternative Names field, which lists all domains and subdomains covered by the certificate. A certificate for company.com might list dev.company.com, api.company.com, old.company.com, subsidiary-brand.com. The related infrastructure and alternative domains are not found in a DNS lookup on the primary domain. web-check extracts these automatically.

The HTTP security header audit reveals which domains are protected and which are not. The audit covers Content Security Policy, HTTP Strict Transport Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The presence or absence of these headers provides characterization for OSINT. A domain with strong headers indicates something about the organization behind it, differing from one with no configuration.

Tech stack detection is achieved through server advertisements, HTTP response headers, and page metadata. This detection reveals the CMS, backend framework, CDN provider, and analytics platforms. For example, a WordPress site can be distinguished from a custom-built site, and Cloudflare can be identified as opposed to direct hosting. This information provides context and opens up investigation angles.

Workflow Fit: Where web-check Belongs

web-check belongs at the start of any domain investigation, before specialized lookups. It gives you bearings.

The output consolidates, tells you what's there, and helps decide where depth matters.

Time saving is real. Gathering WHOIS, DNS records, SSL details, headers, tech stack manually takes 10-15 minutes per domain, with scattered results across tabs. web-check does it in 30 seconds, in one place.

The time difference adds up across 20 domains.

web-check doesn't replace specialist tools. Shodan has port and service banner data, actual services running on IPs, version info, and vulnerability context.

crt.sh has full certificate transparency log history, every certificate ever issued, including historical ones. More than current SANs.

SecurityTrails has years of passive DNS history, showing domain infrastructure changes over time.

web-check identifies threads worth pulling; specialist tools do the pulling.

becomes

web-check belongs at the start of any domain investigation, before specialized lookups. It gives you bearings.

The output consolidates, tells you what's there, and helps decide where depth matters.

Time saving is real. Gathering WHOIS, DNS records, SSL details, headers, tech stack manually takes 10-15 minutes per domain, with scattered results across tabs. web-check does it in 30 seconds, in one place.

The time difference adds up across 20 domains.

web-check doesn't replace specialist tools. Shodan has port and service banner data, actual services running on IPs, version info, vulnerability context.

crt.sh has full certificate transparency log history, every certificate ever issued, historical ones.

SecurityTrails has years of passive DNS history, domain infrastructure changes over time.

web-check identifies threads worth pulling, specialist tools do the pulling.

Further becomes

web-check belongs at the start of any domain investigation, before specialized lookups. It gives you bearings.

The output consolidates, tells you what's there, and helps decide where depth matters.

Time saving is real. Gathering WHOIS, DNS records, SSL details, headers, tech stack manually takes 10-15 minutes per domain, with scattered results across tabs. web-check does it in 30 seconds, in one place.

The time difference adds up across 20 domains.

web-check doesn't replace specialist tools. Shodan has port and service banner data, actual services running on IPs, version info, vulnerability context.

crt.sh has full certificate transparency log history. Every certificate ever issued, historical ones.

SecurityTrails has years of passive DNS history, domain infrastructure changes over time.

web-check identifies threads worth pulling, specialist tools do the pulling.

The final version web-check belongs at the start of any domain investigation, before specialized lookups. It gives you bearings.

The output consolidates, tells you what's there, and helps decide where depth matters.

Time saving is real. Gathering WHOIS, DNS records, SSL details, headers, tech stack manually takes 10-15 minutes per domain. The results are scattered across tabs. web-check does it in 30 seconds, in one place.

The time difference adds up across 20 domains.

web-check doesn't replace specialist tools. Shodan offers port and service banner data, actual services running on IPs, version info, and vulnerability context.

crt.sh offers full certificate transparency log history. The history includes every certificate ever issued, historical ones.

SecurityTrails offers years of passive DNS history. The history shows domain infrastructure changes over time.

web-check identifies threads worth pulling. Specialist tools then do the pulling.

Deployment and Operational Security

Fastest Path to Results

The web-check.xyz public instance delivers results quickly. It's the right choice for most OSINT investigations. You send queries; they process them.

Every query you submit to web-check.xyz generates a data point on their servers: your IP, the domain you queried, and the timestamp. For routine OSINT work, this isn't a concern. But if the domain you're investigating is sensitive — a target that might notice your interest, or one with connections that make your query patterns noteworthy — it becomes an issue.

Self-Hosted Deployment

A self-hosted Docker deployment eliminates this exposure. The Docker image is available on the Lissy93/web-check GitHub repository. Deployment takes about ten minutes on a machine with Docker installed. After that, all queries run locally, and the only external traffic is the analysis checks directly to the target domain — same traffic a browser visit would generate. No data points on someone else's server.

Hosted Instance Options

For those who prefer a hosted instance without managing Docker, one-click deploy options to Vercel and Railway are available. This sets up a personal web-check instance at a private URL. Queries route through your deployment, not the public instance. No local Docker management is required.

Decide Before You Query

The guidance is straightforward: choose your deployment path before sending your first query. If domain confidentiality is a concern, set up Docker or a personal instance first. If not, web-check.xyz is ready to go.

Verdict

web-check earns its place as the default first tool on any domain entering an investigation. The combination of coverage breadth, DNS, WHOIS, SSL with SANs, headers, tech stack, ports, cookies, and redirects in one dashboard, and zero-friction access makes it the fastest way to build an initial picture of what a domain is and how it is operated. That orientation output, assembled in thirty seconds, determines where investigation time gets spent next.

The only meaningful limitation is the public instance's query exposure. Self-hosting resolves it with a one-time setup that applies permanently to every subsequent investigation. For anyone running regular OSINT work involving sensitive targets, that setup investment is worth making.

Use web-check first. Use specialist tools when it shows you where depth is needed.

Best for: OSINT investigators and researchers needing fast consolidated domain intelligence at the start of subject or organization investigations
Live tool: web-check.xyz · GitHub: Lissy93/web-check