OWMeter

Free OWASP Top 10 security scanner for websites and code repositories

Verify ownership, run passive and active security checks, and get a detailed score mapped to all 10 OWASP categories. Free, open source, no tracking.

Verified ownership only

Before any scan, you must prove you own the domain or repository. Connect private GitHub repos via GitHub App — no public verification file needed.

Passive + active scanning

HTTP security headers, SSL/TLS config, OWASP ZAP active attack simulation, and static source-code analysis for JavaScript and TypeScript projects.

Security score out of 100

Every finding maps to a specific OWASP Top 10 category. See what passed, what failed, and report any false positives directly from your results.

Free and open source

No paid plans, no vendor lock-in. OWMeter is open source — inspect the code, contribute, or self-host.


Latest high-security-score sites analysed

Sites scoring 90 or above on OWMeter

Jun 2, 2026
95/100
Website: lotestats.com
Private repo

10/10 categories evaluated

May 25, 2026
96/100
Website: owmeter.dev
Repo: github.com/tasiodev/owmeter

10/10 categories evaluated

May 16, 2026
100/100
Repo: https://github.com/tasiodev/react-places-autocomplete

9/10 categories evaluated · 3 partial

Web security is not optional

Misconfigured websites are the easiest targets for attackers. Knowing your security posture is the first step.

46% of data breaches affect organisations with fewer than 1,000 employees (Verizon DBIR 2024)

$4.45M average cost of a data breach worldwide (IBM 2023)

Minutes is all it takes for an automated scanner to find a vulnerable website

Standard: The OWASP Top 10 is the global benchmark for web application security

How it works

Three steps to know your project's security posture

1. Add your project

Enter a website URL or link a code repository on GitHub, GitLab, or Bitbucket. Private GitHub repos are supported via GitHub App.

2. Verify ownership

Confirm domain ownership via DNS TXT record, HTML meta tag, or .well-known file. For private GitHub repos connected via GitHub App, no extra verification step is needed.

3. Get your score

Get a security score out of 100 and a full list of findings mapped to each OWASP category. You'll know exactly what's wrong and what to fix.

Every check maps to the OWASP Top 10

The OWASP Top 10 is the industry standard for the most critical web security risks. OWMeter evaluates your project against each one.

A01 Broken Access Control: Auth guards, CORS policies, path traversal, IDOR

A02 Cryptographic Failures: HTTPS, HSTS, TLS config, Secure cookie flag, weak algorithms

A03 Injection: SQL, XSS, and command injection via OWASP ZAP active scan

A04 Insecure Design: Input validation and security patterns in source code

A05 Security Misconfiguration: HTTP headers, CSP, X-Frame-Options, server info leakage

A06 Vulnerable Components: Known CVEs and outdated dependency detection

A07 Auth Failures: Cookie flags, JWT signing, password hashing, brute-force protection

A08 Data Integrity Failures: Unsafe deserialization and supply chain patterns in code

A09 Logging Failures: Logging practices and sensitive data in logs

A10 SSRF: Server-side request forgery probes on public endpoints