I built a security scanner, never shipped it, and finally finished the job

I built SecURL about six months ago during a stretch of evenings where I kept hitting the same frustration: running a security scan on a site and getting back either a wall of jargon or a narrow result that only checked one thing. securityheaders.com checks headers. SSL Labs checks TLS. Mozilla Observatory covers a bit more. But nothing gave you the full picture in one pass, ranked by what to actually fix first.

So I built it. SecURL scans a URL and checks HTTP security headers, TLS configuration, DMARC, SPF, DKIM, DNSSEC, third-party script exposure, cookie flags, redirect chains, and more. It gives you an A to F grade and ranks every finding by severity with OWASP references attached. Paste a URL, get a report in about 30 seconds.

The scanner itself worked well. The engine was solid. But the project sat in a state I think a lot of side projects end up in: technically functional, never actually shipped. No marketing presence, no billing system, UX issues I knew about but kept deferring, documentation that existed only in my head.

That is the before.

The finish-up started with the UX problems I had been ignoring. There was a white gap appearing at the bottom of the page on certain viewport sizes. The navigation tab bar was getting truncated because a share button was stealing horizontal space in the same flex row. The recent scans list showed every grade in the same teal colour regardless of whether the site got an A or an F. The version badge in the hero was showing the full internal build string — core version, build hash, app version — fine for me, noise for everyone else.