Frequently Asked Questions

AuditStack is a website security and performance auditing service. We scan your website for security vulnerabilities, performance problems, and data breaches — and give you a plain-English report with clear steps to fix everything we find. No technical knowledge required.

AuditStack is built for small business owners, freelancers, and anyone who runs a website but doesn't have a dedicated IT or security team. If you want to know whether your website is safe and fast — without wading through technical jargon — AuditStack is for you.

No. You just enter your website URL and email address, pay if required, and we deliver your report. No sign-up, no password, no account needed.

Yes, completely safe and legal. We only analyse publicly available information — SSL certificates, HTTP response headers, DNS records, and similar data that any browser or server lookup would return. We never attempt to log in, exploit vulnerabilities, or do anything intrusive. The scan is entirely passive.

Most scans complete in under 60 seconds. You'll see your full results in the browser as soon as the scan is done, and you can download a PDF copy straight away. A detailed report is also delivered to your email.

We check ten security categories: SSL/TLS configuration, security headers (HSTS, CSP, X-Frame-Options, and more), cookie security flags, HTTPS enforcement, mixed content, server information leakage, robots.txt for sensitive path exposure, security.txt compliance, DNS authentication records (SPF, DMARC, DKIM), and technology detection. Each category gets a pass, warning, or fail result with a plain-English explanation.

Your score runs from 0 to 100 and maps to a letter grade from A+ to F. An A or A+ means your website follows current best practices across all major areas. A B or C means there are areas to improve — important, but not urgent. A D or F means there are significant gaps that should be addressed soon, as they could put your business or visitors at risk.

You can scan any publicly accessible website — including websites you don't own. We only use data that any browser or DNS lookup would return, so scanning a competitor or checking a supplier's site is perfectly fine. If a website requires a login to access, we won't be able to scan those protected pages.

No. Every finding includes a plain-English explanation of what the issue is, why it matters to your business, and exactly how to fix it. You don't need to know what a CSP header is — we tell you what to ask your developer to do, or walk you through it yourself. If anything is still unclear, reply to your results email and we'll help for free.

Every issue in your report comes with specific, actionable steps. For many findings, you can fix them yourself by updating a setting in your hosting control panel or CMS. For others, you may need to pass the report to a developer — and we've written the recommendations in plain language so anyone can understand them. If you're stuck, email us and we'll point you in the right direction.

The speed report is powered by Google PageSpeed Insights and covers four areas: Performance, Accessibility, Best Practices, and SEO — each scored out of 100 for both mobile and desktop. You get Core Web Vitals data (LCP, INP, CLS), specific issues that are slowing your site down, and clear recommendations to improve each score. The report is completely free — no payment required.

Google PageSpeed tests mobile performance using a simulated slower device and mobile network connection. Most websites score lower on mobile because they haven't been optimised for those conditions. Your report will tell you exactly which issues are dragging your mobile score down and how to fix them.

We cross-reference your email address and domain against a database of known data breaches — compiled from publicly disclosed incidents where credentials, personal data, or business information was leaked. We check for email accounts, leaked passwords, and domain-level exposure. If a match is found, we tell you which breach it came from, what data was exposed, and what you should do next.

Yes. We use your email address only to deliver your report — we never sell it, share it with third parties, or use it for marketing without your consent. Scan results are stored securely and not shared beyond your report delivery. See our Privacy Policy for full details.

We accept all major credit and debit cards (Visa, Mastercard, American Express) via Stripe — a secure, PCI-compliant payment processor. We do not store your card details. Prices are shown in your local currency where possible.

Because scan results are delivered instantly and in full, we're unable to offer refunds as a general policy. However, if your scan fails to complete or delivers an error, get in touch straight away and we'll resolve it — either by re-running the scan at no charge or issuing a full refund. We want you to be happy with your results.

Monthly monitoring ($79/month) runs a full security and performance scan of your website every month and sends you an updated report. You'll be alerted if your scores drop, new vulnerabilities emerge, or anything changes. It also includes historical score tracking so you can see progress over time. Cancel anytime — no minimum commitment.

The Full Website Audit combines a Security Scan and a Data Breach Scan into one report at a bundled price. You get the complete security analysis across ten categories plus a check of your email and domain against known breach databases — everything you need to understand your website's security posture in one go.

Yes. Free 1-to-1 support is included with every paid scan. If anything in your report is confusing, you're not sure how to fix an issue, or you'd like a second opinion, simply reply to your results email. We'll respond personally — not with an automated template.

We aim to respond to all support requests within one business day. For urgent issues — such as a scan that failed or a security finding you're concerned about — we'll do our best to get back to you the same day.