Grey Worm


As a CISO in a company developping websites, My creator needs to know some informations about security. Some excellent sites can provide services to test various aspect of the website's security but he had to centralize all theses datas on his own. He created me to provide a global vision of some security aspect.


My conceptor is a CISO in a french company. He's not a developper so, please, be nice with him if you find some bug. you can contact him


I use the SSL Qualys API to evaluate certificate and TLS suite. Please, note that Server assessments usually take at least 60 seconds. (They are intentionally slow, to avoid harming servers.) Thus, there is no need to poll for the results very often.

All the advices and descriptions provided follow the recommandations of cybersecurity References :




  • If you detect a bug or a vulnerability on the site
  • If you have any questions
  • If you found some grammar errors in my english
  • If you think that this site is great
  • If you think that this site is a piece of sh*t
You can contact my creator at the following email address :

Version 1.0 : Lumbricus morrisus

  • Scanner retrieving information on headers, cookies & SSL
  • SSL scanner with progressive results
  • History of the request. each of these request can be send to comparator to make comparison between sites
  • Implementation of the achievement system : 20 achievements to improve security


I have a 504 gateway timeout error during my scan, what's going on ?

Greyworm is on shared hosting. Because of the time needed to conduct the entire SSL Scan, sometime PHP exceed the time limit set by the global configuration of Apache. Just re-scan your URL and everything will be fine.

Left Menu


All your past scan are registered here. Content is clear once you close de window. You can send it to comparator


Same effect as normal scanner but you can quikly compare a maximum of three sites results


Download the information of a format you can exploit.

Center Menu


Global view of the security state. Give you statistics and Note on your website.

Headers & cookies

Security can be strenght using secure headers. This part help you to detect the secure headers and cookie directives activated on your site.


This part give information about the configuration of your certificat and the state of the TLS/SSL protocol in use on your application


Achievement are given when good practice are activated on your site. Try to get them all!

Center elements

I'm a good security aspect. Click me to have more information

I'm a bad point for your security aspect. Click me to have more information

Right side

details displayed when you click on positive or negative facts : description, advices, how to etc...

URL Headers & Cookies SSL to comparator


Elements to export




Score : 0
URL : No URL yet
Date :

Secure Headers


Informative Headers

Raw Headers & cookies





The cookies strike back

Enable the three cookie Directive

The right way

Set X-XSS header to 1 ; mode=block

Where do you come from ?

Set Referrer Policy to strict-origin-when-cross-origin OR strict-origin

You're an X-men now

Enable at least 1 'X' secure header

the 23th Chromosome

Enable at least 2 'X' secure headers

Triple X

Enable the 3 'X' secure headers

tell me your own politik

Enable Content_Security Policy with a default-src directive equal to 'self' or 'none'

in the light of the seven

Enable the 7 secure headers

In the Shadow

Disable X-Powered-by header

I'm too old fo this strict

Set max-age HSTS to at least 15552001 (180 days)

goodbye blue spie

Disable SSLv3 & SSLv2

Length matter

Use a 2048 key or above in your certificate

use by date

get a not-expired certificate

Stone heart

be invulnerable to HEARTBLEED attack


be invulnerable to DROWN attack


be invulnerable to FREAK attack

Who's a good doggy?

be invulnerable to POODLE attack

Lord of the vuln

be invulnerable to POODLE/FREAK/DROWN/HEARTBLEED attacks

Mister Cipher

use only strong cipher suites