
Introduction

Exposurix Documentation

Exposurix is an all-in-one cybersecurity toolkit for individuals, freelancers, and small businesses who need professional-grade security monitoring — without a dedicated security team.

The platform combines dark web breach monitoring, 14 active security scanning tools, a Security Score engine, and automated alerts in a single dashboard. Every scan hits live targets — there is no cached or simulated data.

ℹ️ All tool results come from live API calls and real network requests. Scan times range from about 1 second (DNS, WHOIS) to 60 seconds (Port Scanner over large ranges, Exposed Files).

14 security tools · 12B+ breach records · 100% real data

Getting Started

Quick Start Guide

You can start using Exposurix in under 3 minutes. No credit card required for the Free plan.

1. Create your account
Go to exposurix.com/login and sign up with your email. You'll receive a confirmation link; click it to activate your account. New accounts get a 14-day Pro trial automatically, with no credit card required.

2. Add your email to monitor
From the Dashboard, type your email address in the "Add an email to monitor" field and click Add. The address is checked against 12+ billion breach records on demand: you'll see "⚡ Never scanned — click to check", so click the 🔍 button to trigger your first live scan.

3. Run your Security Score
Click 🛡️ Security Score in the sidebar, enter your domain (e.g. yourdomain.com), and click Scan. Within 30–60 seconds you'll get a score from 0–100 covering SSL, HTTP headers, email security, open ports, vulnerabilities, exposed files, and DNS. Security Score is a Starter+ feature; it is included in the 14-day Pro trial.

4. Explore the individual tools
Navigate to Tools → Network Tools or Security Tools. Free tools (DNS, SSL, WHOIS, Headers, Password, Email Spoofing, CVE) are available immediately. Starter+ tools unlock with any paid plan.

5. Set up notifications (recommended)
Go to Settings → Notifications. Enable Instant Breach Alerts to be emailed immediately when a new breach is detected on any monitored email. Starter+ users can also enable Automatic Scan so Exposurix scans your emails on a schedule without any manual action.

The Free plan includes 1 monitored email, 7 security tools, and 4 generator tools. It is permanently free, with no credit card required.

Feature

🛡️ Security Score

The Security Score gives you a single 0–100 aggregate rating for any domain by running 7 parallel checks and weighting each by impact. It's the fastest way to get a comprehensive security overview.

⚠️ Requires a Starter plan or higher.

What gets scanned

The seven component maxima add up to 100:

🔐 SSL / TLS Certificate (20 pts max): certificate validity, expiry date, issuer, protocol version (TLS 1.2 vs 1.3). An expired cert scores 0; a cert close to expiry scores partial.
📋 HTTP Security Headers (20 pts max): checks for HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing headers reduce the score proportionally.
📨 Email Security, SPF / DKIM / DMARC (15 pts max): verifies SPF record correctness, DKIM key presence, and DMARC policy strength. A DMARC policy of p=reject scores full points; p=none scores partial.
🔌 Dangerous Open Ports (15 pts max): scans for high-risk open ports: RDP (3389), SMB (445), database ports (3306, 5432, 27017), Telnet (23), FTP (21). Each exposed service deducts points.
🛡️ Vulnerability Check (15 pts max): runs a basic vulnerability scan covering server version disclosure, outdated software signals, and common misconfigurations.
🗂️ Exposed Sensitive Files (10 pts max): probes for publicly accessible .env, .git, database dumps, and admin panels. Any accessible sensitive file causes a major deduction.
📡 DNS Security (5 pts max): checks for CAA records (which restrict which CAs can issue certificates for your domain) and verifies that DNS records are consistent.

Grade scale

A: 80–100 · Excellent
B: 60–79 · Good
C: 40–59 · Fair
D: 20–39 · Poor
F: 0–19 · Critical

Remediation guide

Every finding below your target score includes a step-by-step fix guide — exact DNS records to add, Nginx/Apache config lines, and links to test your changes. The report can be exported as a PDF from the Security Score page.

💡 Scan history for Security Score is stored locally in your browser (up to 10 domains). Pro users also have access to server-side scan history via Settings → Scan History.

Tools

Network Tools

Network tools analyze the external footprint of any domain or IP. All scans use live network requests against real targets.

🚫 Only use these tools on systems you own or have explicit written permission to test. Unauthorized scanning may violate laws in your jurisdiction. Passive tools (DNS, WHOIS, SSL, Header Analyzer) are safe to use on any public domain.
🔍 Port Scanner (Starter+)
Scans TCP ports on any domain or IP address to identify open services and potential entry points. Uses parallel scanning across 50 workers; a 1–1000 port range typically completes in 2–10 seconds depending on target response time.
Input: domain or IP address, port range (e.g. 1-1000 or 80,443,8080), protocol (TCP/UDP/Both)
Scan time: 2–10 seconds (depends on range and target response time)
Returns: open port list with service name, protocol, and banner (version/service info where available)
Data source: direct TCP connection attempts from the Exposurix server
Example result:
Port 22 (SSH) — OPEN · Banner: SSH-2.0-OpenSSH_8.9p1
Port 443 (HTTPS) — OPEN
Port 3306 (MySQL) — OPEN ⚠️ High risk — database exposed
Ports 22, 80, and 443 being open is normal. Ports 3306 (MySQL), 5432 (Postgres), 27017 (MongoDB), 3389 (RDP), and 445 (SMB) should never be publicly exposed.
If you see a database port open, restrict it immediately using your firewall or cloud security group so that only your application server's IP can reach it.
Use the range 1-65535 for a full scan, but this takes longer. Start with 1-1000 to catch the most common services.
Because the scan originates from the Exposurix server, it shows what the public internet sees, not what is reachable from inside your network. UDP results are less conclusive than TCP: a UDP service that does not answer an empty probe looks the same as a filtered port, so treat UDP "closed/filtered" results as inconclusive rather than as proof that nothing is listening.
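The scan the Port Scanner entry describes, written out as an added Python example (not Exposurix's code): parallel TCP connect() attempts, a short banner read, and a flag on the ports the page lists as never-to-be-exposed. The service-name table and the loopback listener used by the self-test are constructed; point scan() at a host you are authorised to test to use it for real.

```python
"""TCP connect scan with banner grab and high-risk flagging.

Added example, not Exposurix's own scanner. It mirrors what the Port Scanner
entry describes: parallel connect() attempts, a short banner read, and a flag
on the ports the page says should never be internet-facing. The loopback
listener in demo_local_scan() is constructed for the self-test.
"""
from __future__ import annotations

import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports the page lists as "should never be publicly exposed".
HIGH_RISK = {21: "FTP", 23: "Telnet", 445: "SMB", 3306: "MySQL",
             3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}
# Ports that are normally open on a web host (assumed service names).
COMMON = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "HTTPS", 8080: "HTTP-alt"}


def parse_port_spec(spec: str) -> list[int]:
    """Accept the tool's input forms: '1-1000', '80,443,8080', or a mix."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 1 <= p <= 65535:
                raise ValueError(f"bad port: {part}")
            ports.add(p)
    return sorted(ports)


def probe(host: str, port: int, timeout: float = 1.0) -> dict | None:
    """One TCP connect() attempt. Returns a finding if the port accepts, else None."""
    banner = ""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                # SSH, FTP and SMTP greet first; HTTP and TLS stay silent,
                # so an empty banner is normal and not an error.
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:          # includes socket.timeout on every version
                pass
    except OSError:
        return None                  # refused, filtered or timed out: not open
    return {"port": port,
            "service": HIGH_RISK.get(port) or COMMON.get(port) or "unknown",
            "banner": banner,
            "high_risk": port in HIGH_RISK}


def scan(host: str, spec: str, workers: int = 50, timeout: float = 1.0) -> list[dict]:
    """Scan the ports in `spec` concurrently; results come back sorted by port."""
    ports = parse_port_spec(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
    return [r for r in results if r is not None]


def format_finding(r: dict) -> str:
    line = f"Port {r['port']} ({r['service']}) OPEN"
    if r["banner"]:
        line += f" | Banner: {r['banner']}"
    if r["high_risk"]:
        line += " | HIGH RISK: restrict to trusted source IPs at the firewall"
    return line


def demo_local_scan() -> list[dict]:
    """Self-test: scan a throwaway loopback listener that fakes an SSH greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # ephemeral port; constructed target
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
            conn.sendall(b"SSH-2.0-OpenSSH_9.6 constructed-banner\r\n")
            conn.close()
        except OSError:
            pass

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    try:
        return scan("127.0.0.1", str(port), timeout=2.0)
    finally:
        t.join(5)
        srv.close()


if __name__ == "__main__":
    for finding in demo_local_scan():
        print(format_finding(finding))
```

The worker count and timeout are the two knobs that matter against a real target: too many workers trip rate limiting or intrusion detection, and a timeout shorter than the target's round-trip time turns open ports into silent misses.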
🛡️ Vulnerability Scanner (Starter+, Deep scan Pro only)
Checks for common security misconfigurations and weaknesses: missing headers, outdated TLS, exposed dangerous ports, missing SPF/DMARC, server version disclosure, and more. Deep scan mode (Pro) runs additional checks including directory traversal probes.
Input: domain or IP, scan depth (Basic / Standard / Deep)
Scan time: 10–40 seconds
Returns: findings sorted by severity (CRITICAL / HIGH / MEDIUM / LOW / INFO), each with a remediation recommendation
Plan: Basic + Standard: Starter · Deep scan: Pro only
Start with a Standard scan; it covers the most impactful issues without the longer Deep scan time.
CRITICAL and HIGH findings should be fixed immediately, MEDIUM within a week. LOW findings are improvements, not emergencies.
Re-scan after making fixes to confirm each finding is resolved.
🌐 Subdomain Finder (Starter+)
Enumerates subdomains of a domain using Certificate Transparency logs (crt.sh) combined with a brute-force wordlist. Returns only active subdomains with their resolved IP addresses.
Input: root domain (e.g. example.com)
Scan time: 10–30 seconds
Returns: list of active subdomains, their IPs, and HTTP status where available
Data source: crt.sh (Certificate Transparency) + DNS resolution
Forgotten subdomains (staging, dev, old-api) are a common attack vector: they often run outdated software with fewer protections. Certificate Transparency logs are public and permanent, so every subdomain you have ever obtained a certificate for is visible to attackers as well.
If you find a subdomain you don't recognize, check who manages it and either secure or decommission it. A subdomain whose CNAME still points at a hosting service you no longer use is a takeover risk: delete the DNS record when you delete the service.
📡 DNS Lookup (Free)
Queries live DNS servers for A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain. Useful for verifying DNS changes, checking SPF/DMARC records, and troubleshooting email delivery issues.
Input: domain name, record type(s) to query
Scan time: 1–3 seconds
Returns: raw DNS records for each selected type with TTL values
Data source: live DNS resolution via dnspython (Google/Cloudflare resolvers)
Common use cases:
Verify SPF: query TXT on your domain and look for the record starting with v=spf1
Verify DMARC: query TXT on _dmarc.yourdomain.com
Verify DKIM: query TXT on <selector>._domainkey.yourdomain.com
Check mail servers: query MX; each answer is a priority plus a mail server hostname
DNS changes can take up to 48 hours to propagate; the old record's TTL sets the upper bound. Use this tool to verify whether your change is live yet. Because it resolves through public resolvers rather than your authoritative nameserver, a cached answer may still show the old value for a while.
TXT records hold SPF, DMARC, Google/Microsoft verification codes, and DKIM public keys.
🔐 SSL/TLS Checker (Free)
Connects to any domain and inspects its SSL/TLS certificate: validity, expiry date, issuer chain, and protocol version. Grades from A (valid, 90+ days remaining) to F (expired or invalid).
Input: domain name (port 443 by default)
Scan time: 2–5 seconds
Returns: valid-until date, days remaining, issuer, subject, grade, protocol version
A: valid, 90+ days remaining
B: valid, 30–90 days remaining
C: valid, under 30 days remaining
F: expired or invalid
If you use Let's Encrypt, make sure automatic renewal is in place: the certbot package installs a systemd timer (or cron job) that runs certbot renew, and certbot renew --dry-run confirms the renewal path works without issuing a certificate. Render.com manages SSL automatically for custom domains.
A certificate expiring in less than 30 days should be renewed immediately; browsers show full-page warnings once it expires. The letter grade is driven by expiry, so check the reported protocol version separately and treat anything below TLS 1.2 as a finding in its own right.
📋 WHOIS Lookup (Free)
Retrieves domain registration data from WHOIS servers: registrar, creation date, expiry date, nameservers, and registrant contact (when not GDPR-redacted). Useful for researching domain ownership and checking your own domain's expiry.
Input: domain name
Scan time: 2–6 seconds
Returns: registrar, creation/expiry dates, nameservers, country, registrant info (if public)
GDPR rules mean most .com/.net registrant contact details are now redacted. Country and registrar are usually still visible.
Always check your own domain's expiry date: an expired domain can be registered by anyone and used for phishing, and it takes your email and DNS with it. Enable auto-renew and registrar lock at your registrar.
📊 Header Analyzer (Free)
Fetches HTTP response headers from any URL and grades the security configuration. Checks for 6 critical security headers and identifies server version disclosure. Produces an overall score from 0–100 and a letter grade.
Input: URL (e.g. https://example.com)
Scan time: 3–8 seconds
Checks: HSTS · CSP · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy
Returns: per-header pass/fail, overall score, server type (if disclosed), specific remediation lines
Most impactful missing headers:
HSTS forces HTTPS and prevents downgrade attacks
CSP prevents XSS by restricting script sources
X-Frame-Options prevents clickjacking
Adding all 6 security headers takes under 10 minutes in Nginx: one add_header line per header in your server block. Keep them all at the same level: an add_header inside a location block replaces, rather than adds to, the add_header lines inherited from the server block, so a location that sets one header silently drops the other five.
Start with HSTS and X-Frame-Options; they're the simplest to add and have the highest security impact. Two cautions: HSTS is enforced for max-age seconds after the browser first sees it, and with preload it is effectively permanent, so make sure every subdomain serves HTTPS before you add includeSubDomains and preload. For CSP, deploy with Content-Security-Policy-Report-Only first and tighten once the reports are clean; a strict policy pushed straight to production commonly breaks inline scripts and third-party widgets.
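As an added example, not the Header Analyzer's own logic, the following Python scores a response's headers against the six checks above and the server-disclosure rule, and returns the per-header findings together with a score and grade. The per-header weights, the rules for what counts as a weak value, the grade bands (borrowed from the Security Score scale) and both sample responses are assumptions.

```python
"""Score HTTP security headers the way the Header Analyzer entry describes.

Added example, not Exposurix's analyzer. The six headers and the
server-version check come from the page; the per-header weights, the
"weak value" rules and the grade bands are assumptions, and the sample
responses are constructed.
"""
from __future__ import annotations

import re

SIX_MONTHS = 15_552_000   # seconds; assumed minimum HSTS max-age to count as strong
STRONG, WEAK = 15, 8      # points per header: 6 x 15 = 90, plus 10 if no version leak


def _hsts(v: str) -> str | None:
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "no max-age"
    if int(m.group(1)) < SIX_MONTHS:
        return f"max-age {m.group(1)} is short; use at least {SIX_MONTHS}"
    return None


def _csp(v: str) -> str | None:
    # Only script-src (falling back to default-src) is judged here; that is the
    # directive that decides whether CSP stops XSS at all.
    directives: dict[str, list[str]] = {}
    for d in v.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return "no script-src or default-src: script origins are unrestricted"
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return "script-src allows 'unsafe-inline' without a nonce or hash"
    if "*" in sources:
        return "script-src allows scripts from any origin"
    return None


def _xfo(v: str) -> str | None:
    return None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "use DENY or SAMEORIGIN"


def _xcto(v: str) -> str | None:
    return None if v.strip().lower() == "nosniff" else "value must be nosniff"


def _referrer(v: str) -> str | None:
    weak = ("unsafe-url", "no-referrer-when-downgrade")
    return "leaks the full URL cross-origin" if v.strip().lower() in weak else None


def _permissions(v: str) -> str | None:
    return None if v.strip() else "empty policy"


CHECKS = [("strict-transport-security", _hsts), ("content-security-policy", _csp),
          ("x-frame-options", _xfo), ("x-content-type-options", _xcto),
          ("referrer-policy", _referrer), ("permissions-policy", _permissions)]


def grade(score: int) -> str:
    for floor, letter in ((80, "A"), (60, "B"), (40, "C"), (20, "D")):
        if score >= floor:
            return letter
    return "F"


def analyze(headers: dict[str, str]) -> dict:
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    score, findings = 0, []
    for name, check in CHECKS:
        if name not in h:
            findings.append(f"MISSING {name}")
            continue
        reason = check(h[name])
        if reason:
            score += WEAK
            findings.append(f"WEAK {name}: {reason}")
        else:
            score += STRONG
    server, powered = h.get("server", ""), h.get("x-powered-by", "")
    if re.search(r"\d", server) or powered:      # a digit in Server means a version leaked
        findings.append(f"DISCLOSURE server={server!r} x-powered-by={powered!r}")
    else:
        score += 10
    return {"score": score, "grade": grade(score), "findings": findings}


# Constructed responses: a default PHP/nginx install and a hardened one.
WEAK_RESPONSE = {"Server": "nginx/1.24.0", "X-Powered-By": "PHP/8.1.2", "Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
PARTIAL_RESPONSE = {**HARDENED_RESPONSE, "Strict-Transport-Security": "max-age=300", "Server": "nginx/1.24.0"}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("partial", PARTIAL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        r = analyze(resp)
        print(name, r["score"], r["grade"], *r["findings"], sep="\n  ")
```

The point of the value checks is that presence is not enough: an HSTS header with a five-minute max-age or a CSP that allows 'unsafe-inline' for scripts passes a naive presence test while delivering almost none of the protection.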
📧 Email Harvester (Pro)
Discovers publicly exposed email addresses associated with a domain by crawling publicly accessible pages and OSINT sources. Use it to assess your domain's email exposure: exposed addresses are prime targets for phishing and credential stuffing.
Input: domain name
Scan time: 10–25 seconds
Returns: list of discovered email addresses with source URL
If emails like admin@, dev@, or ceo@ are publicly exposed, add them to your breach monitoring immediately.
Use a contact form instead of publishing email addresses directly on your website to reduce exposure.

Tools

Security Tools

Threat intelligence and configuration analysis tools to identify vulnerabilities before attackers do.

🔑 Password Strength Checker (Free)
Analyzes password strength (entropy, length, character diversity) and checks whether the password appears in known data breaches using HaveIBeenPwned's k-anonymity range API. The password is sent to the Exposurix server over HTTPS, where it is SHA-1 hashed; only the first 5 hex characters of that hash leave the server, and HIBP returns every known hash suffix for that prefix. The server compares your full hash against that list and returns only the result. The password is never stored or logged.
Input: password to check (hashed on the Exposurix server, never stored)
Privacy: k-anonymity; only the 5-character SHA-1 prefix is sent to HIBP, which never receives the password or its full hash
Returns: strength score (Weak/Fair/Good/Strong), entropy bits, breach count if found in the HIBP database
K-anonymity explained:
1. Your password hunter2 → SHA-1 hash → F3BBBD...
2. The server sends the prefix F3BBB to HIBP → HIBP returns all hash suffixes it holds under F3BBB
3. The server checks locally whether the rest of your hash appears in that list → HIBP learns only a 5-character prefix that many unrelated passwords share
The privacy guarantee is towards HIBP, not towards Exposurix: the Exposurix server sees the plaintext password for the duration of the request, which is why it is not logged. If you would rather not send a password anywhere, hash it locally and query the HIBP range endpoint yourself.
A password found in breaches means it exists in attacker wordlists; change it immediately on every service where you use it.
A strong password has 12+ characters, uppercase + lowercase + numbers + symbols, and no dictionary words.
Use the Password Generator tool to create a cryptographically secure password, then test it here.
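The k-anonymity exchange above, as an added Python example that is not Exposurix's implementation. Both sides are simulated offline: hibp_range() stands in for HIBP's range endpoint and serves a constructed breach corpus, while pwned_count() is the client that sends only the 5-character prefix and matches the suffix locally. fetch_range_live() shows the real request but is never called here.

```python
"""HaveIBeenPwned-style k-anonymity password check with both sides simulated.

Added example, not Exposurix's implementation. hibp_range() stands in for the
real https://api.pwnedpasswords.com/range/<PREFIX> endpoint and serves a
constructed breach corpus; fetch_range_live() is the real call (never invoked
here). Only the 5-character prefix ever crosses the simulated network boundary.
"""
from __future__ import annotations

import hashlib
import urllib.request

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Client side: the prefix is shared with HIBP, the suffix never leaves the client."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


# Constructed stand-in for HIBP's corpus: password -> times seen in breaches.
_CONSTRUCTED_CORPUS = {"hunter2": 2, "password123": 130_000, "letmein": 50_000}
_CORPUS_BY_HASH = {sha1_hex(p): n for p, n in _CONSTRUCTED_CORPUS.items()}


def hibp_range(prefix: str) -> str:
    """Server side: every suffix under `prefix`, one 'SUFFIX:COUNT' per line.

    Real responses carry a few hundred unrelated suffixes per prefix (that is
    what makes the query k-anonymous); one constructed filler line stands in.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = [f"{h[PREFIX_LEN:]}:{n}" for h, n in _CORPUS_BY_HASH.items() if h.startswith(prefix)]
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:0")   # filler, constructed
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """The real endpoint (not called in this example). Add-Padding asks HIBP to
    pad the answer with dummy 0-count entries so response size reveals nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    out: dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch=hibp_range) -> int:
    """Client side: send only the prefix, match the suffix locally.
    Padding entries (count 0) are treated as not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple 9xQ!"):
        prefix, _ = split_hash(sha1_hex(pw))
        print(f"{pw!r}: prefix sent = {prefix}, seen in breaches = {pwned_count(pw)}")
```

To run this against the real service, pass fetch=fetch_range_live to pw.ned_count; the only change is where the prefix goes. SHA-1 is used here because that is the format the HIBP corpus is keyed on, not because it is a suitable password hash for storage.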
📨 Email Spoofing Checker (Free)
Audits SPF, DKIM (checks 15+ common selectors), and DMARC records for any domain. Grades each component A–F and generates specific remediation instructions including the exact DNS records to add.
Input: domain name (e.g. yourdomain.com)
Scan time: 5–12 seconds
Returns: SPF record + grade, DKIM key status + grade, DMARC policy + grade, actionable fix for each failure
What each record does:
SPF lists the servers allowed to send email for your domain
DKIM cryptographically signs outgoing emails so recipients can verify they weren't modified in transit and really came from your domain
DMARC tells receiving mail servers what to do if SPF/DKIM fail (none / quarantine / reject) and where to send reports
Without SPF + DMARC, anyone can send emails pretending to be from your domain; this is how most phishing attacks work. SPF alone is not enough: it checks the envelope sender, which an attacker controls independently of the From address the recipient sees. DMARC closes that gap by requiring SPF or DKIM to align with the From domain.
Start DMARC with p=none to monitor, then move to p=quarantine, then p=reject once you're confident. Add a rua= address from the start so you receive aggregate reports; without them you cannot tell what a stricter policy would block.
DKIM lookups require knowing the selector. Because this tool tries common selectors only, a "DKIM not found" result for a provider with a custom selector may be a false negative; confirm with the selector shown on your provider's setup page. If you use Resend or Amazon SES, check their docs for the exact DKIM CNAME records to add to your DNS.
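An added Python example (not Exposurix's code) that parses and grades SPF and DMARC records the way this checker and the Security Score's email component describe, and emits the exact _dmarc record to add for a domain that has none. The grade thresholds and the constructed TXT records for example.com, example.net and example.org are assumptions; swap lookup_constructed for a real TXT resolver to audit a live domain.

```python
"""Parse and grade SPF and DMARC TXT records.

Added example covering the Email Spoofing Checker and the email component of
the Security Score; it is not Exposurix's code. Grade thresholds and the
constructed TXT records are assumptions. A live version would fetch TXT for
<domain> and _dmarc.<domain> (for example with dnspython) instead.
"""
from __future__ import annotations

LETTERS = "ABCDF"
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the 10-lookup limit


def _downgrade(letter: str, steps: int = 1) -> str:
    return LETTERS[min(LETTERS.index(letter) + steps, len(LETTERS) - 1)]


def grade_spf(txt_records: list[str]) -> dict:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"grade": "F", "issues": ["no SPF record"], "lookups": 0}
    if len(spf) > 1:
        return {"grade": "F", "issues": ["multiple SPF records: receivers return permerror"], "lookups": 0}
    issues: list[str] = []
    lookups, all_qualifier = 0, None
    for term in spf[0].split()[1:]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("=")[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated and slow")
        if body == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    grade = {"-": "A", "~": "B", "?": "D", "+": "F", None: "D"}[all_qualifier]
    if all_qualifier == "+":
        issues.append("+all authorises every host on the internet to send as you")
    elif all_qualifier == "~":
        issues.append("~all only marks spoofed mail; prefer -all once DMARC reports are clean")
    elif all_qualifier is None:
        issues.append("no all term: unmatched senders get a neutral result")
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
        grade = _downgrade(grade, 2)
    return {"grade": grade, "issues": issues, "lookups": lookups}


def grade_dmarc(txt_records: list[str]) -> dict:
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return {"grade": "F", "policy": None, "pct": 0, "issues": ["no DMARC record at _dmarc.<domain>"]}
    tags: dict[str, str] = {}
    for part in recs[0].split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    grade = {"reject": "A", "quarantine": "B", "none": "D"}.get(policy, "F")
    issues: list[str] = []
    if grade == "F":
        issues.append(f"missing or invalid p= tag ({policy!r})")
    pct = int(tags.get("pct", "100"))
    if policy in ("reject", "quarantine") and pct < 100:
        issues.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
        grade = _downgrade(grade)
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    return {"grade": grade, "policy": policy or None, "pct": pct, "issues": issues}


def dmarc_fix(domain: str, reports_to: str) -> str:
    """The record to add to start monitoring (assumed first step of the rollout)."""
    return f'_dmarc.{domain} IN TXT "v=DMARC1; p=none; rua=mailto:{reports_to}"'


def audit(domain: str, txt_lookup) -> dict:
    """txt_lookup(name) returns the TXT strings for name; pass a real resolver to go live."""
    return {"spf": grade_spf(txt_lookup(domain)),
            "dmarc": grade_dmarc(txt_lookup(f"_dmarc.{domain}"))}


# Constructed zone data (RFC 2606 names, not real records).
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
                    "google-site-verification=constructed"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine; pct=50"],
    "example.org": ["v=spf1 +all"],
    "_dmarc.example.org": [],
}


def lookup_constructed(name: str) -> list[str]:
    return CONSTRUCTED_TXT.get(name, [])


if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org"):
        print(d, audit(d, lookup_constructed))
    print(dmarc_fix("example.org", "dmarc@example.org"))
```

The pct and rua checks are the ones people miss: a p=quarantine record with pct=50 lets half of all spoofed mail through, and a p=reject record without rua gives you no visibility into what is being rejected, including your own misconfigured senders.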
🌍 IP Reputation Check (Starter+)
Checks any IP address against the AbuseIPDB threat intelligence database, one of the largest community-maintained blocklists. Returns an abuse confidence score, total report count, ISP, country, and whether the IP is a known Tor exit node.
Input: IPv4 or IPv6 address
Scan time: 2–5 seconds
Returns: abuse score (0–100%), total reports, ISP, country, Tor status, recent report categories
Data source: AbuseIPDB, community-reported threat intelligence
Score 0–25%: clean. 26–75%: suspicious, watch carefully. 76–100%: high risk; block immediately if you see this in your logs.
Use this to check IPs making unusual requests to your server: look for failed-login IPs in your logs and run them here. Reputation is a signal, not proof; shared hosting, carrier-grade NAT, and VPN exits put many users behind one address, so a high score on a customer IP is a reason to investigate rather than an automatic ban.
Your own server's IP should score 0%. If it doesn't, investigate whether your server has been compromised and is sending spam or attacks.
🔬 Tech Stack Detector (Starter+)
Fingerprints technologies used by any website by analyzing HTTP response headers, HTML meta tags, JavaScript files, and cookie names. Identifies CMS (WordPress, Shopify, Drupal), frameworks (React, Vue, Next.js), CDN providers, analytics platforms, payment systems, and more.
Input: URL (e.g. https://example.com)
Scan time: 5–15 seconds
Returns: detected technologies grouped by category with confidence scores
Run this on your own site to check what version information you're leaking: a visible WordPress or PHP version helps attackers target known CVEs.
If the WordPress version is visible, add remove_action('wp_head', 'wp_generator'); to your theme's functions.php. Hiding the version string is cosmetic; keeping WordPress, PHP, and plugins patched is what actually removes the exposure.
Use this for competitive research; understanding a competitor's stack is legitimate OSINT.
🗂️ Exposed Files Scanner (Starter+)
Probes 29 commonly misconfigured sensitive paths on any domain. Checks for accessible .env files, .git directory exposure, database dumps, backup files, admin panels, and debug endpoints. An accessible .env exposes every API key and database password in your application; an exposed .git directory lets anyone reconstruct your full source history, including secrets committed and later removed.
Input: domain or URL
Scan time: 8–20 seconds (parallel requests across 10 workers)
Paths checked: .env, .git/HEAD, config.php, wp-config.php, database.sql, backup.zip, phpinfo.php, and 22 others
Returns: accessible paths with HTTP status, content preview, and severity (CRITICAL/HIGH/MEDIUM)
🚨 If this tool finds an accessible .env file or .git directory, treat it as a critical incident: rotate all credentials immediately, then fix the exposure. Assume the secrets were already harvested; automated scanners sweep the internet for exactly these paths around the clock.
Block access to sensitive paths in Nginx: location ~ /\.(env|git|htpasswd) { deny all; return 404; }
Never deploy .env files to your web root. Use platform environment variables (Render env vars, Vercel env vars) instead. Blocking the path at the web server is a second line of defence, not the fix.
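An added Python example, not the Exposed Files Scanner itself, that probes a site for the paths named above, filters soft 404s by checking that the body looks like the real file, and redacts KEY=VALUE secrets before they reach a report. The severities, the soft-404 rules and the temporary web root served on loopback by the self-test are assumptions.

```python
"""Probe a site for commonly exposed sensitive paths and classify the hits.

Added example, not Exposurix's scanner. The paths are the ones the page names
(its full list of 29 is not reproduced there); severities, soft-404 filters
and the redaction rule are assumptions, and the self-test serves a constructed
.env from a temporary directory on loopback rather than touching a real host.
"""
from __future__ import annotations

import functools
import http.server
import os
import re
import shutil
import tempfile
import threading
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# path -> (severity, test that separates a real hit from a 200 "soft 404" page)
PATHS = {
    "/.env":          ("CRITICAL", lambda b: re.search(rb"^[A-Z0-9_]+=", b, re.M) is not None),
    "/.git/HEAD":     ("CRITICAL", lambda b: b.startswith(b"ref: refs/")),
    "/wp-config.php": ("CRITICAL", lambda b: b"DB_PASSWORD" in b),
    "/database.sql":  ("CRITICAL", lambda b: re.search(rb"CREATE TABLE|INSERT INTO", b, re.I) is not None),
    "/backup.zip":    ("CRITICAL", lambda b: b.startswith(b"PK\x03\x04")),
    "/config.php":    ("HIGH",     lambda b: b"<?php" in b),            # only a hit if source leaks
    "/phpinfo.php":   ("HIGH",     lambda b: b"PHP Version" in b),
    "/admin/":        ("MEDIUM",   lambda b: True),                     # existence is the finding
}
_SECRET_VALUE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$", re.M)


def redact(preview: str) -> str:
    """Mask values in KEY=VALUE lines so the report never re-leaks the secret."""
    return _SECRET_VALUE.sub(lambda m: f"{m.group(1)}=***", preview)


def probe_path(base_url: str, path: str, timeout: float = 5.0) -> dict | None:
    severity, looks_real = PATHS[path]
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "exposed-files-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(512)
    except OSError:             # HTTPError/URLError (4xx, 5xx, refused, timeout): not accessible
        return None
    if status != 200 or not looks_real(body):
        return None             # 200 with an HTML error page is a soft 404, not a leak
    preview = redact(body.decode("utf-8", "replace"))[:200]
    return {"path": path, "status": status, "severity": severity, "preview": preview}


def scan(base_url: str, workers: int = 10) -> list[dict]:
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda p: probe_path(base_url, p), PATHS)
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted((h for h in hits if h), key=lambda h: order[h["severity"]])


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the self-test silent
        pass


def demo_local_scan() -> list[dict]:
    """Self-test: serve a constructed web root containing a leaked .env on loopback."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".env"), "w") as f:
        f.write("DB_PASSWORD=constructed-secret\nAPI_KEY=constructed-key\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>constructed site</h1>")
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(_QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo_local_scan():
        print(hit["severity"], hit["path"], hit["status"], repr(hit["preview"]))
```

The content test matters as much as the status code: many sites return 200 with a branded error page for any URL, and a scanner without a body check reports every probed path as exposed.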

Tools

⚡ Generator Tools

Client-side generators that run entirely in your browser. Nothing is sent to any server — all computation happens locally using the browser's built-in cryptographic APIs.

🔑
Password Generator Free
Generates cryptographically secure passwords using window.crypto.getRandomValues() — the same API used by password managers. Configurable length (8–64 characters), character sets (uppercase, lowercase, numbers, symbols), with real-time strength scoring.
Use 16+ characters with all 4 character types for accounts that matter — email, banking, admin panels.
Generate a password here, then immediately test it in the Password Checker to see if it has been in any breaches (very unlikely for newly generated passwords, but good practice).
Store generated passwords in a password manager (Bitwarden, 1Password); never keep them in a plain-text file, and don't rely on browser autofill alone.
👤
Username Generator Free
Generates unique usernames in 5 styles: Cool, Cyber, Gamer, Pro, and Random. Generates 8 suggestions at once. Click any username to copy it. Useful for creating pseudonymous accounts that don't reveal your real name or identity.
Using a username that doesn't reveal your real name reduces your digital footprint and makes cross-site tracking harder.
Cyber and Pro styles generate usernames that look professional — useful for API keys, service accounts, or developer profiles.
🛡️
Security Headers Generator (Free)
Generates a complete set of HTTP security response headers ready to paste into your server configuration. Supports four output formats: Nginx (add_header directives), Apache (.htaccess / mod_headers), Cloudflare Workers (event listener with header injection), and Next.js (headers array for next.config.js). The generated configuration covers all major security headers: Strict-Transport-Security (HSTS) with includeSubDomains and preload, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. All generation runs client-side; nothing is transmitted to Exposurix servers.
Input: platform selection (Nginx, Apache, Cloudflare, Next.js); no other input required
Output: ready-to-paste configuration block with all major security headers, one-click copy to clipboard
Processing: entirely client-side; nothing is sent to Exposurix servers
Nginx: paste the generated directives inside your server {} block (not inside a location block that already has its own add_header, which would override them), then run nginx -t && systemctl reload nginx to apply.
Apache: paste into your .htaccess file at the root of your site. Requires mod_headers to be enabled (a2enmod headers).
Cloudflare: use the Transform Rules → Modify Response Headers tab in your Cloudflare dashboard, or place the output in a _headers file at your site root if using Cloudflare Pages.
Next.js: paste the headers array into next.config.js under the headers() async function. Deploy or restart the dev server to activate.
After applying, verify your headers with the HTTP Header Analyzer tool to confirm they are served correctly in production. Two things to review before deploying the generated block: the HSTS header includes preload, so remove that token (and do not submit to hstspreload.org) until every subdomain is permanently on HTTPS, because preload-list inclusion is not quickly reversible; and the generic Content-Security-Policy will block inline scripts and third-party embeds, so adjust its sources to your site, ideally after a period in Content-Security-Policy-Report-Only.
🔥
Firewall Rules Generator (Free)
Generates hardened firewall rule sets for three common environments: UFW (Ubuntu/Debian), iptables (Linux raw), and AWS Security Groups (inbound rules JSON). Each profile is tailored to a use case: Web Server (ports 22, 80, 443), API Server (22, 443, 3000/8080), Database Server (22, 5432/3306 restricted to your network), Mail Server (22, 25, 587, 993), VPN Server, or Full Stack (all of the above). Rules follow the deny-all-then-allow principle: all traffic is blocked by default and only the minimum required ports are opened. All generation runs client-side; nothing is transmitted to Exposurix servers.
Input: firewall type (iptables, UFW, AWS Security Groups) + server profile (Web Server, API Server, Database Server, Mail Server, VPN Server, Full Stack)
Output: complete, ordered rule set ready to apply on your server or paste into your cloud provider's console
Processing: entirely client-side; nothing is sent to Exposurix servers
UFW: copy the generated commands and run them as root or with sudo. Always confirm SSH (port 22) is allowed before running ufw enable; locking yourself out of a remote server is a common mistake. Consider restricting SSH to your own IP, or use ufw limit 22/tcp to rate-limit brute-force attempts.
iptables: rules are applied immediately but are not persistent across reboots. Save them with iptables-save > /etc/iptables/rules.v4 and restore on boot via iptables-restore or netfilter-persistent. Apply them from a console session, or arm a rollback first (for example a background job that runs iptables -P INPUT ACCEPT && iptables -F after a few minutes unless you cancel it) so a mistake cannot lock you out.
AWS Security Groups: the generated JSON follows the AWS inbound rules format. You can apply it via the EC2 console (Security Groups → Inbound Rules → Edit) or with the AWS CLI using aws ec2 authorize-security-group-ingress. Security groups are stateful and deny inbound traffic by default, so only the allow rules need to be created.
For Database Server profiles, the rules restrict database ports (5432 for PostgreSQL, 3306 for MySQL) to your internal network range only. Update the source CIDR to match your actual VPC or private subnet before applying; a 0.0.0.0/0 source on a database port is exactly the exposure the Port Scanner flags as high risk.
After applying firewall rules, use the Port Scanner tool to verify that only the intended ports are visible from the outside.

Feature

📧 Email Breach Monitoring

Exposurix continuously monitors your email addresses against the HaveIBeenPwned database — the largest public breach database with 12+ billion compromised accounts across thousands of breaches.

How it works

1. You add an email to monitor
Your email is stored encrypted in our database and used only to query the HIBP API. We never sell or share it.
2. We query HaveIBeenPwned
On each scan, we send your email to the HIBP v3 API and get back a list of all breaches containing that email. Breach data includes name, date, affected service, and the data types exposed (passwords, phone numbers, addresses, etc.).
3. New breaches trigger an alert
If a breach is found that wasn't in our records before, you receive an email alert immediately (if enabled in Settings → Notifications). The alert includes the breach name and the types of data exposed.

Scan frequency by plan

Plan    | Manual scan          | Auto scan              | Email alerts
Free    | 1× per 24h per email |                        |
Starter | Unlimited            | Monthly (1st of month) | ✓ Instant
Pro     | Unlimited            | Weekly (Sundays)       | ✓ Instant

What to do if you find a breach

⚠️ Immediate action checklist when a breach is detected:
1. Change your password on the affected service immediately
2. If you reused that password elsewhere, change it on every other service
3. Enable 2-factor authentication on the affected account
4. Check your email account for suspicious login activity
5. If financial data was exposed, monitor your bank statements
💡 The Scan All button on your dashboard re-checks every monitored email sequentially with a 1.8-second delay between each to respect HIBP rate limits.

Plans

Plans & Pricing

Feature                                   | Free                 | Starter ($33/yr · $6/mo) | Pro ($87/yr · $9/mo)
Monitored emails                          | 1                    | 5                        | 25
Breach check frequency                    | 1× per 24h per email | Unlimited                | Unlimited
Automatic email scan                      |                      | Monthly                  | Weekly
Free tools (DNS, SSL, WHOIS, Headers, Password, Email Spoofing, CVE Search) | ✓ | ✓ | ✓
Security Score                            |                      | ✓                        | ✓
Starter+ tools (Port Scanner, Subdomain Finder, IP Reputation, Tech Stack, Exposed Files) | | ✓ | ✓
Vulnerability Scanner, Deep Scan mode     |                      |                          | ✓
Email Harvester                           |                      |                          | ✓
Scan history (last 100 scans)             |                      |                          | ✓
Export scan history as CSV                |                      |                          | ✓
14-day Pro trial on signup                | ✓                    | ✓                        | ✓
Priority support                          |                      |                          | ✓
Also compared per plan on the pricing page: instant breach alerts (email), weekly security report email, export of PDF security reports, and custom notification schedule.
💡 All prices are in USD. Enterprise plans with unlimited emails and API access are available; contact us for pricing.

Trust

Security & Privacy

A cybersecurity platform that doesn't secure your data is worthless. Here's exactly how Exposurix handles your information.

🔐 Password checking: k-anonymity
When you use the Password Checker, your password is sent over HTTPS to the Exposurix server, where it is hashed with SHA-1. Only the first 5 hex characters of that hash are sent to HaveIBeenPwned; the API returns every hash suffix it holds for that prefix, and the server compares your full hash against that list and returns the result. Your password is never stored, logged, or retained after the check completes.
📧 Email monitoring: what we store
Monitored email addresses are stored encrypted in our database and used exclusively to query the HIBP breach database. We never sell, share, or use your emails for any purpose other than breach detection. You can delete all monitored emails at any time from the Dashboard.
🔑 HIBP API keys: encrypted at rest
If you provide your own HaveIBeenPwned API key in Settings, it is encrypted with Fernet (authenticated symmetric encryption from the Python cryptography library: AES-128 in CBC mode with an HMAC-SHA256 tag) before being stored in the database. The key is decrypted only in memory at scan time and is never exposed in API responses; only a masked preview (xxxx...xxxx) is returned.
🌐 Scan results: what gets saved
For Free and Starter users, tool scan results are not stored server-side; they are returned in real time and displayed only in your browser session. Pro users have Scan History, which stores the last 100 scans, accessible and deletable at any time from Settings → Scan History.
🛡️ Authentication
Passwords are hashed with bcrypt, never stored in plain text. Sessions use signed JWT tokens with a 24-hour expiry, invalidated immediately on logout via a token blacklist. All API endpoints require authentication and are rate-limited to prevent brute-force attacks. Two-factor authentication (TOTP) is available in Settings → Security.
🚫 No ads, no data selling
Exposurix does not display advertisements and does not sell user data to third parties. Revenue comes exclusively from paid subscriptions. Full Privacy Policy: exposurix.com/privacy.

FAQ

Frequently Asked Questions

Yes: the Free plan is permanently free with no credit card required. It includes 1 monitored email, 7 security tools, and the 4 generator tools. All new accounts also get a 14-day Pro trial automatically. Paid plans (Starter at $45 CAD/yr or $8 CAD/month, Pro at $119 CAD/yr or $12 CAD/month; see Plans & Pricing for USD prices) unlock additional emails, alerts, and advanced tools.
Every new account gets full Pro access for 14 days — including all 14 tools, Security Score, scan history, PDF export, 25 monitored emails, weekly auto-scans, and instant breach alerts. No credit card required. After 14 days, your account automatically reverts to the Free plan unless you upgrade.
Exposurix tools are for authorized use only — you must only scan systems you own or have explicit written permission to test. Unauthorized scanning may violate computer fraud laws in your country. The passive tools (DNS Lookup, WHOIS, SSL Checker, Header Analyzer) are safe to use on any public domain.
We query the HaveIBeenPwned API v3, which contains data from thousands of public data breaches affecting 12+ billion accounts. When you scan an email, we check it against this database and display any breaches found — including the breach name, date, affected data types, and a link to full details on HIBP.
It means the email was just added and has never been checked against the HIBP database yet. Click the ⚡ "Never scanned — click to check" text or the 🔍 button on the email card to trigger your first scan. Results appear in 3–10 seconds.
Free users can manually scan once per 24 hours per email. Starter users get monthly automatic scans (1st of each month) plus unlimited manual scans. Pro users get weekly automatic scans (every Sunday) plus unlimited manual scans. All plans can receive instant breach alerts if enabled in Settings → Notifications.
Act immediately: (1) Change your password on the affected service, (2) If you reused that password anywhere else, change it there too, (3) Enable 2-factor authentication on the affected account, (4) Review your account for unauthorized activity, (5) If financial info was exposed, monitor your bank statements and consider a credit freeze.
Most sites that "seem fine" are missing several HTTP security headers (HSTS, CSP, X-Frame-Options) which are invisible to users but important for security. Missing SPF/DKIM/DMARC records are also common — they don't affect your site's functionality but allow attackers to send emails impersonating your domain. The remediation guide in your Security Score report shows exactly what to fix.
Yes. Cancel anytime from Settings → Subscription. Your plan stays active until the end of the billing period, then automatically reverts to the Free plan. Your account and data are not deleted on cancellation.
Free and Starter users: scan results are not stored server-side — shown in real time in your browser session only. Pro users have Scan History which stores the last 100 scans, filterable, sortable, and exportable as CSV from Settings → Scan History. All stored scans can be deleted at any time.
Go to Settings → Privacy and click "Delete Account". This permanently deletes all your data — monitored emails, breach records, scan history, and account information. This action is irreversible. Alternatively, email [email protected] and we'll handle it manually.
Email us directly at [email protected]. Pro users get priority support with faster response times.

Updates

📝 What's New

Latest updates and improvements to Exposurix.

April 2026
New Forgot Password & Account Deletion
Password reset via email link (1h expiry, anti-enumeration). Delete Account with password confirmation and full data cascade cleanup.
April 2026
Security Pentest — 9.5/10 Score
Full penetration test completed: SSRF (6 variants), CORS, JWT, IDOR, command injection, 2FA bypass — all protected. Rate limiting tightened on promo code endpoint.
March 2026
New Security Score with PDF Export
Aggregate 0-100 security score across 7 categories (SSL, headers, email, ports, vulns, files, DNS). Detailed remediation guide with step-by-step fix instructions. Export as PDF report.
March 2026
New Blog, Promo Codes & Crypto Payments
Bilingual blog (EN/FR) with 13 articles. Promo code system with checkout integration. NOWPayments crypto payment option alongside PayPal.
February 2026
Fix HIBP Key Encryption & Security Hardening
HIBP API keys encrypted at rest with Fernet. IDOR fix on breach deletion. Crypto webhook HMAC bypass fix. Four additional security headers added.
© 2026 Exposurix. All rights reserved.