X-Ray

Point it at any website, see what's running underneath.

DNS · HTTP
🔬

Enter a URL above to begin scanning

What is X-Ray?

A lightweight website intelligence tool built for curiosity. No accounts, no tracking, and no third-party analytics. Everything runs in your browser, and nothing about your usage is stored.

What it looks at

X-Ray inspects the public surface of any domain you enter. That includes DNS records (A, MX, TXT, NS, CAA, DNSSEC), HTTP response headers, basic technology and hosting signals, certificate configuration, email security setup (SPF, DKIM, DMARC), the site's robots.txt file, and social meta tags (Open Graph and Twitter Card).

It brings all of that together into a structured view so you can quickly understand how a site is configured at a technical level.

How it works

X-Ray pulls data from two sources:

  • DNS information is retrieved directly from a DNS-over-HTTPS resolver in your browser. This gives authoritative results for records like SPF, DMARC, and CAA. If a record is missing here, it genuinely does not exist in DNS.
  • HTTP information is collected by requesting the target site and reading the publicly observable response headers. This allows the tool to see things like security headers, caching behavior, and server signals.

Everything runs client-side. There is no database, no logging, and no background processing after the page loads. Network requests consist of DNS lookups, an HTTP fetch for the target site, and if a social preview image is declared in the page's meta tags, a direct browser request to load that image for display. No data about your usage is collected or stored.

How results are interpreted

Not every signal has the same reliability, so X-Ray treats them differently.

  • DNS-based records are treated as definitive. If a record such as SPF, DMARC, CAA, or DNSSEC is missing, that reflects the actual state of the domain.
  • HTTP headers are contextual. They reflect a single observed response and can vary depending on caching, routing, or delivery layer behavior. Presence is meaningful, but absence is not always conclusive.
  • Some signals, such as DKIM detection, are inherently incomplete from the outside. DKIM selectors are not standardized, so the tool checks common patterns, but a custom configuration may not be visible.

The security score reflects these differences by weighting DNS-level signals more heavily than HTTP-level ones, and by reducing the impact of incomplete or error responses.

Limitations

X-Ray captures what can be observed from a public vantage point using DNS queries and a single HTTP request. Some sites may behave differently depending on location, user type, or edge configuration, and those differences will not always be visible here.

CDN-backed services may apply security headers at infrastructure layers that are not exposed consistently in raw responses. When this is detected, the tool notes it rather than treating it as a failure.

DKIM detection is also limited by design. Since selectors are arbitrary, absence of a match does not necessarily indicate misconfiguration.

Why it exists

X-Ray started as a tool built to quickly understand what was happening behind domains, and check currently implemented configurations. Instead of digging through multiple tools and dashboards, I wanted a single place to see the full surface-level picture of a site.

The goal is simple: make it easier to look under the hood of a website, understand how it is put together, and do so in a way that is transparent about what can and cannot be seen from the outside.