Blog post

Web Check — helping you to secure your public sector websites

Created:  17 Jul 2017
Updated:  17 Jul 2017
Author:  Philip C
Web Check Findings example screen shot

The UK public sector has a huge digital estate to manage, and it isn't easy. Many of you with responsibilities in this area have told us that you'd really like help with keeping on top of all your services and staying protected against common problems with the websites you manage. We listened. We did the research. 

And so now we'd like to introduce you to Web Check — a free to use website configuration and vulnerability scanning service, available to all UK public sector organisations.

We've built up steadily during development and tested with users across government. So already, Web Check is robust and it:

  • services over 300 users with a 'quiet'* package of scans
  • scans more than 1,200 government sites every day
  • has delivered more than 2,900 findings to our users
*The 'quiet' package makes fewer connections to a server than an average web user visiting a single page.

And, we are constantly expanding the range of vulnerabilities and misconfigurations on which Web Check can check and report.

"Web Check came about by listening to the experiences of local government with automated vulnerability scanning tools. We see Web Check helping system owners find and fix common issues; letting them focus on trickier issues that only people can find."

Chief Technology Officer, NCSC Digital Government

Who can use it

Web Check is now live and currently available to those who manage websites for UK public sector bodies including:

  • local government
  • emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
  • central government
  • the National Health Service
  • devolved administrations
  • Crown dependencies
  • British overseas territories

Of these, we think that local government and emergency services are particularly likely to benefit from using Web Check.

We will also look at opportunities to extend the service to the private sector in future.

What it does

First you create your own 'watch list' of website URLs you manage. Then Web Check runs a non-intrusive scan and reports its findings to you.  You can share your URLs and findings with colleagues and annotate findings for future reference.


Web Check scans the URLs on your watch list and checks on whether or not your:

  • user data is protected both in transit and in the user's web browser
  • website is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP)
  • servers and their software are patched

Web Check does this on an ongoing basis, so it will inform you of new issues as they emerge and as new checks are added.


Web Check reports to you, breaking down information about each website into several groups of findings:

  • positive — site configurations that conform to best practices
  • informational — configurations that you could optimise, or information that you may find useful
  • advisory — configuration problems that leave the site vulnerable
  • urgent — serious configuration problems that you should fix without delay
Focusing on your certificates

Data from our trial users suggest that most urgent findings arise in sites that have misconfigured or outdated certificates (the data files that allow secure connections from a web server to a web browser). These issues can lead to insecure transactions and error messages, both of which harm the relationship between citizens and the public service they are using.

We aim to do more in this area, so that Web Check can help you set up and manage your certificates better.

"We use Web Check on new and existing URLs to check for common vulnerabilities and to ensure we have set sites up in line with current recommended practice. It gives peace of mind to know we will get notifications from the service if any future issues occur. If you are considering using this free service I would thoroughly recommend signing up."

Senior Project Manager, Local Authority

How to get started with Web Check

If you're among those we mentioned (Who can use it), then go ahead and create an NCSC Signin account at You can request access from there.


paul - 17 Jul 2017
we are eligible for this service, but, more and more, we are engaging with third parties that host services for us - as we don't directly manage those services (and they won't have a domain), is it permitted to include them as sites to be scanned?
Web Check team - 28 Jul 2017
Paul, thanks for your enquiry. You can add domains to Web Check with a non gov suffix as long they host services that have a public sector function and you have permission to run our checks against them. If you need any help adding them you can contact us directly by choosing the "feedback" link from any page on the Web Check site.
David - 04 Aug 2017
We are a digital agency who develop sites and apps, as well as the middleware that powers them, for a range of public-sector clients, including the NHS. Are we able to access Web Check ourselves?
Chris - 14 Aug 2017
Can schools use the service?
Web Check team - 18 Aug 2017
Hi Chris. Thanks for your feedback and interest in Web Check. We can confirm that schools are able to use this service
Nil - 20 Sep 2017
Will any of the information contained within the service be accessible or monitored by the NCSC or other organisation?
Can I obtain further detail on the hosted location and security standard employed by the service?
Many thanks.
Web Check team - 09 Oct 2017
All of the information contained within the service will be handled in accordance with the privacy policy at and the terms and conditions at
Mark Taylor - 25 Sep 2017
What is the scanning schedule for sites that are added? Do you scan once and then only again if new vulnerability alerts are released since that scan, or do you re-scan on a set period?
Also can you explain the "Lifespan" column please? What does the lifespan time refer to?

Thanks in advance,

Web Check team - 09 Oct 2017
The scanning schedule varies but defaults to every 24 hours. The lifespan column shows the amount of time that has elapsed since the finding was last detected
Buddy - 05 Oct 2017
Can regulated public utilities (Electricity, Gas, Water) use this function to check their public-facing websites?
Web Check team - 06 Oct 2017
Hi Buddy,

Regulated public utilities are not currently covered by the NCSC's terms and conditions and therefore, at this time, they cannot access Web Check.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No