Blog post

Web Check — helping you to secure your public sector websites

Created: 17 Jul 2017
Updated: 17 Jul 2017
Author: Philip C
Web Check Findings example screen shot

The UK public sector has a huge digital estate to manage, and it isn't easy. Many of you with responsibilities in this area have told us that you'd really like help with keeping on top of all your services and staying protected against common problems with the websites you manage. We listened. We did the research. 

And so now we'd like to introduce you to Web Check — a free to use website configuration and vulnerability scanning service, available to all UK public sector organisations.

We've built up steadily during development and tested with users across government. So already, Web Check is robust and it:

  • services over 300 users with a 'quiet'* package of scans
  • scans more than 1,200 government sites every day
  • has delivered more than 2,900 findings to our users

*The 'quiet' package makes fewer connections to a server than an average web user visiting a single page.

We are also constantly expanding the range of vulnerabilities and misconfigurations that Web Check can check for and report on.

"Web Check came about by listening to the experiences of local government with automated vulnerability scanning tools. We see Web Check helping system owners find and fix common issues; letting them focus on trickier issues that only people can find."

Chief Technology Officer, NCSC Digital Government

Who can use it

Web Check is now live and currently available to those who manage websites for UK public sector bodies including:

  • local government
  • emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
  • central government
  • the National Health Service
  • devolved administrations
  • Crown dependencies
  • British overseas territories

Of these, we think that local government and emergency services are particularly likely to benefit from using Web Check.

We will also look at opportunities to extend the service to the private sector in future.

What it does

First you create your own 'watch list' of website URLs you manage. Then Web Check runs a non-intrusive scan and reports its findings to you. You can share your URLs and findings with colleagues and annotate findings for future reference.


Web Check scans the URLs on your watch list and checks on whether or not your:

  • user data is protected both in transit and in the user's web browser
  • website is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP)
  • servers and their software are patched

Web Check does this on an ongoing basis, so it will inform you of new issues as they emerge and as new checks are added.


Web Check reports to you, breaking down information about each website into several groups of findings:

  • positive — site configurations that conform to best practices
  • informational — configurations that you could optimise, or information that you may find useful
  • advisory — configuration problems that leave the site vulnerable
  • urgent — serious configuration problems that you should fix without delay
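
The following Python example is added here for illustration and is not NCSC's code or Web Check's actual logic: it runs checks of the kind listed above (HTTPS, HSTS, CSP, cookie flags) over one response's headers and sorts the results into the four groups. The function name `audit`, the six-month threshold, the mapping of checks to groups and the sample response are assumptions.

```python
import re

SIX_MONTHS = 15552000  # seconds; assumed minimum HSTS max-age for "positive"

def audit(url, headers):
    """Return (group, message) findings for one HTTP response.

    headers is a list of (name, value) pairs, since Set-Cookie may repeat.
    Group names come from the page; which check maps to which group is assumed.
    """
    def get(name):
        return [v for k, v in headers if k.lower() == name]

    findings = []
    https = url.lower().startswith("https://")
    if not https:
        findings.append(("urgent", "page served over plain HTTP"))

    # Browsers ignore HSTS received over plain HTTP (RFC 6797), and
    # max-age=0 deletes the policy, so neither counts as protection.
    hsts = get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts and https else None
    if m is None or int(m.group(1)) == 0:
        findings.append(("advisory", "no usable HSTS policy"))
    elif int(m.group(1)) < SIX_MONTHS:
        findings.append(("informational", "HSTS max-age under six months"))
    else:
        findings.append(("positive", "HSTS enabled"))

    csp = get("content-security-policy")
    if not csp:
        findings.append(("advisory", "no Content-Security-Policy header"))
    elif "'unsafe-inline'" in csp[0]:
        findings.append(("informational", "CSP allows 'unsafe-inline'"))
    else:
        findings.append(("positive", "CSP present"))

    for cookie in get("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = sorted({"secure", "httponly"} - attrs)
        if missing:
            findings.append(("advisory", f"cookie {name} lacks {', '.join(missing)}"))
    return findings

# Constructed sample response, not output from Web Check.
SAMPLE = [("Strict-Transport-Security", "max-age=86400"),
          ("Content-Security-Policy", "default-src 'self'"),
          ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
```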

Focusing on your certificates

Data from our trial users suggest that most urgent findings arise in sites that have misconfigured or outdated certificates (the data files that allow secure connections from a web server to a web browser). These issues can lead to insecure transactions and error messages, both of which harm the relationship between citizens and the public service they are using.

We aim to do more in this area, so that Web Check can help you set up and manage your certificates better.

"We use Web Check on new and existing URLs to check for common vulnerabilities and to ensure we have set sites up in line with current recommended practice. It gives peace of mind to know we will get notifications from the service if any future issues occur. If you are considering using this free service I would thoroughly recommend signing up."

Senior Project Manager, Local Authority

How to get started with Web Check

If you're among those we mentioned (Who can use it), then go ahead and create an NCSC Signin account at You can request access from there.


paul - 17 Jul 2017
we are eligible for this service, but, more and more, we are engaging with third parties that host services for us - as we don't directly manage those services (and they won't have a domain), is it permitted to include them as sites to be scanned?
Web Check team - 28 Jul 2017
Paul, thanks for your enquiry. You can add domains to Web Check with a non gov suffix as long they host services that have a public sector function and you have permission to run our checks against them. If you need any help adding them you can contact us directly by choosing the "feedback" link from any page on the Web Check site.
David - 04 Aug 2017
We are a digital agency who develop sites and apps, as well as the middleware that powers them, for a range of public-sector clients, including the NHS. Are we able to access Web Check ourselves?
Chris - 14 Aug 2017
Can schools use the service?
Web Check team - 18 Aug 2017
Hi Chris. Thanks for your feedback and interest in Web Check. We can confirm that schools are able to use this service.
Nil - 20 Sep 2017
Will any of the information contained within the service be accessible or monitored by the NCSC or other organisation?
Can I obtain further detail on the hosted location and security standard employed by the service?
Many thanks.
Web Check team - 09 Oct 2017
All of the information contained within the service will be handled in accordance with the privacy policy at and the terms and conditions at
Mark Taylor - 25 Sep 2017
What is the scanning schedule for sites that are added? Do you scan once and then only again if new vulnerability alerts are released since that scan, or do you re-scan on a set period?
Also can you explain the "Lifespan" column please? What does the lifespan time refer to?

Thanks in advance,

Web Check team - 09 Oct 2017
The scanning schedule varies but defaults to every 24 hours. The lifespan column shows the amount of time that has elapsed since the finding was last detected.
Buddy - 05 Oct 2017
Can regulated public utilities (Electricity, Gas, Water) use this function to check their public-facing websites?
Web Check team - 06 Oct 2017
Hi Buddy,

Regulated public utilities are not currently covered by the NCSC's terms and conditions and therefore, at this time, they cannot access Web Check.
Martin H. - 25 Oct 2017
Dear NCSC, you state "We will also look at opportunities to extend the service to the private sector in future." Can you say any more on this? Also internationally for other friendly countries CNI operators? Working with FCO and DIT this is an important topic for all. Happy to discuss..
nick smith - 31 Oct 2017
Hi Web Check Team

We are a major managed services who host multiple .gov customers (incl infrastructure and web sites) and have aligned our protective monitoring against the gpg13 framework. Would we be eligible for this service?
M - 14 Nov 2017
I am not responsible for my authority's (County Council) website but I have a cyber crime role within the business. Our IT functions are contracted out to a large outsourcing firm. Can I run the web check on our behalf so I can refer to the relevant teams (and potentially use the findings as a case study when working with partners) or does it need to be managed via the web team themselves?

Web Check team - 16 Nov 2017
Thanks for the comment. You can run any public sector websites that you're responsible for through Web Check - or delegate the responsibility to your contractors.
Suraj - 21 Mar 2018
Hi Web Check Team,
We run a large number of LocalGov websites and it would be hugely beneficial to be able to test during the build and deploy phases and through our continuous releases. Is there any guidance on asking our customers to grant us access?
Chris - 05 Dec 2017
We have a few public-facing web pages/services from which we only allow users via HTTP (port 80), or are other ports required?

Does the service require additional access beyond basic web browsing to page?
Web Check team - 08 Dec 2017
Hi Chris. All that you need to add a url to Web Check is for it to be publicly available for browsing.
David - 21 Dec 2017
Hello Chris, we are a cybersecurity agency within a Canadian provincial government. Would there be any way for us to either take advantage of the service or migrate it to Canada? We would be more than happy to collaborate and finance any conversion needed.
David Whelbourn - 02 Jan 2018
Apologies this comment was aimed at the Webcheck team and not Chris :-)
Web Check team - 03 Jan 2018
Hi David,

Thanks for getting in touch. We'll be responding to you directly.
Terry Sullivan - 14 Jan 2018
Hi Web Check team

I see from an earlier comment that schools can use this service. Can universities?
Web Check team - 15 Jan 2018
Hi Terry. Thanks for the comment. Universities can!
Phil Williams - 15 Jan 2018
Hi Web Check Team.
I'm really interested in this as part of my checks of websites I run on behalf of charities and not-for-profit organisations associated with schools and school age sports.
Do you have a timetable for when such organisations may be added to the list of 'who can use it'?
Web Check team - 17 Jan 2018
Hi Phil,
State funded schools can use Web Check; they should request access at
Web Check team - 19 Jan 2018
Bad form replying to our own reply... but just to confirm that schools and associated not-for-profit organisations can use the service now. They need to request access.
Andy - 08 Mar 2018
Hi Web Check Team,

Is this available to non-profit organisations (Hospices) as we usually qualify for these kinds of services through government agreements.


Web Check team - 19 Mar 2018
Hi Andy,

Hospices can indeed use webcheck as they are charities.
Peter Norell - 19 Mar 2018
How will this service differ against commercial alternatives, such as Qualys SSL Labs, which inspects and highlights common faults within SSL set-ups?

Does this one offer more for non-SSL line-ups? Does it perform an audit of all major ports?
Web Check team - 19 Mar 2018
Thanks for the message Peter. We do look at more than just TLS, but we don’t audit many ports. We focus on web technologies for Web Check, ports may be part of a future NCSC project
James H - 20 Mar 2018

Are charities eligible for the service!?

Thank you

Web Check team - 21 Mar 2018
Hi James. Charities are indeed eligible.
Bart Hogeveen - 22 May 2018
Good morning,
We are currently looking at a web check tool for Australia. I'd be keen to get in touch with someone to speak about this UK initiative, e.g. regarding its set-up and management. Thanks.
Zahid Ghani - 11 Jul 2018
We host several local government sites. We want to use Web Check to check these sites. Can you let us know how we go about doing this? Do I need to have a particular email domain account? (I don't seem to be able to register with NCSC using my non-government email account.)
Web Check team - 12 Jul 2018

Thanks for your enquiry. If you go to you can sign up and request access from there. You can use any email address, although we prefer a .gov. one or a uk company address.

Let us know if you have any problems.
Mike - 16 Oct 2018
Surely it's in your interests to allow people to use this tool for all websites? For example, if a gardening website is cracked then the registered users are at risk. Viruses can also spread, so the more places that are protected, the slower it will spread.
Oscar - 02 Nov 2018
Their servers run this service and they pay for said servers.
Why would they pay for private businesses?
