Security & Privacy Panel
How Safe Are You Right Now?
HTTPS status, WebRTC leaks, permissions, storage access, and your live security score — scanned the moment this page loads.
Understanding Every Signal
What each security check actually tests, and why the result matters.
Connection Security
HTTPS Status & Secure Context
HTTPS confirms your connection to this site is encrypted in transit. Secure context is a stricter browser-level check — it confirms the browser will allow sensitive APIs (camera, microphone, geolocation, WebCrypto) to run. A page can technically be served over HTTPS but still fail the secure context check in edge cases involving mixed content or unusual origins.
Mixed Content
Mixed content means an HTTPS page is loading resources (scripts, images, iframes) over HTTP. Even one HTTP resource weakens the security of an otherwise encrypted page, since that resource can be intercepted and modified in transit. Modern browsers block active mixed content (scripts and iframes) by default but may allow passive content (images) with a warning.
WebRTC Exposure
WebRTC Exposure, Local IP Leak & WebRTC IP Match
WebRTC is a browser API for peer-to-peer communication. It can reveal your real local network IP address (typically 192.168.x.x or 10.x.x.x) even when accessed over a VPN, because it communicates directly rather than through the VPN tunnel. Local IP leak confirms whether your private network address is visible. WebRTC IP match checks whether the public IP WebRTC reports matches what the rest of your connection shows — a mismatch is a VPN leak.
Storage Access
Cookie, localStorage, sessionStorage & IndexedDB Access
These four confirm whether the browser will actually write to each storage mechanism. Users in private browsing, or with aggressive privacy settings, may have some or all of these blocked. Sites that rely on any of these for session management, preferences, or offline capability will behave differently when they're unavailable — knowing which are accessible explains unexpected behavior on some sites.
Permissions
Camera, Microphone, Location & Notification Permission
These report the current permission state — granted, denied, or prompt — for each sensitive API. The states shown here don't mean IntelReap has requested these permissions; it uses the Permissions API to read whatever state was previously set by user decisions on this site or through browser-level defaults, without triggering any new prompts.
Clipboard Read & Write
Clipboard access requires explicit user permission and is gated by a prompt in most browsers. Clipboard read permission is particularly sensitive since it would allow a page to read whatever you've copied system-wide. These are checked via the Permissions API — IntelReap never actually accesses your clipboard content.
Privacy Signals
Do Not Track, Third-Party Cookies & Referrer Policy
Do Not Track is a voluntary browser signal requesting sites not track browsing behaviour — most sites ignore it, but its presence confirms the user has opted in. Third-party cookie access tells you whether cross-site cookies can be set in your browser — increasingly blocked by default. Referrer policy reports what navigation origin information this page's server declares it will share with subsequent requests.
Content Security Policy, Fingerprint Surfaces, Security Flags & Warnings
CSP presence confirms whether this page is served with a Content Security Policy header, which restricts what resources can load and helps prevent XSS attacks. Fingerprint surfaces is a count of how many browser APIs that are commonly exploited for fingerprinting are accessible on your browser. Security flags and warnings are the specific issues found during the scan that contributed to lowering your security score.
What Your Security Score Actually Reflects
It's about your browser's current configuration, not about you
A low security score doesn't mean your device is compromised or that you're under attack. It means your current browser configuration exposes more surfaces than a hardened configuration would — an open WebRTC local IP, broad permissions previously granted, or storage fully accessible. Most of these are adjustable through browser settings or privacy-focused extensions.
The most impactful single change most users can make
If only one security improvement were worth making, disabling WebRTC in browsers where it isn't needed for active use has the highest return for the effort. It eliminates the local IP leak entirely and removes the VPN bypass risk. Most desktop browsers expose a setting or extension option to do this without disabling other functionality.