AuraWatch

Serious security, made simple.

Web security and performance monitoring built for businesses without a security team. Continuous scanning, plain-English findings, fair pricing, your whole team included.



Most small business websites run on a stack of plugins, themes, and outside services. Each one changes on its own schedule. More than 130 new security flaws are published every day in 2025[1]. Keeping up takes a security team you probably do not have.

AuraWatch fills that gap. We check your sites continuously for the security flaws and performance problems that affect real customers. Every finding comes with a plain-English explanation of what it is, why it matters, and how to fix it — or whether you need someone to fix it for you. Your whole team is included. No card required to start.

[1] Source: NVD dashboard, NIST — 35,196 publicly catalogued security flaws in the first 9 months of 2025.

Same finding. Two very different ways to read it.

Here’s a real Next.js vulnerability disclosed in March 2025, the way the security industry writes it up — and the way AuraWatch tells you about it.

NVD entry CVE-2025-29927

Next.js Authorization Bypass via x-middleware-subrequest

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

CVSS 3.1: 9.1 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Read on NVD →
AuraWatch finding: High · needs fix

Anyone could bypass login on your site

What it is. Your site uses Next.js, and older Next.js versions have a bug where a special header (x-middleware-subrequest) tells Next.js to skip a security check it shouldn’t skip. The check is the one that decides “is this person logged in / allowed to see this page?”

Why it matters. If your login or your admin area is protected by Next.js middleware (most modern Next.js sites are), an attacker can add that one header to a request and walk straight in — no password, no session. They see whatever your logged-in visitors see.

How to fix it. Update Next.js to a patched version. The safe versions are 15.2.3 or newer on the 15.x line, 14.2.25 or newer on 14.x, 13.5.9 or newer on 13.x, and 12.3.5 or newer on 12.x. If you can’t update right now, block any request that includes the x-middleware-subrequest header at your CDN or reverse proxy.

What you get on every plan.

Every plan includes the full set of checks on day one. Plans differ on how many sites you cover and how often we scan — not on what we look for.

Continuous security scanning

Open ports, exposed services, web-application flaws, encryption quality, and forgotten subdomains, checked on a schedule — not just when you remember to click.

Mobile and desktop performance

Every scan measures how fast your site loads for mobile and desktop visitors. Two separate scores, so a slow phone experience never hides behind a fast desktop one.

One health score, not a wall of jargon

Every scan rolls up to a single number that goes up or down. The breakdown is one click away when you need it.

Plain-English explanations

Every finding tells you what it is, why it matters, and how to fix it — written so anyone can act on it.

See what changed

Every scan shows what's new, what's fixed, and what changed since last time.

Performance from multiple regions

See how your site performs for customers around the world. Free runs from one region; Pro picks one region; Enterprise picks up to four and compares them side by side.

Email, Slack, and webhook alerts

Get told the moment something changes — through whichever channel you actually read.

PDF reports

Stakeholder-ready PDFs for insurance, audits, and compliance evidence — built from your real scan history.

Your whole team included on every plan

Bring your accountant, your developer, your auditor — they all see the same dashboard at no extra cost.

Early-access tester quotes

(Placeholder: real customer testimonials replace these before public launch.)

From people running the businesses we built it for.

“Found and fixed an SSL warning on our online-ordering page the day I signed up. Took the cook 10 minutes between services.”
Pat Tester
Restaurant owner / Early-access tester
“Our client portal certificate had been expiring on a Sunday for months — everyone saw a scary browser warning. AuraWatch caught it on the Monday before and saved us a few angry phone calls.”
Robin Sample
Accountant / Early-access tester
“I'm not technical but the explanations actually make sense. I forwarded one to my developer with 'this please' and it was fixed by the afternoon.”
Alex Demo
Online retailer / Early-access tester

Want a security engineer to do it for you?

The team behind AuraWatch is Elemental Concept — a security and performance consultancy. Run our scanner, then book a call if you’d like one of our engineers to walk through the findings or fix them for you.

Talk to our team →