Transport Security
The handshake is where trust begins. We enumerate every TLS version the server accepts, probe for weak cipher suites, and verify that forward secrecy, OCSP stapling, and certificate chains are wired correctly.
- TLS 1.0 / 1.1 / 1.2 / 1.3 protocol matrix
- Weak legacy cipher acceptance (RC4, 3DES, SHA-1 CBC)
- Forward secrecy (ECDHE / DHE / TLS 1.3 AEAD)
- Cipher preference (server vs. client)
- Ephemeral key strength (DH group, EC curve)
- RSA / ECDSA key size on certificate
- OCSP stapling enabled
- Certificate chain validation & hostname match
- HSTS max-age, includeSubDomains, preload list membership
Content & Headers
Your response headers are the last line of defense against XSS, clickjacking, and MIME confusion. We parse Content-Security-Policy directive-by-directive and validate every modern isolation header.
- Deep CSP directive parse with strict-dynamic awareness
- unsafe-inline / unsafe-eval detection
- default-src and object-src baselines
- X-Frame-Options vs. CSP frame-ancestors coverage
- X-Content-Type-Options nosniff
- COOP / COEP / CORP cross-origin isolation
- Mixed content references in final HTML
- SRI integrity on external scripts
Privacy & Trackers
The curated tracker database covers analytics, advertising, session-replay, tag managers, and social pixels. We parse the rendered HTML and flag every third-party origin that matches a known signature.
- Google Analytics, Tag Manager, Ads, DoubleClick
- Meta, TikTok, LinkedIn, X, Pinterest, Reddit, Snap pixels
- Hotjar, FullStory, LogRocket, Smartlook, Mouseflow
- Mixpanel, Segment, Amplitude, Heap, PostHog, Plausible
- Microsoft Clarity, Adobe Audience Manager
- Chat widgets (Intercom, Drift, Zendesk)
- Referrer-Policy and Permissions-Policy headers
- Third-party host aggregation with eTLD+1 filtering
Email Authentication
A properly configured domain publishes more than SPF and DMARC. We probe the full stack including DKIM key publication, MTA-STS enforcement, TLS reporting destinations, and BIMI branding.
- SPF record with all-qualifier analysis (-all / ~all / +all)
- DMARC policy (none / quarantine / reject) and pct
- DKIM selector probing across 13 common ESP selectors
- MTA-STS TXT record plus policy body fetch (RFC 8461)
- MTA-STS mode: enforce / testing / none
- SMTP TLS Reporting endpoints (RFC 8460)
- BIMI record with optional VMC authority URL
Cookies & CORS
Cookies carry authentication state. CORS controls cross-origin access. A wildcard ACAO with credentials is the canonical critical misconfiguration, and we cap the grade accordingly.
- Secure, HttpOnly, SameSite attributes per cookie
- SameSite=None without Secure (hard fail)
- Set-Cookie parsing via RFC-compliant splitter
- Access-Control-Allow-Origin wildcard detection
- ACAO: * combined with Allow-Credentials: true
- Per-origin allowlist validation
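As an added illustration of the two hard-fail cases above (not the scanner's own code), a hypothetical Python checker that parses Set-Cookie attributes and flags SameSite=None without Secure, and flags a wildcard ACAO paired with Allow-Credentials: true. The sample headers are constructed.

```python
from typing import Dict, List

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into lower-cased attribute -> value pairs.
    The leading name=value pair is kept under the key 'name'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {"name": name.strip()}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flag attrs get ""
    return attrs

def cookie_findings(set_cookie_headers: List[str]) -> List[str]:
    """Per-cookie checks for Secure, HttpOnly and SameSite."""
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if "secure" not in c:
            findings.append(f"{c['name']}: missing Secure")
        if "httponly" not in c:
            findings.append(f"{c['name']}: missing HttpOnly")
        samesite = c.get("samesite", "").lower()
        if not samesite:
            findings.append(f"{c['name']}: missing SameSite")
        elif samesite == "none" and "secure" not in c:
            # Browsers reject this combination; treat it as a hard fail.
            findings.append(f"{c['name']}: SameSite=None without Secure (hard fail)")
    return findings

def cors_findings(headers: Dict[str, str]) -> List[str]:
    """Wildcard ACAO, and the critical wildcard-plus-credentials pairing."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("ACAO wildcard")
        if creds:
            findings.append("ACAO: * with Allow-Credentials: true (critical)")
    return findings

if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    cookies = ["sid=abc; Path=/; HttpOnly; SameSite=None"]
    cors = {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true"}
    for line in cookie_findings(cookies) + cors_findings(cors):
        print(line)
```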
DNS & Exposure
DNS controls who can issue certificates and whether responses are validated. We also probe well-known sensitive paths to surface leaked secrets, repository metadata, and backup files.
- CAA record presence and issuer allowlist
- DNSSEC validation via Cloudflare DoH (AD flag)
- MX record inventory
- Reverse DNS / rebinding protection
- Exposure probes: /.git/config, /.env, /.well-known/security.txt
- Directory listing and backup file detection
- HSTS Preload list cross-check against Chromium
- Technology fingerprinting (CMS, framework, server, CDN)