scanners
The 12 scanners behind every report
Each scan runs all of these in parallel. Here is what each one checks, where the grade comes from, and the limits to keep in mind.
1 of 12
SSL Labs
The reference TLS audit on the public web. Tests certificate validity, chain trust, supported protocols, cipher suites, key exchange, forward secrecy, vulnerabilities like ROBOT and Heartbleed, and HSTS configuration. Returns a single letter grade from A+ down to F (or T/M for trust and mismatch issues).
Why it matters: if your TLS is wrong, nothing else you do at the application layer can save you. SSL Labs catches expired certs, weak ciphers, missing intermediate chains, and legacy protocols such as TLS 1.0 and 1.1 that current browsers refuse outright.
Notes: the API is polling-based. A first scan with no cache hit can take 1 to 3 minutes. Subsequent scans are fast as long as cache is enabled.
2 of 12
Mozilla Observatory v2
Mozilla's opinionated audit of HTTP security headers and adjacent best practices. Looks at Content Security Policy, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, cookie flags, subresource integrity, and cross-origin policies. Returns a numeric score (0 to 130 in v2, capped at 100 by us) plus a letter grade.
Why it matters: headers are the single cheapest hardening you can do. They cost nothing, deploy instantly, and stop entire classes of attack (XSS, clickjacking, MIME confusion, mixed content).
3 of 12
securityheaders.com
An independent letter-grade audit of HTTP response headers, run by Scott Helme. It overlaps with Mozilla Observatory but uses a different scoring rubric, so the two grades together give a more honest read.
Notes: the public X-Grade header was gated behind an API key in 2024. When the unauthenticated probe returns a notice instead of a letter, Url Reporter falls back to fetching the target's headers itself and reporting any missing recommended ones. In that fallback path there is no overall letter, only a list of findings.
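The fallback path described above, as an added example rather than Url Reporter's code: a checker run over a captured response-header dict that lists missing recommended headers and flags a few weak values (short HSTS max-age, 'unsafe-inline' in script sources). The recommended set, the thresholds and the two sample header sets are this example's own constructions.

```python
"""Header fallback check: report missing or weak security headers.
Added example, not Url Reporter's code. The recommended set and the
thresholds below are this example's own choices, not a published rubric."""
import re

# Headers a hardened response should carry and why (example's own list).
RECOMMENDED = {
    "strict-transport-security": "forces HTTPS on future visits",
    "content-security-policy": "restricts script and resource sources",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "blocks clickjacking (or use CSP frame-ancestors)",
    "referrer-policy": "limits URL leakage to third parties",
    "permissions-policy": "disables unneeded browser features",
}
ONE_YEAR = 31536000  # seconds; the HSTS preload minimum


def check_headers(headers: dict) -> list:
    """Return a list of findings for a response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in RECOMMENDED.items():
        if name in h:
            continue
        # CSP frame-ancestors is an acceptable substitute for X-Frame-Options.
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(f"missing {name}: {why}")

    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"weak strict-transport-security: max-age {age} < {ONE_YEAR}")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak strict-transport-security: no includeSubDomains")

    csp = h.get("content-security-policy", "")
    if csp:
        # Only the directive that governs scripts matters for XSS; style-src 'unsafe-inline' is a lesser issue.
        if re.search(r"(script-src|default-src)[^;]*'unsafe-inline'", csp, re.I):
            findings.append("weak content-security-policy: 'unsafe-inline' in script sources")
        if not re.search(r"(script-src|default-src)", csp, re.I):
            findings.append("weak content-security-policy: no script-src or default-src")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append(f"weak x-content-type-options: {xcto!r} (expected nosniff)")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for finding in check_headers(WEAK):
        print(finding)
    print("hardened:", check_headers(HARDENED) or "no findings")
```

The check deliberately treats a present-but-weak header as a finding of its own: a 300-second HSTS max-age or a CSP that allows inline scripts passes a naive "is the header set" test while giving almost none of the protection the header exists for.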
4 of 12
internet.nl
A free test suite from the Dutch Internet Standards Platform, a non-profit partnership that includes SIDN (the .nl registry). It audits web standards: modern TLS, DNSSEC, IPv6, certificate transparency compliance, and email security. The most thorough free public scanner if you can use it.
Notes: there is no free public single-scan API. To use it programmatically you must register for an API token. Without one, Url Reporter degrades to a link-out result: the report shows a link to internet.nl with the target URL pre-filled, but contributes no number to the average.
5 of 12
HSTS preload list
The HSTS preload list is compiled into Chromium, and Firefox and Safari ship copies derived from it, so it reaches essentially every mainstream browser user. Domains on the list are forced to HTTPS by the browser before any network request, so attackers cannot strip TLS via a hostile network.
This scanner checks whether your apex and www subdomain are on the official list maintained at hstspreload.org. Preloaded entries require includeSubDomains, so a preloaded apex covers www and every other subdomain; keep serving the HSTS header afterwards, because removal from the list takes months to reach users.
Why it matters: a single misconfigured HTTP redirect can be intercepted on a hostile WiFi network. Preload eliminates that window completely.
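The coverage logic behind that check, as an added example rather than Url Reporter's code: given entries in the shape of Chromium's transport_security_state_static.json (name, mode, include_subdomains), decide whether a host is covered directly or inherits coverage from a preloaded parent, and grade apex and www together. The entries are constructed, not the real list.

```python
"""Decide whether a host is covered by HSTS preload entries.
Added example, not Url Reporter's code. Entries follow the field names of
Chromium's transport_security_state_static.json; these are constructed."""

# Constructed entries (not the real list).
ENTRIES = [
    {"name": "example.com", "mode": "force-https", "include_subdomains": True},
    {"name": "apex-only.test", "mode": "force-https", "include_subdomains": False},
]


def build_index(entries):
    """Index only entries that actually force HTTPS."""
    return {e["name"].lower(): e for e in entries if e.get("mode") == "force-https"}


def preload_coverage(host, index):
    """Return (covering entry name or None, reason).

    Walk from the host up through its parent names. An exact entry covers
    the host; a parent entry covers it only if include_subdomains is set,
    otherwise keep climbing, since a grandparent may still cover it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        entry = index.get(name)
        if entry is None:
            continue
        if i == 0:
            return name, "exact entry"
        if entry.get("include_subdomains"):
            return name, "covered by parent entry with include_subdomains"
    return None, "not preloaded"


def grade(host, index):
    """Both apex and www must be covered for a pass."""
    apex_cov, _ = preload_coverage(host, index)
    www_cov, _ = preload_coverage("www." + host, index)
    if apex_cov and www_cov:
        return "pass"
    if apex_cov or www_cov:
        return "partial"
    return "fail"


if __name__ == "__main__":
    idx = build_index(ENTRIES)
    for h in ("example.com", "deep.sub.example.com", "apex-only.test", "nothing.test"):
        print(h, preload_coverage(h, idx), grade(h, idx))
```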
6 of 12
crt.sh (Certificate Transparency)
Since 2018 browsers have required every publicly trusted TLS certificate to be logged to Certificate Transparency before they will accept it. crt.sh is a public search interface to those logs. Url Reporter pulls every logged cert for the domain, then grades on issuer concentration over the last 90 days.
Why it matters: CT logs reveal certs you didn't request (rogue CA, mis-issuance, sub-domain takeover) and concentration patterns (one CA doing all the work, or a new CA suddenly appearing). They are also the easiest way to find every wildcard a domain has ever had.
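The concentration grading described above, as an added example rather than Url Reporter's code: rows in the shape crt.sh returns for ?q=<domain>&output=json are deduplicated (crt.sh lists the precertificate and the final certificate of one issuance as separate rows), filtered to a 90-day window, grouped by issuing organisation, and compared against the issuers seen before the window. The rows, the fixed clock and the rubric are this example's own.

```python
"""Issuer concentration from crt.sh-style JSON rows.
Added example, not Url Reporter's code. Rows are constructed in the shape
of crt.sh's JSON output; the 90-day window and rubric are this example's."""
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 1)  # fixed clock so the example is reproducible
WINDOW = timedelta(days=90)

# Constructed rows. Serial 04aa appears twice on purpose: crt.sh returns the
# precertificate and the final certificate of one issuance as two rows.
ROWS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "serial_number": "04aa",
     "not_before": "2025-05-20T10:00:00", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "serial_number": "04aa",
     "not_before": "2025-05-20T10:00:00", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R10", "serial_number": "04bb",
     "not_before": "2025-03-15T10:00:00", "name_value": "example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R10", "serial_number": "03ee",
     "not_before": "2024-11-01T10:00:00", "name_value": "example.com"},
    {"issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV", "serial_number": "0ccc",
     "not_before": "2025-05-28T10:00:00", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA", "serial_number": "0ddd",
     "not_before": "2022-01-10T10:00:00", "name_value": "example.com"},
]


def issuer_org(issuer_name):
    """Use the O= component so intermediates R10 and R11 count as one CA."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def dedupe(rows):
    """Collapse precert/leaf pairs: same issuer and serial is one issuance."""
    seen, out = set(), []
    for r in rows:
        key = (r["issuer_name"], r["serial_number"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def analyse(rows, now=NOW):
    rows = dedupe(rows)
    cutoff = now - WINDOW
    recent = [r for r in rows if datetime.fromisoformat(r["not_before"]) >= cutoff]
    older = [r for r in rows if datetime.fromisoformat(r["not_before"]) < cutoff]
    by_issuer = Counter(issuer_org(r["issuer_name"]) for r in recent)
    historical = {issuer_org(r["issuer_name"]) for r in older}
    wildcards = sorted({n for r in rows for n in r["name_value"].split("\n") if n.startswith("*.")})
    return {
        "recent": len(recent),
        "by_issuer": dict(by_issuer),
        "new_issuers": sorted(set(by_issuer) - historical),  # never seen before the window
        "wildcards": wildcards,
    }


def grade(report):
    """Example rubric: a single CA is fine; an issuer with no history for the
    domain is the signal worth a human look (new vendor, or mis-issuance)."""
    if report["recent"] == 0:
        return "no issuance in window"
    if report["new_issuers"]:
        return "review: new issuer(s) " + ", ".join(report["new_issuers"])
    return "ok"


if __name__ == "__main__":
    rep = analyse(ROWS)
    print(rep)
    print(grade(rep))
```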
7 of 12
CAA records
A CAA (Certificate Authority Authorization) DNS record declares which CAs are allowed to issue certs for your domain. CAs check it at issuance time and must refuse to issue if they are not listed. Without one, any public CA can issue for your domain, so a domain-validation weakness at any one of them is enough to obtain a cert that can MITM your traffic. CAA is enforced by the CA, not the browser, so it does not stop a CA that has itself been compromised; that is what Certificate Transparency monitoring is for.
Url Reporter queries CAA via Cloudflare DoH, walks up the DNS tree to find inherited records (per RFC 8659 the first name from the host toward the root that has CAA records supplies the policy), and grades on whether issuance is constrained at all.
Why it matters: a one-line DNS record blocks the class of attacks where an unrelated, well-behaved CA is tricked into issuing a fraudulent cert for your domain. There is no excuse not to set one.
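The lookup and grading described above, as an added example rather than Url Reporter's code: RFC 8659 climbing over a constructed in-memory zone (standing in for Cloudflare DoH), records parsed from the presentation format a DoH JSON answer carries, and a grade that treats issue ";" (nobody may issue) and the critical flag the way a CA would. The zone data and the grade labels are this example's own.

```python
"""CAA lookup with RFC 8659 climbing and a simple grade.
Added example, not Url Reporter's code. The resolver is a constructed
in-memory zone instead of a DoH query; records are in presentation format
('<flags> <tag> "<value>"'), which is how a DoH JSON answer carries them."""
import re

# Constructed zone data: name -> CAA records in presentation format.
ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                          # no wildcard issuance at all
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.test.": ['0 issue ";"'],                # no CA may issue
    "strict.test.": ['128 futuretag "x"'],          # critical flag on an unknown tag
}

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')


def lookup_caa(name):
    """Stand-in for a DoH query of type CAA (returns [] when no records)."""
    return ZONE.get(name.rstrip(".") + ".", [])


def parse_caa(rr):
    flags, tag, value = CAA_RE.match(rr).groups()
    return {"flags": int(flags), "tag": tag.lower(), "value": value}


def effective_caa(host, lookup=lookup_caa):
    """RFC 8659: the first name on the path from host to the root that has
    any CAA records supplies the whole policy. Stop there; do not merge."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrs = lookup(name)
        if rrs:
            return name, [parse_caa(r) for r in rrs]
    return None, []


def ca_names(values):
    """Strip parameters ('letsencrypt.org; validationmethods=dns-01') and
    drop the empty issuer that ';' alone denotes."""
    return [v.split(";")[0].strip() for v in values if v.split(";")[0].strip()]


def grade_caa(host, lookup=lookup_caa):
    source, records = effective_caa(host, lookup)
    if not records:
        return {"grade": "fail", "reason": "no CAA on the host or any parent: any CA may issue"}
    known = {"issue", "issuewild", "iodef"}
    if any(r["flags"] & 128 and r["tag"] not in known for r in records):
        # A CA that does not understand a critical tag must refuse to issue.
        return {"grade": "warn", "source": source,
                "reason": "critical flag on an unrecognised tag; compliant CAs will refuse to issue"}
    issue = [r["value"] for r in records if r["tag"] == "issue"]
    issuewild = [r["value"] for r in records if r["tag"] == "issuewild"]
    if not issue:
        return {"grade": "fail", "source": source, "reason": "CAA set has no issue tag: any CA may issue"}
    return {
        "grade": "pass",
        "source": source,
        "issue": ca_names(issue),
        # Without an issuewild tag the issue tags govern wildcards too.
        "issuewild": ca_names(issuewild) if issuewild else ca_names(issue),
        "iodef": [r["value"] for r in records if r["tag"] == "iodef"],
    }


if __name__ == "__main__":
    for h in ("api.www.example.com", "locked.test", "strict.test", "nothing.test"):
        print(h, grade_caa(h))
```

The one subtlety worth carrying into a real implementation is the stop rule: a CAA set on the apex is not merged with one on a subdomain, so a developer adding a permissive issue tag on dev.example.com silently replaces the apex policy for that name.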
8 of 12
DNSSEC
DNSSEC signs DNS responses cryptographically so resolvers can verify they came from the real authoritative nameservers and were not modified in transit. Url Reporter asks Cloudflare DoH and checks the AD (Authenticated Data) flag on the response.
Why it matters: without DNSSEC, an attacker on the path between a resolver and the authoritative nameservers, or one who poisons a resolver's cache, can return forged answers (wrong A record, wrong MX record). DNSSEC makes that detectable by any validating resolver. Adoption is still patchy, especially among major US registrars, but it is the right default. Two caveats on the check: the AD flag is only trustworthy because the query goes to a validating resolver over an authenticated DoH channel, and AD=0 on a normal answer means the zone is unsigned, not that validation failed; a zone whose signatures do not validate comes back as SERVFAIL instead.
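The classification a probe needs in order to tell those cases apart, as an added example rather than Url Reporter's code: responses in the JSON shape Cloudflare's DoH endpoint returns (Status, AD, Answer) are inspected once normally and, on SERVFAIL, once more with checking disabled (cd=1) to distinguish a validation failure from an ordinary outage. The responses are constructed; a real client would fetch https://cloudflare-dns.com/dns-query?name=<host>&type=A with Accept: application/dns-json.

```python
"""Classify DNSSEC status from DoH JSON responses.
Added example, not Url Reporter's code. Responses are constructed in the
JSON shape of Cloudflare's DoH endpoint (Status, AD, Answer)."""

NOERROR, NXDOMAIN, SERVFAIL = 0, 3, 2

# Constructed responses per host: (normal query, same query with cd=1 or None).
RESPONSES = {
    "signed.test": (
        {"Status": NOERROR, "AD": True, "Answer": [{"name": "signed.test", "type": 1, "data": "192.0.2.1"}]},
        None),
    "unsigned.test": (
        {"Status": NOERROR, "AD": False, "Answer": [{"name": "unsigned.test", "type": 1, "data": "192.0.2.2"}]},
        None),
    "bogus.test": (
        # Validation failed: the resolver refuses to answer unless checking is disabled.
        {"Status": SERVFAIL, "AD": False, "Answer": []},
        {"Status": NOERROR, "AD": False, "Answer": [{"name": "bogus.test", "type": 1, "data": "192.0.2.3"}]}),
    "down.test": (
        # Authoritative servers unreachable: SERVFAIL with or without validation.
        {"Status": SERVFAIL, "AD": False, "Answer": []},
        {"Status": SERVFAIL, "AD": False, "Answer": []}),
}


def query(host, cd=False):
    """Stand-in for the DoH request; cd=True maps to the cd=1 query parameter."""
    normal, checking_disabled = RESPONSES.get(host, ({"Status": NXDOMAIN, "AD": False, "Answer": []}, None))
    return checking_disabled if cd and checking_disabled else normal


def dnssec_status(host, query=query):
    """secure   : resolver validated the chain (AD set)
       insecure : answer came back with nothing to validate (zone unsigned)
       bogus    : validation failed (SERVFAIL normally, answers with cd=1)
       error    : SERVFAIL even with validation disabled (not a DNSSEC problem)"""
    r = query(host)
    if r["Status"] == NOERROR:
        return "secure" if r.get("AD") else "insecure"
    if r["Status"] == NXDOMAIN:
        return "nxdomain"
    if r["Status"] == SERVFAIL:
        return "bogus" if query(host, cd=True)["Status"] == NOERROR else "error"
    return "error"


def grade(host):
    status = dnssec_status(host)
    return {
        "secure": "pass",
        "insecure": "fail: zone is not signed",
        "bogus": "fail: signatures do not validate (worse than unsigned: validating resolvers drop the site)",
    }.get(status, "error: " + status)


if __name__ == "__main__":
    for h in RESPONSES:
        print(h, dnssec_status(h), "->", grade(h))
```

A bogus zone is the case a single AD-flag check gets wrong: it shows up as SERVFAIL, which a naive probe files under "resolver problem", when it is the most urgent finding on the page because a large share of resolvers will not return the site's address at all.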
9 of 12
HTTP to HTTPS redirect
The most basic check on the list and still the most commonly broken. Url Reporter calls http://<host> with no scheme upgrade and walks the redirect chain. It flags three failure modes:
- No redirect at all. The site serves content over plaintext HTTP. Anyone on the path can read or modify it.
- Intermediate http hop. A 302 to another http URL before finally hitting https. There is a window where a network attacker can intercept.
- Cross-host detour. The redirect bounces you through a different domain (often a tracking redirect or vanity hostname). Often legitimate, sometimes a phishing tell.
10 of 12
DoS posture (passive)
A passive read of how prepared the site is for traffic spikes and abuse. Url Reporter looks at headers and behavior to detect a CDN or WAF in front (Cloudflare, Fastly, Akamai, AWS CloudFront, BunnyCDN, and others), edge-cacheable responses, and rate-limit headers.
Important: this scanner generates no load. It does not flood your server, hold connections open, or attempt to exhaust any resource. Active load testing is out of scope and will never be added. If you want real DoS resilience numbers, use a paid load-testing service in a controlled window.
11 of 12
Email auth (SPF, DMARC, DKIM)
Three TXT records that together control whether attackers can send email pretending to be your domain. Url Reporter probes all three via Cloudflare DoH and grades by policy strictness.
- SPF on the apex. Lists which servers are allowed to send mail from your domain. Best policy is -all (hard fail). ~all (soft fail) is acceptable. +all is broken.
- DMARC at _dmarc.<host>. Tells receivers what to do when SPF or DKIM fail. Best policy is p=reject. p=quarantine is acceptable. p=none is monitor-only and gives no protection.
- DKIM probed across 10 common selectors (default, google, mail, k1, selector1, etc). DKIM keys are per-selector so we cannot guarantee discovery, but the common selectors cover most senders.
Why it matters: without these three, anyone in the world can send email from your domain and most receivers will deliver it. Phishing sent from billing@yourdomain.com is much harder to spot than phishing from a typo domain.
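The three probes and the strictness grading above, as an added example rather than Url Reporter's code, over a constructed dict of TXT records standing in for Cloudflare DoH. It goes slightly beyond the list: two SPF records (a permerror at most receivers), a missing all mechanism, and a DMARC pct below 100 are graded too. The selector list and grade labels are this example's own.

```python
"""Grade SPF, DMARC and DKIM from TXT records.
Added example, not Url Reporter's code. txt() is a constructed lookup
standing in for a DoH TXT query; selectors and grades are this example's."""

# Constructed TXT data: name -> list of TXT strings.
TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -all",
                    "google-site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:x@weak.test"],
    "partial.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.partial.test": ["v=DMARC1; p=quarantine; pct=25"],
    "double.test": ["v=spf1 -all", "v=spf1 include:other.test -all"],
}
SELECTORS = ["default", "google", "mail", "k1", "selector1", "selector2", "dkim", "s1", "s2", "smtp"]


def txt(name):
    return TXT.get(name.lower(), [])


def grade_spf(domain, txt=txt):
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not recs:
        return "fail", "no SPF record"
    if len(recs) > 1:
        return "fail", "multiple SPF records: receivers treat this as permerror"
    terms = recs[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return "warn", "no all mechanism: unlisted senders get a neutral result"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # default qualifier is +
    return {
        "-": ("pass", "-all hard fail"),
        "~": ("ok", "~all soft fail"),
        "?": ("warn", "?all neutral: no protection"),
        "+": ("fail", "+all: anyone may send as this domain"),
    }[qualifier]


def grade_dmarc(domain, txt=txt):
    recs = [r for r in txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "fail", "no DMARC record"
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "pass", "p=reject"
    if policy in ("reject", "quarantine"):
        return "ok", f"p={policy} pct={pct}"
    note = "" if "rua" in tags else " and no rua: not even monitoring"
    return "fail", "p=none: monitor only" + note


def find_dkim(domain, txt=txt, selectors=SELECTORS):
    """Selectors that publish a key (p=). An empty p= is a revoked key."""
    found = []
    for s in selectors:
        for r in txt(f"{s}._domainkey.{domain}"):
            if "p=" in r and not r.rstrip().endswith("p="):
                found.append(s)
    return found


if __name__ == "__main__":
    for d in ("example.com", "weak.test", "partial.test", "double.test", "nothing.test"):
        print(d, grade_spf(d), grade_dmarc(d), find_dkim(d))
```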
12 of 12
security.txt (RFC 9116)
A standard published as RFC 9116 in 2022. The file lives at /.well-known/security.txt (with /security.txt as a legacy fallback) and tells security researchers how to report vulnerabilities to you. Url Reporter fetches it, parses it, and grades on:
- Canonical location. The file should live at /.well-known/security.txt, not just at the root.
- Contact field. An email or URL where reports can be sent. Required by the RFC.
- Expires field. An ISO 8601 timestamp in the future. Required by the RFC. A past expiry is worse than no file at all.
Why it matters: a researcher who has found a bug will spend very little time looking for who to email before moving on. If you do not have one, your bug stays unreported. If you do, you get a free disclosure pipeline.
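The parse-and-grade step above, as an added example rather than Url Reporter's code: a small RFC 9116 field parser (case-insensitive names, repeatable Contact, comment lines) and a grader that checks location, Contact, and Expires, including the RFC's advice that Expires should be under a year out. Fetching is replaced by constructed dicts of path to body, and the clock is fixed so the result is reproducible.

```python
"""Parse and grade a security.txt per RFC 9116.
Added example, not Url Reporter's code. Site contents are constructed
dicts (path -> body, None for 404); the grade rubric is this example's."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock
WELL_KNOWN, LEGACY = "/.well-known/security.txt", "/security.txt"

# Constructed sites.
LEGACY_SITE = {
    WELL_KNOWN: None,
    LEGACY: "# legacy location only\nContact: mailto:security@example.com\n"
            "Expires: 2024-01-01T00:00:00Z\nPreferred-Languages: en\n",
}
GOOD_SITE = {
    WELL_KNOWN: "Contact: https://example.com/report\nContact: mailto:security@example.com\n"
                "Expires: 2025-12-31T23:59:59Z\nCanonical: https://example.com/.well-known/security.txt\n"
                "Encryption: https://example.com/pgp.txt\n",
    LEGACY: None,
}


def parse(body):
    """Return field name (lower-cased) -> list of values; '#' lines are comments."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def grade(site, now=NOW):
    """Return (grade, findings). 'fail' for a missing Contact, a missing or
    malformed Expires, or a file that has already expired."""
    findings, fatal = [], False
    body = site.get(WELL_KNOWN)
    if body is None:
        body = site.get(LEGACY)
        if body is None:
            return "none", ["no security.txt at either location"]
        findings.append("only at legacy /security.txt; serve it at /.well-known/security.txt")
    f = parse(body)
    if not f.get("contact"):
        findings.append("missing Contact (required)")
        fatal = True
    expires = f.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once (required)")
        fatal = True
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append("Expires is not an RFC 3339 timestamp")
            fatal = True
        else:
            if when < now:
                findings.append(f"expired on {when.date()}: signals an unmaintained contact")
                fatal = True
            elif when > now + timedelta(days=365):
                findings.append("Expires is more than a year out; RFC 9116 recommends less")
    if fatal:
        return "fail", findings
    return ("pass" if not findings else "warn"), findings


if __name__ == "__main__":
    print(grade(GOOD_SITE))
    print(grade(LEGACY_SITE))
    print(grade({}))
```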
how they fit together
One report, twelve angles
The 12 scanners cover four broad surfaces of a public website:
- Transport (TLS, HSTS preload, HTTP redirect, certificate transparency, CAA): is traffic in flight protected, and was the cert issued correctly?
- Application headers (Mozilla Observatory, securityheaders.com): is the browser told the right things to refuse to do?
- DNS (DNSSEC, CAA, SPF, DMARC, DKIM): are name resolution and the email channel honest?
- Disclosure and ops posture (security.txt, DoS posture): can researchers reach you, and is the site sitting behind any abuse protection?
None of these on its own is the security of your site. Together they catch a useful slice of what a competent attacker would probe in the first hour.