Tech Solvency / Checks

Checks: site-checking tools for security, conformance, and usability

Given a fully-qualified hostname, this form generates links to multiple site-checking tools. (Some tools prefer bare domains, so we will attempt to extract the domain, unless you can specify one. If a tool gives different results for both, both are shown.) Tools in bold are essential. In the results for most tools that provide a score or rating, items in red warrants short-term attention.

Enter your hostname below to generate custom links to each tool:

  • (or start over)

On larger screens, the table has a 'Description and notes' column.

On smaller screens, the 'Description and notes' column is hidden.

Tool links

Category Tool Test your host Description and notes
Attack surface Shodan * Internet-wide IP / service scans. Requires free login for hostname search - definitely worth it.
Attack surface Censys * Internet-wide IP / service scans. Be sure to check the 'IPv4', 'website', and 'certificates' sections. Eventually requires free login (after a certain number of queries per day).
Attack surface DNS Dumpster (use direct link) DNS and recon data, based on Censys and Rapid7 Internet-wide IP / service scans - but often has unique analysis and discovered hosts.
Attack surface RiskIQ Community Edition * Wide variety of correlated public data. Be sure to check each tab. Free login required.
Attack surface ZoomEye The Chinese equivalent of Shodan.
Attack surface Onyphe * Internet-wide IP scans and botnet-list status. Requires free login for full search.
Attack surface DNS, shared IPs, backlinks, and references
Multi Hardenize , One of the best site security validation suites - includes HTTP TLS, HTTP headers, DNS/DNSSEC, email TLS, email controls (SPF/DKIM/DMARC), and more. Includes very clear explanations and analysis. Once you've assessed your public attack surface, start here.
Multi Checks security and depth of IPv6, DNSSEC, and TLS
Multi Mozilla Observatory Checks multiple site security parameters, and calls other tools on your behalf (including a few listed here). Be sure to check the 'TLS', 'SSH', and 'Third-Party Tests' tabs.
TLS Qualys SSL Labs Server Test † The most thorough TLS tester - the gold standard. Takes a minute or two to run a fresh scan. To improve your score, consult the SSL Labs documentation, generate an appropriate config, and harden your IIS TLS config. Note that this tool can only check TLS on the default TCP port (443).
TLS *., Search public Certificate Transparency logs for cert issuance in a domain. If you acquire a public certificate, it will appear here - even if you have obscure DNS entries, etc. Operated by Sectigo (formerly Comodo).
TLS HSTS Preload status , The HSTS Preload list is a hard-coded list of sites that should be HTTPS only, embedded in browsers to eliminate the first HTTP-to-HTTPS redirection window. This tool checks both for the presence of the domain in the Preload list, and also if the domain is set up properly to be eligible for inclusion.
TLS DNS CAA Tester Use DNS to specify which registrars are authorized to issue certs for a domain. To create your own, use the SSLMate CAA Record Helper.
TLS CryptCheck Simpler than Qualys SSL Labs, and more strict about cipher strengths, with a clear matrix of strength. A French site.
HTTP headers Security Headers † , Validate security-specific HTTP headers, with tips. Check 'follow redirects' in the tool if neeeded. 'Referrer Policy' and 'Feature Policy' show up as red, but these are emerging standards - fix the others first. To get started on creating your headers, see Scott Helme's CSP cheat sheet. Send reports to a centralized location like Report URI (currently 10K events/month free).
HTTP headers Google CSP Evaluator Evaluate a site's Content Security Policy header. You can also set up a local policy in Chrome prior to test your headers prior to publishing with the CSP Tester Chrome extension.
HTTP headers URIports Validate a site's security headers, including Reporting API, Network Error Logging (NEL), Content Security Policy (CSP), Expect-CT, Feature Policy, DMARC, and SMTP TLS Reporting (TLS-RPT).
Email DMARC Inspector Parse a site's DMARC policy for validity. Also includes an explanation of each element. See also the list of deployment tools.
Email GCA DMARC Guide Simple cross-check for SPF, DKIM, and DMARC. See links on site for guidance and starting points. Use p=none DMARC mode to collect reports prior to moving to one of the enforcement modes.
Email MTA-STS validator (use direct link) DNS-based publication of Strict Transport Security policy for email. New standard (now RFC8461).
Email SPF validator MX Toolbox's SPF validity checker - thorough.
DNS IntoDNS DNS validator General DNS validation - good coverage.
DNS DNSSEC Debugger (Verisign Labs) Thorough validation of DNSSEC for a given host/domain.
DNS MXToolbox DNS SuperTool Similar to IntoDNS, with some different checks.
SSH Rebex SSH Check Health check of SSH key exchange, algorithms, MACs, compression, and key size. Duplicates the Mozilla Observatory SSH tests. Rebex is a Czech company.
Tracking Blacklight , Check a public website for trackers and other privacy checks. From The Markup.
Website Google Mobile-Friendly Test * Validate usability on smaller screens. Google is moving to a "mobile first" indexing strategy, so make sure your site is usable on mobile. The major browsers' built-in web development tools now also include simulated mobile modes. Requires solving a CAPTCHA.
Website W3C CSS (CSS2) Check CSS2 syntax - CSS2 (base page only).
Website W3C CSS (CSS3) Check CSS3 syntax - CSS3 (base page only).
Website W3C HTML5 Check HTML5 syntax - HTML5 (base page only).
Website W3C i18n Check internationalization / UTF-8 (base page only).
Website WAVE Accessibility checks (screen readers, color contrast, etc.).

* Requires an additional step (login or CAPTCHA) - either immediately, or after N queries, or to get additional functionality.
† Publishes a "recent best/worst" dashboard (but the links provided here automatically specify exclusion from them).



Back to Tech Solvency.