Given a fully-qualified hostname, this form generates links to multiple site-checking tools. (Some tools prefer bare domains, so we will attempt to extract the domain - or you can specify one). Tools in bold are essential. In most tools that provide a score or rating, red warrants short-term attention.
Enter your hostname below to generate custom links to each tool:
On larger screens, the table has a 'Description and notes' column.
On smaller screens, the 'Description and notes' column is hidden.
|Category||Tool||Test your host||Description and notes|
|Attack surface||Shodan *||Internet-wide IP / service scans. Requires free login for hostname search - definitely worth it.|
|Attack surface||Censys *||Internet-wide IP / service scans. Be sure to check the 'IPv4', 'website', and 'certificates' sections. Eventually requires free login (after a certain number of queries per day).|
|Attack surface||DNS Dumpster||(use direct link)||DNS and recon data, based on Censys and Rapid7 Internet-wide IP / service scans - but often has unique analysis and discovered hosts.|
|Attack surface||RiskIQ Community Edition *||Wide variety of correlated public data. Be sure to check each tab. Free login required.|
|Attack surface||ZoomEye||The Chinese equivalent of Shodan.|
|Multi||Hardenize||One of the best site security validation suites - includes HTTP TLS, HTTP headers, DNS/DNSSEC, email TLS, email controls (SPF/DKIM/DMARC), and more. Includes very clear explanations and analysis. Once you've assessed your public attack surface, start here.|
|Multi||Mozilla Observatory||Checks multiple site security parameters, and calls other tools on your behalf (including a few listed here). Be sure to check the 'TLS', 'SSH', and 'Third-Party Tests' tabs.|
|TLS||Qualys SSL Labs Server Test †||The most thorough TLS tester - the gold standard. Takes a minute or two to run a fresh scan. To improve your score, consult the SSL Labs documentation, generate an appropriate config, and harden your IIS TLS config. Note that this tool can only check TLS on the default TCP port (443).|
|TLS||crt.sh||Search public Certificate Transparency logs for cert issuance in a domain. If you acquire a public certificate, it will appear here - even if you have obscure DNS entries, etc. Operated by Comodo.|
|TLS||HSTS Preload status||The HSTS Preload list is a hard-coded list of sites that should be HTTPS only, embedded in browsers to eliminate the first HTTP-to-HTTPS redirection window. This tool checks both for the presence of the domain in the Preload list, and also if the domain is set up properly to be eligible for inclusion.|
|TLS||DNS CAA Tester||Use DNS to specificy which registrars are authorized to issue certs for a domain. To create your own, use the SSLMate CAA Record Helper.|
|TLS||CryptCheck||Simpler than Qualys SSL Labs, and more strict about cipher strengths, with a clear matrix of strength. A French site.|
|HTTP headers||Security Headers †||Validate security-specific HTTP headers, with tips. Check 'follow redirects' in the tool if neeeded. 'Referrer Policy' and 'Feature Policy' show up as red, but these are emerging standards - fix the others first. To get started on creating your headers, see Scott Helme's CSP cheat sheet. Send reports to a centralized location like Report URI (currently 10K events/month free).|
|HTTP headers||Google CSP Evaluator||Evaluate a site's Content Security Policy header. You can also set up a local policy in Chrome prior to test your headers prior to publishing with the CSP Tester Chrome extension.|
|DMARC Inspector||Parse a site's DMARC policy for validity. Also includes an explanation of each element. See also the dmarc.org list of deployment tools.|
|GCA DMARC Guide||Simple cross-check for SPF, DKIM, and DMARC. See links on site for guidance and starting points. Use p=none DMARC mode to collect reports prior to moving to one of the enforcement modes.|
|MTA-STS validator||(use direct link)||DNS-based publication of Strict Transport Security policy for email. New standard (now RFC8461).|
|DNS||IntoDNS DNS validator||General DNS validation - good coverage.|
|DNS||DNSSEC Debugger (Verisign Labs)||Thorough validation of DNSSEC for a given host/domain.|
|DNS||MXToolbox DNS SuperTool||Similar to IntoDNS, with some different checks.|
|SSH||Rebex SSH Check||Health check of SSH key exchange, algorithms, MACs, compression, and key size. Duplicates the Mozilla Observatory SSH tests. Rebex is a Czech company.|
|Website||Google Mobile-Friendly Test *||Validate usability on smaller screens. Google is moving to a "mobile first" indexing strategy, so make sure your site is usable on mobile. The major browsers' built-in web development tools now also include simulated mobile modes. Requires solving a CAPTCHA.|
|Website||W3C CSS (CSS2)||Check CSS2 syntax - CSS2 (base page only).|
|Website||W3C CSS (CSS3)||Check CSS3 syntax - CSS3 (base page only).|
|Website||W3C HTML5||Check HTML5 syntax - HTML5 (base page only).|
|Website||W3C i18n||Check internationalization / UTF-8 (base page only).|
|Website||WAVE||Accessibility checks (screen readers, color contrast, etc.).|
* Requires an additional step (login or CAPTCHA) - either immediately, or after N queries.
† Publishes a "recent best/worst" dashboard (but the links provided here automatically specify exclusion from them).
Back to Tech Solvency.