Fixes
Short guides for operators: what failed, why it matters, and what to change next. For how checks are weighted and how grades are built, see scoring methodology.
Guides by topic
Browse by category below.
DNS & Domain Security
Evaluates the security posture of your domain's DNS configuration — DNSSEC, SPF/DMARC presence at the DNS layer, CAA records, name-server delegation, NS count and network diversity, open resolver behavior on authoritative NS, zone transfer protections, and wildcard exposure.
Three DNSSEC failure modes (broken, missing, partial), each needing different remediation. Broken is outage-grade and urgent.
Publish CAA records to control which Certificate Authorities can issue certificates for your domain. Examples and common pitfalls.
When the NS at your registrar disagrees with what your zone publishes, resolvers can land on the wrong nameserver. How to sync both sides.
If all your nameservers sit behind one network, one outage takes the whole domain offline. Add NS hosts and spread the network footprint.
An authoritative nameserver that answers recursive queries can be abused for DDoS amplification. How to disable recursion per software.
Open AXFR lets anyone download your full zone in one query. Restrict transfers to known secondaries via TSIG or IP allow-list.
Informational SPF presence check (weight 0 in DNS). For the scored SPF check, see SPF Policy Strength in Email Security.
Informational DMARC presence check (weight 0 in DNS). For the scored DMARC check, see DMARC Policy Enforcement in Email Security.
A wildcard subdomain expands attack surface and enables takeover. Decide whether yours is intentional, then harden it or remove it.
Always-pass audit page for your MX records. Use it to review hostnames, priorities, and whether you should publish a null MX.
Email Security
Assesses inbound mail posture and authentication — gated by MX: most checks run only when a non-null MX record exists (the domain is treated as receiving mail). A null MX (RFC 7505, priority 0, hostname “.”) explicitly declares no inbound mail; those domains skip inbound policy checks. Bare absence of any MX earns p…
Two correct postures: publish real MX records, or publish a null MX. Having neither is the only state that loses points.
Only -all (hard fail) earns full credit. ~all warns, missing fails. How to publish a record and audit senders before tightening.
Pass requires p=quarantine or p=reject. Phased rollout: publish at p=none, audit reports, fix alignment, then tighten.
Subdomains inherit DMARC behavior unless sp= is set. Publish sp=reject (or per-subdomain DMARC for senders) to lock down spoofing.
rua= sends DMARC aggregate reports to a mailbox you designate. Without it, your DMARC policy runs blind. Add a rua= destination.
Two-part config (DNS TXT plus HTTPS policy file). Publish both, run testing mode first, then switch to enforce.
TLS-RPT delivers daily JSON reports about TLS failures during inbound mail delivery. Publish a record at _smtp._tls. with rua=.
SPF caps at 10 DNS lookups (RFC 7208). Pass under 8, warn 8-10, fail above. Audit and prune senders or flatten the include chain.
How to set up DKIM signing, clean up revoked keys, and verify selectors that passive DNS scanning could not detect.
Informational selector probe (weight 0). Lists DKIM keys found at common selectors. For the scored DKIM check, see DKIM Key Validation.
Infrastructure Hygiene
Examines the health and exposure of your internet-facing infrastructure — subdomain resolution, dangling CNAMEs, stale DNS records, WAF/CDN coverage, origin IP exposure, and HTTPS consistency.
Dangling CNAMEs are subdomain takeover surface. Heaviest single check (35 pts). For each finding, decide reclaim or remove.
Currently an apex TCP probe on ports 80/443 only. Broader stale-A detection across subdomains is planned.
Stratified-sample probe of discovered subdomains. Only owned A/AAAA/CNAME records affect score. Clean up stale entries to pass.
Pass requires WAF/CDN on every host. Warn on partial coverage, fail on none. Detection is header-based (Cloudflare, Akamai, Fastly, etc.).
Detects sensitive subdomains (web, api, admin) that bypass your CDN/WAF. Move bypass hosts behind the front door or lock origin firewall.
Every host should serve HTTPS. Pass on full coverage, warn on mixed, fail on none. Free TLS via Let's Encrypt and most CDNs.
Web Application Security
Evaluates the security of your web-facing application — HTTP security headers, TLS configuration, HTTPS enforcement, web presence quality, and site assessability (using apex as the default primary host).
Composite of 11 header and TLS sub-weights (100 pts total). Drill into each sub-weight for the actual fix. Apex is the primary host.
Penalizes default, parked, placeholder, and thin primary pages so empty hosting does not score like a hardened production site.
Whether the primary host can be meaningfully probed. Pass needs full coverage; partial warns; unreachable fails.
Pass requires every reachable host's first successful response to be HTTPS. Add HTTP-to-HTTPS redirects across all hosts.
Forces browsers to use HTTPS for your domain. Pass needs the header with max-age. Best practice: 2-year max-age + preload.
Restricts which scripts and resources the page can load. Pass needs default-src or script-src. Use Report-Only first, then enforce.
Pass requires TLS 1.2 or 1.3 negotiated on every primary HTTPS host. TLS 1.0 and 1.1 score zero. Per-server config snippets included.
Pass requires 30+ days to expiry. 7-30 days gets half credit; under 7 or expired fails. Use ACME automation everywhere.
One-line header. Pass requires exactly X-Content-Type-Options: nosniff. Disables MIME-type sniffing in browsers.
Anti-clickjacking. Pass needs X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors. Modern: use CSP. Legacy compat: send both.
Cert's SAN list must cover the hostname being served. Tied to Chain Completeness via the same verified-handshake flag.
Pass requires no-referrer, strict-origin-when-cross-origin, or same-origin. Stops URL leakage via Referer headers.
Server must serve the full intermediate chain, not just the leaf cert. Tied to SAN Hostname Match via the same verified-handshake flag.
Banned cipher tokens: RC4, DES, 3DES, MD5, NULL, EXPORT, ANON, IDEA. Anything else passes. Mozilla Intermediate is the easy answer.
One-line header. Pass requires any non-empty Permissions-Policy. Recommended: deny camera, microphone, geolocation, payment, USB.
Cookie & Privacy Hygiene
Audits cookies set by your site for security attributes — Secure flag, HttpOnly flag, SameSite policy, session lifetime, tracking practices, and overall cookie hygiene.
Set Secure on every cookie. Session cookies missing Secure fail; non-session missing warns. Fix in your framework's session config.
Set HttpOnly on every session cookie. JavaScript cannot read HttpOnly cookies, so XSS cannot steal auth tokens.
Pass needs explicit SameSite on session cookies. SameSite=None without Secure fails outright; missing on sessions warns.
Informational roll-up: prefix usage, session lifetime, scope breadth, tracker-before-consent. Weight 0; surfaces findings only.
Technology Fingerprinting
Measures how much of your technology stack is visible from public responses — server software, framework headers, debug indicators, and overall stack exposure profile.
Composite of stack visibility and outdated-version signals (18 pts). Reduce identifiable tokens and update software that is behind the current stable release.
Pass needs absent, generic, or CDN-pass-through Server header. Version exposed scores zero. Genericize per web server.
Pass needs no framework-disclosure headers (X-Powered-By, etc.) or meta-generator tags. Version exposed scores zero per host.
Debug mode in production is the only critical fail in this check. X-Runtime / X-Request-ID warn. Disable debug, strip diagnostic headers.
Public Exposure
Identifies sensitive information leaking through response headers, error pages, robots.txt, and page source — internal IPs, stack traces, source maps, and debug artifacts.
Flags internal IPs (RFC 1918) and internal hostnames in response headers; strip them. Each finding deducts 15 of 30 pts; both = fail.
Scans HTML for source maps, internal URLs in comments, internal hrefs/srcs, insecure form actions. Source maps = heaviest hit.
Database errors and stack traces in 4xx/5xx pages are the worst leaks. Use custom error pages that show no internal detail.
Sensitive paths in robots.txt advertise them to attackers. Use real auth or noindex; reserve robots.txt for crawl management.
Certificate Transparency & PKI Health
Combines live HTTPS probes (expiry windows, chain trust, public key strength) with Certificate Transparency over the last 12 months — lifespan mix, wildcard prevalence, CAA alignment, and issuer diversity (informational). Live TLS reads sample the apex and www hostnames first, then a small set of additional resolved…
Worst-host live cert expiry (25 pts). Expired = 0; <=14 days = 0.2; <=30 days = 0.6. Automate renewal across every sampled host.
Worst-host TLS chain trust (15 pts). Untrusted or incomplete chain on any sampled host fails the whole check.
Apex leaf cert key strength (10 pts). RSA 2048+ or ECDSA P-256/P-384/P-521/Ed25519 pass. RSA <= 1024 fails.
Informational (weight 0). Counts distinct CAs issuing certs over 12 months. Many CAs = fragmented procurement; reports without scoring.
Wildcards trade convenience for blast radius. Pass under 40%; deductions ramp up; floor at 0.58 above 75% (CDN/SaaS reality).
Per-cert lifespan scoring (15 pts). <=90 days: full credit. 91-398: 0.85. >398: 0. Migrate to ACME for short-lived certs.
Cross-checks 12 months of CT against your CAA policy. Recent unauthorized issuance fails; historical mismatch warns; no CAA scores ~0.33.
Brand & Domain Reputation
Checks your domain and associated IPs against major blocklists and reputation feeds — Spamhaus, SURBL, URIBL, Barracuda, SpamCop, URLhaus, and Google Safe Browsing — plus domain registration age and expiry risk.
Queries 6 major blocklists (Spamhaus DBL, SURBL, URIBL, Barracuda, SpamCop, URLhaus). Listings deduct per-list weights from 40 pts.
IP-level reputation across Spamhaus ZEN (PBL/SBL/XBL), Barracuda, SpamCop. SBL/XBL = 15 pt penalty; deductions stack to 30 max.
GSB flagging triggers full-screen browser warnings. Pass/fail; if flagged, investigate via Search Console and request review.
Domain age and expiry risk via RDAP. Time fixes recent-registration penalty; renew early to fix expiring-soon penalty.
Third-Party Risk Surface
Analyzes your site's third-party dependencies — external scripts, tracker presence, Subresource Integrity coverage, external resource domain count, mixed content, and risky/outdated libraries.
Tamper-detection hashes on external scripts. All SRI-covered: pass. >=50%: 0.6. <50%: 0.28. None: 0.0.
Active mixed content (scripts/iframes/CSS) fails. Passive (images) warns. Replace http:// with https:// or use upgrade-insecure-requests.
Flags polyfill.io, AngularJS (EOL), vulnerable jQuery/Bootstrap/Lodash, deprecated moment.js. polyfill.io = immediate supply-chain critical.
Informational (weight 0). Counts distinct external script-source domains. 0-3 healthy; 4-6 moderate; 7-10 high; 11+ excessive.
Informational (weight 0). Categorizes trackers by tier. Fingerprinting or 3+ ad trackers = 0; ad+analytics = 0.4; analytics only = 0.75.
Informational (weight 0). Counts ALL distinct external resource domains (scripts, CSS, images, fonts, XHR). 0-5 healthy; 21+ excessive.
What to do next
Run a scan to see how these fixes map to your domain's current posture.