v2.0
01

DNS and email protection

DNS tells the internet where your website and email live. Bad DNS or missing email records can make your brand easier to spoof and can hurt email deliverability.

SPF

What we look for: a TXT record that lists who can send email for your domain.

Bad condition: no SPF, or +all, which allows anyone.

Good condition: a narrow SPF record using only real mail providers with ~all or -all.

DMARC

What we look for: a policy at _dmarc.yourdomain.com.

Bad condition: no DMARC, or monitoring forever with no plan.

Good condition: reports enabled, then a move toward p=quarantine or p=reject.

CAA

What we look for: certificate authority authorization records.

Bad condition: any certificate authority can issue certificates unless restricted.

Good condition: CAA records limited to the certificate authorities you actually use.

Nameservers

What we look for: multiple authoritative nameservers.

Bad condition: one nameserver or broken delegation.

Good condition: two or more reliable nameservers with public records resolving correctly.
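To make the four DNS checks above concrete, here is an added example (not the scanner's own code) that classifies SPF, DMARC, CAA and nameserver records you have already fetched, for instance with `dig`. It runs offline on the constructed sample records at the bottom; the domain names, the status labels "bad"/"weak"/"good" and the list of CAs in use are assumptions.

```python
"""Classify DNS and email protection records as the checks above describe.
Added example, not the page's own code: it takes record values you have
already fetched (for example with dig) and runs offline on the constructed
sample below. Status labels and the sample domain are assumptions."""


def check_spf(txt_records):
    """SPF lives in a TXT record starting with v=spf1; the trailing 'all' term decides."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "bad", "no SPF record"
    if len(spf) > 1:
        return "bad", "more than one SPF record; receivers treat that as an error"
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return "weak", "no 'all' term, so the record never says who may not send"
    final = all_terms[-1].lower()
    if final in ("all", "+all"):
        return "bad", "+all lets anyone send as this domain"
    if final == "?all":
        return "weak", "?all is neutral and does not stop spoofing"
    return "good", f"narrow record ending in {final}"


def check_dmarc(dmarc_txt_records):
    """DMARC is the TXT at _dmarc.<domain>; p= sets the policy, rua= enables reports."""
    dmarc = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "bad", "no DMARC record"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    reports = bool(tags.get("rua"))
    if policy == "none":
        if not reports:
            return "bad", "p=none with no rua= address: monitoring with no data and no plan"
        return "weak", "p=none with reports: plan the move to quarantine or reject"
    if policy in ("quarantine", "reject"):
        return "good", f"p={policy}" + ("" if reports else " (add rua= to keep seeing reports)")
    return "bad", "missing or invalid p= tag"


def check_caa(caa_records, cas_in_use):
    """caa_records: (flags, tag, value) tuples. Only issue/issuewild tags grant issuance."""
    issuers = {value.strip().strip('"') for _, tag, value in caa_records
               if tag.lower() in ("issue", "issuewild")}
    if not issuers:
        return "bad", "no CAA records: any CA may issue"
    unexpected = issuers - set(cas_in_use) - {";"}   # ';' means 'no CA at all'
    if unexpected:
        return "weak", f"CAA allows CAs you do not use: {sorted(unexpected)}"
    return "good", f"issuance limited to {sorted(issuers - {';'})}"


def check_nameservers(ns_records):
    """Two or more distinct authoritative nameservers is the good condition."""
    names = {n.lower().rstrip(".") for n in ns_records}
    if len(names) < 2:
        return "bad", f"only {len(names)} authoritative nameserver(s)"
    return "good", f"{len(names)} authoritative nameservers"


# Constructed records for a hypothetical domain (no real lookup is made).
SAMPLE = {
    "txt": ["v=spf1 include:_spf.example-mail.net -all", "some-site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "caa": [(0, "issue", "letsencrypt.org")],
    "ns": ["ns1.example-dns.net.", "ns2.example-dns.net."],
}


def evaluate(records, cas_in_use=("letsencrypt.org",)):
    """Run all four checks over one domain's records."""
    return {
        "spf": check_spf(records["txt"]),
        "dmarc": check_dmarc(records["dmarc_txt"]),
        "caa": check_caa(records["caa"], cas_in_use),
        "ns": check_nameservers(records["ns"]),
    }


if __name__ == "__main__":
    for name, (status, reason) in evaluate(SAMPLE).items():
        print(f"{name:6} {status:5} {reason}")
```

The sample domain lands on "weak" for DMARC on purpose: reports are on, but the policy is still p=none, which is exactly the "monitoring forever with no plan" state the check warns about.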

02

SSL, TLS, and HTTPS

HTTPS protects visitors by encrypting traffic and proving the site is really the domain they intended to visit.

Certificate validity

Bad condition: expired, expiring soon, untrusted, or unreachable certificate.

Good condition: valid certificate with enough renewal runway and a trusted chain.

Key strength

Bad condition: weak or old certificate key.

Good condition: RSA 2048+ or modern ECDSA keys.

SAN coverage

Bad condition: certificate does not cover the names users visit.

Good condition: Subject Alternative Names include the relevant domain names.

HTTP to HTTPS redirect

Bad condition: visitors can land on insecure HTTP.

Good condition: all HTTP traffic redirects cleanly to HTTPS.
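The four TLS checks above can be expressed as small functions over the certificate fields a client sees. This added example (not the scanner's own code) works on a constructed dict shaped like what Python's `ssl.getpeercert()` returns after a successful, chain-validated handshake, plus a key description, so it runs offline. `RENEWAL_RUNWAY_DAYS`, the fixed `NOW`, and the sample hostnames are assumptions.

```python
"""Evaluate a server certificate and the HTTP->HTTPS redirect against the
checks above. Added example, not the page's own code: it works on a
constructed dict shaped like ssl.getpeercert() output plus a key description,
so it runs offline. RENEWAL_RUNWAY_DAYS and the sample values are assumptions."""
import ssl
from urllib.parse import urlsplit

RENEWAL_RUNWAY_DAYS = 14  # assumed threshold for "expiring soon"

# Constructed sample, shaped like the dict ssl.getpeercert() returns after a
# successful (chain-validated) handshake. An untrusted chain never gets this
# far, which is why trust is not re-checked here.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Fixed "now" so the example is deterministic; use time.time() for real checks.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")


def check_validity(cert, now=NOW):
    """Expired or inside the renewal runway is bad; otherwise report days left."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        return "bad", f"expired {-days_left:.0f} days ago"
    if days_left < RENEWAL_RUNWAY_DAYS:
        return "bad", f"expires in {days_left:.0f} days"
    return "good", f"{days_left:.0f} days of renewal runway"


def check_key(key_type, key_bits):
    """RSA 2048+ or an EC key (P-256 and up) counts as modern."""
    if key_type == "RSA" and key_bits >= 2048:
        return "good", f"RSA {key_bits}"
    if key_type == "EC" and key_bits >= 256:
        return "good", f"ECDSA P-{key_bits}"
    return "bad", f"weak or old key: {key_type} {key_bits}"


def hostname_matches(hostname, san_names):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_san(cert, hostnames):
    """Every name users visit must be covered by a DNS entry in the SANs."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    missing = [h for h in hostnames if not hostname_matches(h, sans)]
    if missing:
        return "bad", f"not covered by SANs {sans}: {missing}"
    return "good", f"all of {hostnames} covered"


def check_redirect(status, location, host):
    """The plain-HTTP response must redirect to https on the same host."""
    target = urlsplit(location or "")
    if (status in (301, 302, 307, 308) and target.scheme == "https"
            and (target.hostname or "").lower() == host.lower()):
        return "good", f"{status} -> {location}"
    return "bad", f"HTTP answered {status} with Location={location!r}"


if __name__ == "__main__":
    print("validity", check_validity(SAMPLE_CERT))
    print("key     ", check_key("EC", 256))
    print("san     ", check_san(SAMPLE_CERT, ["example.com", "www.example.com"]))
    print("redirect", check_redirect(301, "https://example.com/", "example.com"))
```

The redirect check parses the Location header instead of doing a string-prefix test, so a target such as `https://example.com.evil.test/` is not mistaken for the site's own host.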

03

Browser security headers

Security headers tell browsers how to safely handle your site. They are small configuration choices that can block whole classes of attacks.

HSTS

Forces browsers to use HTTPS in the future. Good when every subdomain supports HTTPS reliably.

Content Security Policy

Limits which scripts, frames, images, and connections the browser should trust. Helps reduce XSS impact.

X-Content-Type-Options

Prevents browsers from guessing file types. Good value: nosniff.

Referrer-Policy

Controls how much URL/referrer data leaks to other sites. A common good value is strict-origin-when-cross-origin.

Permissions-Policy

Disables browser features your site does not need, like camera, microphone, geolocation, payment, or USB.

Clickjacking protection

Uses X-Frame-Options or CSP frame-ancestors so attackers cannot invisibly frame your site.
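Each header check in this section maps to a few lines of code. This added example (not the scanner's own code) parses a raw HTTP response and grades the six items above; it runs offline on the two constructed responses at the bottom, and for a real site you would feed it the output of `curl -sI https://your-site`. The set of Referrer-Policy values treated as safe is an assumption.

```python
"""Check response headers against the items above. Added example, not the
page's own code: it parses constructed raw responses so it runs offline."""
import re
from email.parser import HeaderParser

# Assumed set of Referrer-Policy values that never send the full URL cross-site.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_response(raw):
    """Return (status_code, headers); the headers object looks names up case-insensitively."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    status_line, _, rest = text.partition("\n")
    return int(status_line.split()[1]), HeaderParser().parsestr(rest)


def csp_directives(value):
    """\"default-src 'self'; frame-ancestors 'none'\" -> {'default-src': [\"'self'\"], ...}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(raw):
    """Grade HSTS, CSP, nosniff, Referrer-Policy, Permissions-Policy and framing."""
    _, h = parse_response(raw)
    r = {}

    hsts = h.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if m and int(m.group(1)) > 0:
        subs = "includesubdomains" in hsts.lower()
        r["hsts"] = ("good", f"max-age={m.group(1)}, includeSubDomains={subs}")
    else:
        r["hsts"] = ("bad", "missing or max-age=0")

    csp = h.get("Content-Security-Policy", "")
    directives = csp_directives(csp)
    r["csp"] = ("good", f"{len(directives)} directives") if directives else ("bad", "missing")

    xcto = h.get("X-Content-Type-Options", "").strip().lower()
    r["nosniff"] = ("good", xcto) if xcto == "nosniff" else ("bad", xcto or "missing")

    rp = h.get("Referrer-Policy", "").strip().lower()
    r["referrer"] = ("good", rp) if rp in SAFE_REFERRER_POLICIES else ("bad", rp or "missing")

    pp = h.get("Permissions-Policy", "").strip()
    r["permissions"] = ("good", pp) if pp else ("bad", "missing")

    # Either mechanism blocks framing; CSP frame-ancestors is the modern one.
    xfo = h.get("X-Frame-Options", "").strip().upper()
    fa = directives.get("frame-ancestors")
    if fa is not None:
        r["clickjacking"] = ("good", "frame-ancestors " + " ".join(fa))
    elif xfo in ("DENY", "SAMEORIGIN"):
        r["clickjacking"] = ("good", f"X-Frame-Options={xfo}")
    else:
        r["clickjacking"] = ("bad", "no X-Frame-Options and no CSP frame-ancestors")
    return r


# Constructed responses (not captured from a real site).
SAMPLE_GOOD = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
"""

SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label)
        for name, (status, detail) in check_headers(raw).items():
            print(f"  {name:13} {status:5} {detail}")
```

The weak response still passes the clickjacking item because X-Frame-Options alone is enough for that check, while every other item is reported as missing.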

04

Trust and contact signals

Public trust signals help visitors and security researchers understand how to contact the right people without exposing unnecessary personal details.

security.txt

What we look for: /.well-known/security.txt or /security.txt with a Contact field.

Good condition: a standard security contact and expiration date.

Visible email exposure

What we look for: public same-domain emails on the homepage.

Good condition: use role-based addresses and spam protection when possible.
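Both checks in this section are simple text parsing. This added example (not the scanner's own code) validates a security.txt body for the required Contact and Expires fields, following RFC 9116, and scans a homepage snippet for same-domain addresses, labelling each as role-based or personal. It runs offline on constructed inputs; the list of role-based local parts, the fixed `NOW`, and all sample values are assumptions.

```python
"""Check the trust and contact signals above. Added example, not the page's
own code: it parses a constructed security.txt body and a constructed
homepage snippet, so it runs offline. Field names follow RFC 9116; the
role-address list and sample values are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Assumed list of role-based local parts; anything else is treated as personal.
ROLE_LOCAL_PARTS = {"security", "abuse", "info", "support", "contact",
                    "hello", "sales", "press", "privacy"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_security_txt(body):
    """Collect 'Field: value' lines; field names are case-insensitive, '#' lines are comments."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(body, now):
    """Return (status, findings). Contact and Expires are required by RFC 9116."""
    fields = parse_security_txt(body)
    problems, warnings = [], []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    elif not all(c.startswith(("mailto:", "https://", "tel:")) for c in contacts):
        problems.append("Contact must be a URI such as mailto:, https:, or tel:")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                warnings.append("Expires is more than a year out; RFC 9116 recommends less")

    status = "bad" if problems else ("weak" if warnings else "good")
    return status, problems + warnings


def find_same_domain_emails(html, domain):
    """Map each visible same-domain address to 'role-based' or 'personal'."""
    found = {}
    for addr in EMAIL_RE.findall(html):
        addr = addr.lower()
        local, _, dom = addr.partition("@")
        if dom == domain.lower():
            found[addr] = "role-based" if local in ROLE_LOCAL_PARTS else "personal"
    return found


# Constructed samples (not a real site, file, or person).
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_SECURITY_TXT = """# security.txt for example.com
Contact: mailto:security@example.com
Expires: 2030-06-30T00:00:00Z
Preferred-Languages: en
"""
SAMPLE_HOMEPAGE = """<p>Questions? <a href="mailto:info@example.com">info@example.com</a></p>
<p>Or reach Jane directly at jane.doe@example.com.</p>
<p>Partner enquiries: partners@partner.example</p>
"""

if __name__ == "__main__":
    print(check_security_txt(SAMPLE_SECURITY_TXT, NOW))
    print(find_same_domain_emails(SAMPLE_HOMEPAGE, "example.com"))
```

On the sample homepage the role address passes and the personal address is the one to replace with a role-based mailbox or a contact form, which is the "visible email exposure" finding in practice.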

05

Score, report, and priority plan

The score is a public posture baseline. It weighs DNS/email protection, TLS, browser headers, and trust signals. The report turns the raw findings into a plain-English explanation, priority plan, concrete provider request, and retest checklist.

Best use: run a scan, send the provider request to your developer or hosting company, make the changes, then rerun the scan to confirm the score improves.

06

What Security does not test

Security checks public signals only. It does not log into your website, scan source code, test payment flows, verify server patch levels, detect malware, or replace a full penetration test. It is a fast education and readiness tool, not a complete security audit.