Tech Solvency / Checks

Checks: site-checking tools for security, conformance, and usability

Given a fully-qualified hostname, this form generates links to multiple site-checking tools. (Some tools prefer bare domains, so we will attempt to extract the domain, unless you can specify one. If a tool gives different results for both, both are shown.) Tools in bold are essential. In the results for most tools that provide a score or rating, items in red warrants short-term attention.

Enter your hostname below to generate custom links to each tool:

On larger screens, the table has a 'Description and notes' column.

On smaller screens, the 'Description and notes' column is hidden.

Tool links

Category	Tool	Test your host	Description and notes
Attack surface	Shodan *		Internet-wide IP / service scans. Requires free login for hostname search - definitely worth it.
Attack surface	Censys *		Internet-wide IP / service scans. Be sure to check the 'IPv4', 'website', and 'certificates' sections. Eventually requires free login (after a certain number of queries per day).
Attack surface	DNS Dumpster	(use direct link)	DNS and recon data, based on Censys and Rapid7 Internet-wide IP / service scans - but often has unique analysis and discovered hosts.
Attack surface	RiskIQ Community Edition *		Wide variety of correlated public data. Be sure to check each tab. Free login required.
Attack surface	ZoomEye		The Chinese equivalent of Shodan.
Attack surface	Onyphe *		Internet-wide IP scans and botnet-list status. Requires free login for full search.
Attack surface	host.io		DNS, shared IPs, backlinks, and references
Multi	Hardenize	,	One of the best site security validation suites - includes HTTP TLS, HTTP headers, DNS/DNSSEC, email TLS, email controls (SPF/DKIM/DMARC), and more. Includes very clear explanations and analysis. Once you've assessed your public attack surface, start here.
Multi	Internet.nl		Checks security and depth of IPv6, DNSSEC, and TLS
Multi	Mozilla Observatory		Checks multiple site security parameters, and calls other tools on your behalf (including a few listed here). Be sure to check the 'TLS', 'SSH', and 'Third-Party Tests' tabs.
TLS	Qualys SSL Labs Server Test †		The most thorough TLS tester - the gold standard. Takes a minute or two to run a fresh scan. To improve your score, consult the SSL Labs documentation, generate an appropriate config, and harden your IIS TLS config. Note that this tool can only check TLS on the default TCP port (443).
TLS	crt.sh	*.,	Search public Certificate Transparency logs for cert issuance in a domain. If you acquire a public certificate, it will appear here - even if you have obscure DNS entries, etc. Operated by Sectigo (formerly Comodo).
TLS	HSTS Preload status	,	The HSTS Preload list is a hard-coded list of sites that should be HTTPS only, embedded in browsers to eliminate the first HTTP-to-HTTPS redirection window. This tool checks both for the presence of the domain in the Preload list, and also if the domain is set up properly to be eligible for inclusion.
TLS	DNS CAA Tester		Use DNS to specify which registrars are authorized to issue certs for a domain. To create your own, use the SSLMate CAA Record Helper.
TLS	CryptCheck		Simpler than Qualys SSL Labs, and more strict about cipher strengths, with a clear matrix of strength. A French site.
HTTP headers	Security Headers †	,	Validate security-specific HTTP headers, with tips. Check 'follow redirects' in the tool if neeeded. 'Referrer Policy' and 'Feature Policy' show up as red, but these are emerging standards - fix the others first. To get started on creating your headers, see Scott Helme's CSP cheat sheet. Send reports to a centralized location like Report URI (currently 10K events/month free).
HTTP headers	Google CSP Evaluator		Evaluate a site's Content Security Policy header. You can also set up a local policy in Chrome prior to test your headers prior to publishing with the CSP Tester Chrome extension.
HTTP headers	URIports		Validate a site's security headers, including Reporting API, Network Error Logging (NEL), Content Security Policy (CSP), Expect-CT, Feature Policy, DMARC, and SMTP TLS Reporting (TLS-RPT).
Email	DMARC Inspector		Parse a site's DMARC policy for validity. Also includes an explanation of each element. See also the dmarc.org list of deployment tools.
Email	GCA DMARC Guide		Simple cross-check for SPF, DKIM, and DMARC. See links on site for guidance and starting points. Use `p=none` DMARC mode to collect reports prior to moving to one of the enforcement modes.
Email	MTA-STS validator	(use direct link)	DNS-based publication of Strict Transport Security policy for email. New standard (now RFC8461).
Email	SPF validator		MX Toolbox's SPF validity checker - thorough.
DNS	IntoDNS DNS validator		General DNS validation - good coverage.
DNS	DNSSEC Debugger (Verisign Labs)		Thorough validation of DNSSEC for a given host/domain.
DNS	MXToolbox DNS SuperTool		Similar to IntoDNS, with some different checks.
SSH	Rebex SSH Check		Health check of SSH key exchange, algorithms, MACs, compression, and key size. Duplicates the Mozilla Observatory SSH tests. Rebex is a Czech company.
Tracking	Blacklight	,	Check a public website for trackers and other privacy checks. From The Markup.
Website	Google Mobile-Friendly Test *		Validate usability on smaller screens. Google is moving to a "mobile first" indexing strategy, so make sure your site is usable on mobile. The major browsers' built-in web development tools now also include simulated mobile modes. Requires solving a CAPTCHA.
Website	W3C CSS (CSS2)		Check CSS2 syntax - CSS2 (base page only).
Website	W3C CSS (CSS3)		Check CSS3 syntax - CSS3 (base page only).
Website	W3C HTML5		Check HTML5 syntax - HTML5 (base page only).
Website	W3C i18n		Check internationalization / UTF-8 (base page only).
Website	WAVE		Accessibility checks (screen readers, color contrast, etc.).

* Requires an additional step (login or CAPTCHA) - either immediately, or after N queries, or to get additional functionality.
† Publishes a "recent best/worst" dashboard (but the links provided here automatically specify exclusion from them).

References

To see simple examples of good implementations and scores, check www.techsolvency.com itself. For notes on its status see the about techsolvency.com page.
These tools are hostname-driven. To learn more about the IP space that you're coming from, use Hurricane's BGP looking-glass.
xnnd.com - a useful multi-DNS checker
learndmarc.com - interactive SPF / DKIM / DMARC explainer
https://check-your-website.server-daten.de/ - another interesting checker
Cryptolyzer - a broad-spectrum checker

Disclaimers

The goal of this form is to empower defenders to improve their security posture - not to aid threat actors or to shame organizations. When we are supportive of efforts to improve security and to encourage transparency, everyone benefits.
Since the URLs use GET to be forward-ready, the webserver powering this form does log the URL parameters to a general webserver log. It has no access to the results from the destination services.
While reasonable effort has been made to use the "hide results from public dashboards" versions of these links, the destination services may log, or even publish, the results. That being said, most of these services are run by well-known organizations who only publish in the aggregate, when queried about specific hosts or domains, or in short-lived dashboards (top X recent best/worst).
Anyone in the world can (and will) use these tools. Judge and prioritize your mitigations accordingly. Prioritize based on risk - which of your public-facing services are critical to the services that you provide (or could provide a pivot point in your network to reach critical services?
I make some tool/site recommendations here, but I'm not affiliated with any of them - just a fan.

Back to Tech Solvency.