Full security scan.
Every layer checked.

TLS & Certificate

• Protocol grade (TLSv1.3 → TLSv1.0)
• Cipher suite: AEAD vs legacy
• Key bit strength (256–4096)
• Certificate chain depth
• Self-signed detection
• Days until expiry
• Signature algorithm (RSA/EC/PQC)
• HSTS preload eligibility

Security Headers

• Content-Security-Policy presence and eval/inline flags
• Strict-Transport-Security max-age and includeSubDomains
• X-Frame-Options (DENY / SAMEORIGIN)
• X-Content-Type-Options: nosniff
• Referrer-Policy value
• Permissions-Policy
• Cross-Origin-Opener-Policy
• Cross-Origin-Resource-Policy

Email Authentication

• SPF record presence and policy
• DKIM — scans 18 common selectors
• DKIM key type (RSA/Ed25519) and bit estimate
• DMARC policy (reject / quarantine / none)
• DMARC pct coverage
• MTA-STS mode (enforce / testing)

DNS Hardening

• CAA record count and issuers
• DNSSEC — RRSIG and DNSKEY detection
• Authenticated Data (AD) flag
• NS redundancy count
• IPv6 AAAA record presence
• Domain age proxy from SOA serial

Misconfigurations

• Server header version disclosure
• X-Powered-By header exposure
• phpinfo() output in page HTML
• Verbose stack trace in page HTML
• Clickjacking protection check
• Cache-Control directive presence
• Mixed content (HTTP refs on HTTPS pages)

Cookie Security

• Per-cookie Secure flag
• HttpOnly flag on each cookie
• SameSite attribute (Strict / Lax / None)
• Total cookie count
• Session vs persistent cookie ratio