Five security dimensions, each scored A to F, with a plain-English finding behind every deduction.
Which protocol versions the server accepts (TLS 1.0/1.1 are a fail), whether the cipher has forward secrecy, the key and signature strength, and HSTS. This is the part SSL Labs grades — we grade it the same way.
HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — present or missing, with what each one protects against. This is the part securityheaders.com grades.
SPF, DKIM, and DMARC (including whether DMARC is actually enforced or only reporting), plus whether the domain accepts mail at all. Spoofable mail is a fail.
DNSSEC signing, CAA records that restrict which CAs may issue for you, and dangling CNAMEs that expose a subdomain to takeover.
Whether the host is flagged by threat-blocking DNS — the same feeds that would block your visitors before they ever load the page.
Yes. Paste a domain on the homepage and you get the full grade with every finding, no signup and no email. An account is only needed to watch a domain over time and get alerted when its grade drops.
SSL Labs grades TLS configuration; securityheaders.com grades response headers. CertPost grades both, plus email authentication, DNS security, and reputation, in one check — and then monitors them, so you find out when something regresses instead of remembering to re-run a scanner.
Each area is scored A to F from a transparent rubric — protocol support, cipher strength, key and signature, headers present, email records, DNSSEC/CAA, and threat-intel status — and every deduction is shown as a plain-English finding you can act on.
The instant check reads the certificate your server presents and does a handful of DNS lookups — the same things a browser and a mail server already do. Nothing is installed, and the one-off check needs no account.