Web & Email Security Test
Welcome! Want to know if your site is secure and modern? We can help with that!
Frequently Asked Questions
How does the scoring work, exactly?Scoring is primarily subtractive — all sites start at 100 and then we deduct points. For some tests, positive bonus points may be awarded. These are for enacting security measures that may be difficult or unnecessary in most circumstances, but if your site does have these, we want to commend you for that! As long as you pass all the tests, you are eligible to receive a score greater than 100.
My site got an A+! That means it's secure, right?While it's certainly a great starting point, this web test only sees a fraction of your site and tests some very basic things that can make or break your site's security, and you shouldn't let down your guard if you receive a high score. There are many other things you should also employ, like proper hashing and salting, SQL-injection mitigations (e.g. prepared statements), proper escaping, CSRF tokens, etc. — and we simply can't test these things. However, there are a lot of easy ways to improve the security of your site — this test helps you uncover some of those items.
This test seems similar to other web security tests. How is this different?We test a combination of factors considered by many other common tests, which are linked under Related Tests on the test page. We aim to include many of the most common metrics in one, easy place — this was originally developed to test many of our own projects. However, security comes in numbers — you should definitely check out some of the other great tests that are available, many of which look at a specific aspect of your site's security more comprehensively. You can find these under Related Tests once you scan your site.
How much does security matter if my site doesn't have any sensitive data?It's not necessarily about whether your site has sensitive data — it's also about safeguarding the security and privacy of your users. For instance, users may reuse passwords from sensitive sites (e.g. banking) on your site. Web developers have a responsibility to secure their site to protect their users.
I'm getting dinged big time for not enabling HTTPS/HSTS, but we don't do HTTPS for backwards-compatability.Actually, it's not really about compatability anymore. See this excellent post by Scott Helme. While it may have once been the case that HTTPS excluded older clients, this is rarely the case anymore. Even Windows 2000 and Windows XP users can do TLS 1.2 and TLS 1.3 — there is just no excuse for not supporting HTTPS anymore. Additionally, search engines like sites that support HTTPS, and so do your users!
Why don't you do a DKIM test?Unfortunately, due to the way DKIM works, we can't do an accurate DKIM test without the DKIM selector, which gets sent whenever a legitimate email gets sent from your domain. Because we don't have that, we lack the information necessary to pull the proper DKIM records. You should definitely make sure you have a DKIM record set up on your domain (if you have an MX record), but because we can't accurately assess this, we don't test for that. We do, however, check for SPF and DMARC records if you have an MX record on your domain, and we score these on a subtractive basis.
Why don't you test for HPKP?Initially, we did. However, this test was removed because HPKP is really hard to get right, and it hasn't seen any significant adoption. In fact, Google, which introduced HPKP, has backtracked on it, recommending Expect-CT instead (which we do test for). HPKP is deprecated and not recommended anymore, so we've removed that from our tests.
Why do you require users to log in to run tests?Actually, we don't, unless you've exceeded our rate limit for guest users. This is an additional security measure to prevent spam and abuse. If you register, you can enjoy even more lenient scan restrictions, including the ability to scan the same site more often.
What is this data used for?We don't use this data for anything other than generating the statistics you see above. We are strongly committed to user privacy and security, and none of this data leaves this site.
I didn't like something about the test.Please let us know what you think could be improved! We're always looking for ways to improve the experience and better serve our users. Also, check out many of the other great tests out there that will scan your site for security issues — don't put all your eggs in one basket.
I did like the test. Can I support it?Thanks for asking! We provide this service for free as part of our mission of improving the security and privacy of the web. Our work is entirely volunteer-driven, and we don't charge for this tool and never will. If you'd like to help us cover some of our expenses, please consider making a donation. We really appreciate it, and every little bit helps a lot!