How is SSL/TLS verified?

The scanner fetches the HTTPS version of your site from a Cloudflare Worker. If the TLS handshake succeeds, SSL is valid. It also checks whether HTTP redirects to HTTPS and whether HSTS is set with appropriate directives.

What security headers are checked?

The scanner checks for Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy.

What is information leakage?

Headers like Server, X-Powered-By, and X-AspNet-Version reveal implementation details. Attackers can use this to target known vulnerabilities in specific software versions.

Yes. Scan results are cached for 5 minutes per domain using a Cloudflare Durable Object, giving you instant results for repeat scans.

Tools

Site Verifier

Enter any URL to scan its SSL/TLS setup, security headers, cookie attributes, redirect chain, and caching configuration. Results are cached for 5 minutes.

What's Checked

SSL / TLS: HTTPS availability, HTTP→HTTPS redirect, HSTS header and preload eligibility.
Security Headers: 7 recommended headers including CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and COOP.
Cookie Safety: Checks Secure, HttpOnly, and SameSite attributes on every Set-Cookie header.
Information Leakage: Flags headers that expose server software: Server, X-Powered-By, etc.
Caching: Cache-Control, ETag, Last-Modified, Vary headers for CDN and browser caching.

Use the Header Inspector for a lighter header-only view. Read about HTTPS & TLS, Cookie Security, and Headers & Caching.

Site Verifier

What's Checked

Related