Web / TLS
HTTPS reachability, redirects, certificate quality, HSTS and protocol posture.
Passive domain posture audit
Domain Security Scanner
Audit HTTPS, TLS certificates, HSTS preload readiness, DNSSEC, CAA, RPKI routing, browser security headers, registration, CT logs, security.txt, and email authentication from public evidence.
No exploit probingPublic DNS / HTTP / TLSRPKI and registry checks
TLS
CAA / DNSSEC
Security coverage map
The scan groups public signals into practical checkpoints so domain owners can move from evidence to fixes.
DNS / Web PKI
DNSSEC validation, CAA issuer policy, SVCB/HTTPS and TLSA observations.
SPF, DKIM, DMARC and mail-server evidence connected to the same domain.
CT / security.txt
Certificate Transparency exposure and security disclosure signals.
Routing
RPKI route-origin validation for web, nameserver and mail infrastructure.
Registry
RDAP lifecycle, expiry windows, transfer lock and risky domain statuses.
What This Domain Security Scan Covers
PrivKit checks public security controls around a domain and groups the results into practical evidence panels: browser-facing HTTPS behavior, certificate quality, DNS and Web PKI policy, routing, registration, email authentication, Certificate Transparency, and disclosure signals.
The scan uses public DNS, HTTP, TLS, RDAP, CT, and routing data. It does not run exploit tests, authenticate into applications, crawl private areas, or guarantee compliance.
How The Score Is Organized
The score is weighted across HTTPS/TLS, DNS and Web PKI, browser headers, email security, routing and registry posture, plus CT and disclosure metadata. Critical findings reduce the score more heavily than informational improvements.
HTTPS, TLS and HSTS
The HTTPS/TLS panel checks whether apex and www hostnames are reachable over HTTPS, whether HTTP redirects to HTTPS, and whether certificates are valid for the tested hostnames. It also flags weak signature algorithms, weak keys, unusually long certificate validity, missing forward secrecy signals, OCSP stapling visibility, and modern TLS baseline issues. HSTS checks look for preload-ready max-age, includeSubDomains, the preload directive, and apex/www coverage where applicable.
DNS, CAA and DNSSEC
The DNS & Web PKI panel reviews DNSSEC validation posture and CAA policy. DNSSEC results are reported as secure, insecure, bogus, or indeterminate based on available resolver and DNS evidence. CAA analysis parses issue, issuewild, issuemail, issuevmc, iodef, accounturi and validationmethods tags, then highlights unknown critical tags, wildcard-deny posture, and issuer alignment.
Routing and Registry
The Routing & Registry panel checks route-origin validation for website, authoritative nameserver and mail server IPs using public RIPEstat route-origin data. RDAP lifecycle checks surface expiry windows, missing transfer lock signals, and registrar states that may need attention, such as pendingDelete, redemptionPeriod or serverHold.
Headers, Email and Disclosure
The Browser Headers panel parses CSP and CSP-Report-Only, then flags high-impact weaknesses such as unsafe inline script, broad wildcards, missing object-src, base-uri, frame-ancestors or form-action, duplicate directives, and missing modern isolation headers. Email, CT and disclosure checks connect the site posture with SPF, DKIM, DMARC, Certificate Transparency and security.txt evidence.
How To Interpret Warnings
A warning does not always mean the domain is vulnerable. Some controls are contextual: RPKI depends on network coverage, DNSSEC depends on the domain's delegation model, CSP depends on application requirements, and HSTS preload may not be appropriate for every domain. Use the evidence panel to decide which findings are actionable for the domain you control.
Related Tools And Guides
What does the Domain Security Scanner check?
It checks public domain security signals across HTTPS, TLS certificates, HSTS preload readiness, DNSSEC, CAA, RPKI route-origin validation, CSP and browser security headers, RDAP registration lifecycle, Certificate Transparency, security.txt, SPF, DKIM and DMARC.
Is this a vulnerability scanner?
No. PrivKit performs passive and public-signal checks using DNS, HTTP, TLS, RDAP, CT and routing data. It does not run exploit tests, authenticated scans, application crawling, password checks or JavaScript secret scanning.
What do DNSSEC secure, insecure, bogus and indeterminate mean?
Secure means the domain appears to validate successfully through DNSSEC-aware resolution. Insecure means the domain or parent delegation does not provide a validated DNSSEC chain. Bogus means validation evidence indicates a DNSSEC problem. Indeterminate means the scanner could not confidently classify the posture from available data.
What does RPKI route validation tell me?
RPKI route-origin validation checks whether the networks announcing website, nameserver or mail-server IPs match published routing authorizations. Invalid results should be reviewed with the network or hosting provider.
Why does CAA matter?
CAA records tell certificate authorities which issuers are allowed to issue certificates for a domain. A strong CAA policy can reduce accidental or unauthorized certificate issuance, especially when wildcard issuance and issuer alignment are reviewed.
Should every domain enable HSTS preload?
No. HSTS preload is powerful but difficult to roll back. A domain should only preload after confirming all required subdomains support HTTPS and the organization is ready to maintain HTTPS permanently across the covered namespace.