Back to features

Feature

Security scanning & grade

A full security audit on every check, rolled up into a single letter grade you can read at a glance — and explained line-by-line if you want the details.

What gets scanned

Security headers

HSTS (with includeSubDomains and preload awareness), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing or weak values pull the grade down with a specific reason.

CAA records

Xpiry queries DNS for CAA records on your apex domain and confirms they exist, are well-formed, and authorize a CA. Missing CAA records mean any CA could issue a cert for your domain — not what you want.

DNSSEC

Validates that your zone is signed and that the chain of trust resolves correctly back to the root. Either you have it or you don't — and it's surfaced front-and-center on the domain page.

Certificate Transparency

Confirms your certificate is published in the CT logs that browsers expect. Modern browsers refuse to trust certs missing from CT, so this is a "must-have" check.

OCSP stapling

Whether your server is stapling a fresh OCSP response with the handshake. Stapling improves both privacy and TLS performance.

TLS configuration

Negotiated version, cipher strength, forward secrecy, and which deprecated TLS/SSL versions your server is still willing to speak. SSL 3, TLS 1.0, and TLS 1.1 cap your grade severely.

The grade

Each domain gets a letter grade from A+ down to F. The score is hard-capped on serious issues so a beautiful header configuration can't save a broken cert:

  • 0
    Cap 0: revoked or expired certificate.
  • 20
    Cap 20: self-signed certificate.
  • 50
    Cap 50: SSL 3.0 still supported.
  • 60
    Cap 60: TLS 1.0 or TLS 1.1 still supported.

Above the caps, individual sub-scores for cert health, TLS, headers, CAA, DNSSEC, CT, and OCSP combine into the final grade. Every contributing reason is listed on the domain page so you know exactly what to fix to move up a tier.

Start monitoring in minutes

Free for one domain. No credit card required.

Get started free

See the full feature list or pricing.