
List of useful websites to check your security posture

October 23, 2023 — Nico Cartron

Context

I recently stumbled upon Security Headers, thanks to a tweet by Stephen Rees-Carter.

I started looking at it and found things I could improve (a nice understatement, as you'll see below). I then figured it would be useful to sum up the security websites that can help you improve your security posture.

securityheaders.com

  • Scope: websites
  • Goal: check the HTTP security headers used on a specific website, and give recommendations
  • Principle:
    • the site "scans" your website and fetches the HTTP headers to see whether specific security ones are being used.
    • it then gives you a grade, from A+ (very good) to F (not using any security headers)
    • and then gives you recommendations: missing headers, and also upcoming headers, i.e. ones that will come into use soon.

I wrote a detailed article about it, explaining how I used it to secure my website.
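As an added illustration of the principle above (example code written for this page, not securityheaders.com's own scanner or grading algorithm), here is a small Python checker that takes a response's header mapping, as returned by urllib or requests, and reports which of the commonly recommended security headers are present, which are missing, and which are legacy. The two sample responses are constructed, and the letter scale is a simplified one chosen for the example, not the site's.

```python
"""Check an HTTP response's headers for the commonly recommended security headers."""
from __future__ import annotations

# Headers a securityheaders.com-style scanner looks for, with a short note on what
# each one protects against.  Names are compared case-insensitively, as HTTP requires.
SECURITY_HEADERS = {
    "strict-transport-security": "forces HTTPS on returning visitors (HSTS)",
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "x-frame-options": "blocks clickjacking by refusing to be framed",
    "x-content-type-options": "stops MIME-type sniffing",
    "referrer-policy": "limits what the Referer header leaks to other sites",
    "permissions-policy": "restricts browser features such as camera or geolocation",
}

# Legacy headers whose presence is reported but no longer counts as a plus.
LEGACY_HEADERS = {
    "x-xss-protection": "obsolete; browsers removed the XSS auditor, use CSP instead",
}


def check_headers(headers: dict[str, str]) -> dict:
    """Return which recommended headers are present, missing or legacy.

    `headers` maps header name -> value (e.g. dict(urllib response .headers));
    the case of the names does not matter.
    """
    present = {k.lower(): v for k, v in headers.items()}
    found = {h: present[h] for h in SECURITY_HEADERS if h in present}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    legacy = [h for h in LEGACY_HEADERS if h in present]
    return {"present": found, "missing": missing, "legacy": legacy}


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of a Strict-Transport-Security value (0 if absent).

    One year (31536000 seconds) or more is the commonly recommended minimum.
    """
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def grade(result: dict) -> str:
    """Map the number of recommended headers present to a letter grade.

    Constructed scale for this example only; it is not securityheaders.com's
    algorithm.  A+ requires every recommended header and no legacy ones.
    """
    n = len(result["present"])
    if n == len(SECURITY_HEADERS) and not result["legacy"]:
        return "A+"
    return {6: "A", 5: "A", 4: "B", 3: "C", 2: "D", 1: "E"}.get(n, "F")


# Constructed sample: a default web server that sends no security headers at all.
WEAK_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: the same server after the recommended headers were added.
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("before", WEAK_RESPONSE), ("after", HARDENED_RESPONSE)):
        r = check_headers(resp)
        print(f"{label}: grade {grade(r)}, missing {r['missing']}, legacy {r['legacy']}")
```

To run it against a live site, pass dict(urllib.request.urlopen(url).headers) to check_headers; the point of keeping the checker separate from the fetch is that the same function can be run over headers captured from a proxy or a log.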

dnsviz.net

  • Scope: Authoritative DNS
  • Goal: Check that DNS zones are properly configured, with a focus on DNSSEC
  • Principle:
    • dnsviz checks the whole DNS chain and highlights any misconfigurations.
  • Sum up: to me, dnsviz is THE DNS troubleshooting tool to use when dealing with DNS issues. It is now maintained by DNS-OARC.

dmarctester.com

  • Scope: emails
  • Goal: DMARC testing
  • Principle:
    • you send an email to dmarctester
    • which looks at the various DMARC/SPF DNS records
    • and tells you whether they are well configured or not
  • Sum up: very nice UI, and very didactic: the site shows and explains each step it takes.

Note that it is also available on mobile, with a more minimalist UI.
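To make the DMARC/SPF step concrete, here is an added Python example (written for this page, not dmarctester.com's code) that parses the two TXT records a tester looks up and lists the findings a practitioner cares about: DMARC's p= policy, rua= reporting address and pct=, and SPF's terminal "all" qualifier and DNS-lookup count. The records below are constructed; in practice DMARC is published as a TXT record at _dmarc.<domain> and SPF as a TXT record at the domain itself.

```python
"""Parse and sanity-check SPF and DMARC TXT records."""
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return a list of findings; an empty list means the record looks sound."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return findings


def _mechanism(term: str) -> str:
    """Strip qualifier and argument from an SPF term: '+include:x.com' -> 'include'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Check an SPF record's version, terminal 'all' qualifier and lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("ends with +all: anyone may send as this domain")
    elif last == "?all":
        findings.append("ends with ?all (neutral): SPF gives receivers no signal")
    elif last not in ("-all", "~all"):
        findings.append("no terminal all mechanism; unlisted senders get a neutral result")
    # Counts only this record's own terms; include: targets expand recursively,
    # so the real total seen by a receiver can be higher.
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


# Constructed sample records (example.com / example.net are reserved names).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_SPF = "v=spf1 a mx +all"

if __name__ == "__main__":
    for label, rec, fn in (("DMARC ok", GOOD_DMARC, check_dmarc),
                           ("DMARC weak", WEAK_DMARC, check_dmarc),
                           ("SPF ok", GOOD_SPF, check_spf),
                           ("SPF weak", WEAK_SPF, check_spf)):
        print(f"{label}: {fn(rec) or 'no findings'}")
```

A p=none record is the usual first step when rolling DMARC out, since the aggregate reports tell you which legitimate senders still fail alignment; the checker flags it so that nobody mistakes monitoring mode for protection.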

Qualys' SSL Server Test

  • Scope: websites
  • Goal: analyse the configuration of a "SSL server on the public Internet"
  • Principle: comparable to securityheaders.com - it scans your web server and gives it a grade depending on how it is configured. It goes a bit deeper though, as it not only looks at the security headers but also at the TLS certificate, the supported protocols (TLS 1.3, ...), the cipher suites, ...
  • Sum up: a good complement to securityheaders.com, as it gives more details on your TLS configuration.
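As an added example of the kind of checks such a scanner performs (constructed for this page; this is not Qualys' engine nor its grading scale), the Python below audits a summarised scanner report for deprecated protocols, weak or non-forward-secret cipher suites, short keys and imminent certificate expiry, and beside it builds the server-side ssl context settings that would pass those checks. LEGACY_REPORT is a constructed sample.

```python
"""Audit a TLS server configuration as an SSL Labs-style scanner would summarise it."""
from __future__ import annotations

import re
import ssl

# Protocols deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSL 2/3).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Name fragments (OpenSSL or IANA naming) that mark a broken cipher suite.
WEAK_CIPHER_RE = re.compile(r"RC4|3DES|DES-CBC3|NULL|EXPORT|MD5|anon|_DES_", re.IGNORECASE)


def weak_cipher(name: str) -> bool:
    """True for broken algorithms or for key exchanges without forward secrecy."""
    if WEAK_CIPHER_RE.search(name):
        return True
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral keys.
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return False
    # Anything else must negotiate an ephemeral (EC)DHE key exchange.
    return "DHE" not in name.upper()


def audit_tls(report: dict) -> list[str]:
    """Return findings for a report {protocols, ciphers, key_bits, cert_days_left}."""
    findings = []
    for proto in report.get("protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for name in report.get("ciphers", []):
        if weak_cipher(name):
            findings.append(f"weak or non-forward-secret cipher suite: {name}")
    if report.get("key_bits", 2048) < 2048:
        findings.append(f"certificate key of {report['key_bits']} bits is too short (min 2048 RSA)")
    if report.get("cert_days_left", 365) < 30:
        findings.append(f"certificate expires in {report['cert_days_left']} days")
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """A server-side SSLContext that passes audit_tls: TLS 1.2+ and AEAD ECDHE suites only.

    Load the certificate and key with ctx.load_cert_chain() before serving.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


# Constructed sample report, in the shape a scanner would summarise a legacy server.
LEGACY_REPORT = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    "key_bits": 1024,
    "cert_days_left": 12,
}

if __name__ == "__main__":
    for finding in audit_tls(LEGACY_REPORT):
        print("-", finding)
    ctx = hardened_server_context()
    print("hardened context offers:", [c["name"] for c in ctx.get_ciphers()])
```

The forward-secrecy rule is the one most often missed when people only remove the obviously broken algorithms: a TLS_RSA_WITH_AES_128_GCM_SHA256 suite uses a perfectly fine cipher, but a leaked server key would decrypt every recorded session, which is why the audit treats it as a finding too.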

Have I Been Pwned?

  • Scope: password leaks
  • Goal: Have I Been Pwned lists the security breaches that happened and led to passwords for various sites being exposed.
  • Principle:
    • You enter your email address, and the site tells you whether it found it in a breach
    • You can also subscribe to future updates: whenever a site gets compromised and passwords are stolen, you'll get an email notification to warn you, so that you can change your password.
  • Sum up: also a site that you MUST subscribe to, so you get alerted whenever one of the websites you use has been compromised.

Wrap Up

I hope you found that list useful - I have probably forgotten many others, so please feel free to ping me on Twitter if you think one of them is worth adding to this article.


Tags: IT, Misc


I don't have any commenting system, but email me (nicolas at ncartron dot org) your comments!
If you like my work, you can buy me a coffee!