Threat Check

Full security audit — SSL/TLS certificates, protocol versions, cipher suites, Google Safe Browsing status, 10+ security headers with deep CSP analysis, exposed sensitive files, server version leakage, and HSTS preload verification.

Google Safe Browsing
SSL/TLS analysis
CSP analysis
Exposed file detection
10+ security headers
HSTS preload check

What you get

Example

A full SSL/TLS security audit covering certificates, protocols, and headers.

Certificate

Issuer: Let's Encrypt
Expires: 87 days
Key: 2048-bit RSA
SANs: 3 domains

Protocols

TLS 1.3 ✓
TLS 1.2 ✓
TLS 1.1 ✗ (disabled)
TLS 1.0 ✗ (disabled)

Security Headers

HSTS ✓ (preload verified)
CSP: unsafe-inline flagged
Permissions-Policy: 4/9
Grade: B

What this tool checks

Certificate Details

Subject, issuer, validity dates, days until expiry, key size, signature algorithm, Subject Alternative Names, and self-signed detection.

TLS Protocol Versions

Tests whether TLS 1.0, 1.1, 1.2, and 1.3 are supported. Flags deprecated versions (1.0/1.1) that create vulnerabilities.

HTTP → HTTPS Redirect

Checks if HTTP properly redirects to HTTPS with a 301 (permanent), not a 302 (temporary). Also verifies the redirect target.

Deep Security Header Analysis

Checks 10 headers and assigns a grade from A+ through F. Analyzes CSP directives for unsafe-inline, unsafe-eval, and wildcard sources. Evaluates Permissions-Policy across 9 sensitive features (camera, microphone, geolocation, and more). Flags Server and X-Powered-By headers that leak version info.

HSTS Preload Verification

Checks HSTS presence, max-age, includeSubDomains, and preload directive — then verifies whether your domain is actually on the browser HSTS preload list.
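
The header checks described in the two sections above, sketched as an added example (not this tool's own code): it flags risky CSP sources, parses HSTS directives, and spots version strings in Server and X-Powered-By. The sample headers are constructed, the function names are hypothetical, and the HSTS check covers only the header itself, not membership of the browser preload list.

```python
import re

# Constructed sample response headers, not taken from a real site.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "'unsafe-inline' https://*.example.com; img-src *",
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.1",
}
HASHES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def csp_findings(value):
    """Return (directive, issue) pairs for unsafe-inline, unsafe-eval, wildcards."""
    findings, seen = [], set()
    for part in value.split(";"):
        tokens = part.lower().split()
        if not tokens or tokens[0] in seen:  # browsers ignore repeated directives
            continue
        name, sources = tokens[0], tokens[1:]
        seen.add(name)
        # A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
        strict = any(s.startswith(HASHES) for s in sources)
        for src in sources:
            if src == "'unsafe-eval'" or (src == "'unsafe-inline'" and not strict):
                findings.append((name, src.strip("'")))
            elif src == "*" or "*." in src:
                findings.append((name, "wildcard " + src))
    return findings

def hsts_status(value):
    """Parse HSTS and report whether the header itself meets preload criteria."""
    d = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        d.setdefault(name.strip().lower(), arg.strip().strip('"'))
    age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    sub, pre = "includesubdomains" in d, "preload" in d
    # Assumption: one year is the minimum max-age for preload submission.
    return {"max_age": age, "include_subdomains": sub, "preload": pre,
            "preload_ready": age >= 31536000 and sub and pre}

def version_leaks(headers):
    """Return Server / X-Powered-By values that disclose a version number."""
    return {k: v for k, v in headers.items()
            if k.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", v)}

if __name__ == "__main__":
    print(csp_findings(SAMPLE["Content-Security-Policy"]))
    print(hsts_status(SAMPLE["Strict-Transport-Security"]))
    print(version_leaks(SAMPLE))
```

A header that passes `preload_ready` still has to be submitted and accepted before browsers ship the domain in their preload list, which is why the list lookup is a separate check.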

Certificate Chain

Validates that the full certificate chain is present and complete; missing intermediate certificates cause failures in some browsers.

Exposed Sensitive Files

Probes for files that should never be public — .git/config, .env, wp-config.php.bak, .DS_Store, debug.log, and other common leaks that expose credentials or internal paths.

Vulnerability Assessment

Checks for known weaknesses, including exposure to BEAST and POODLE through legacy protocols, weak ciphers, and missing forward secrecy.

Common questions

What's the difference between SSL and TLS?

SSL is the old name — it was replaced by TLS in 1999. When people say 'SSL certificate' they mean a TLS certificate. We check TLS 1.0 through 1.3. TLS 1.2 and 1.3 are considered secure. TLS 1.0 and 1.1 are deprecated.

Why do security headers matter?

Security headers tell browsers how to handle your content — preventing clickjacking (X-Frame-Options), XSS (CSP), MIME sniffing (X-Content-Type-Options), and forcing HTTPS (HSTS). We go deeper than just checking presence: we analyze CSP directives for unsafe-inline and wildcard sources, check Permissions-Policy for 9 sensitive browser features, flag server version leakage, and verify HSTS preload status. Missing or misconfigured headers leave your visitors vulnerable to common attacks.

My certificate is valid but I got a low score — why?

A valid certificate is just the baseline. Our score also factors in protocol support (TLS 1.3), HSTS, the redirect chain (301 vs 302), security headers, and forward secrecy. Most low scores come from missing security headers — easy to fix.

How do I add missing security headers?

It depends on your hosting. On Cloudflare, use Transform Rules. On Apache, add them to .htaccess. On Nginx, add header directives. Our scan results include the exact header values to add — just copy and paste.

Want the full picture?

The checks SSL plus 7 other categories — email, DNS, performance, SEO, accessibility, privacy, and mobile.
