Glossary
Look up terms you’ll see in reports, plus short answers about our tools and report links. For data retention and terms of use, see Terms & Privacy.
Language here matches what our read-only checks surface (DNS, TLS, HTTP, email, exposure). It’s general guidance—not legal or compliance advice.
Privacy & Data
How long are reports kept?
Each report uses a random id in the URL; cached data expires after a limited time (by default about 12 hours). Checks are non-intrusive (DNS, HTTPS, TLS, mail DNS, and similar)—we do not exploit vulnerabilities or guess credentials.
Tools
What is the Open Graph preview (OG Preview)?
The OG Preview tool loads public HTML for a URL you enter and reads <meta property="og:*"> and <meta name="twitter:*"> (and related tags). It shows approximate link-card layouts for major platforms—helpful for checking titles, descriptions, and images, though each app may render previews slightly differently.
On the results page you can copy a share link with ?url=… so someone else opens the same preview without retyping. Each visit performs a fresh fetch; we don’t keep a permanent snapshot of every preview. Requests are rate-limited, and private or blocked hosts aren’t fetched (same rules as scans).
From a scan report, Social card preview runs the same check against your homepage in a modal.
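As an added illustration (not Perimeter's own code) of how a link-card preview reads the tags described above: the parser collects og:* and twitter:* meta tags, lets platform-specific twitter:* values take precedence with og:* as the fallback, and resolves a relative og:image against the page URL the way a renderer would. The sample HTML and page URL are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaTagCollector(HTMLParser):
    """Collect <meta property="og:*"> and <meta name="twitter:*"> tags."""
    def __init__(self):
        super().__init__()
        self.og, self.twitter = {}, {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        key = (a.get("property") or a.get("name") or "").lower()
        content = a.get("content")
        if content is None:
            return
        # First occurrence wins, which is how most card crawlers behave.
        if key.startswith("og:"):
            self.og.setdefault(key[3:], content)
        elif key.startswith("twitter:"):
            self.twitter.setdefault(key[8:], content)

def card_fields(html: str, page_url: str) -> dict:
    """Fields a link-card preview would render: twitter:* wins, og:* is the fallback."""
    p = MetaTagCollector()
    p.feed(html)
    p.close()
    def pick(name):
        return p.twitter.get(name) or p.og.get(name)
    image = pick("image")
    return {
        "title": pick("title"),
        "description": pick("description"),
        # A relative og:image is resolved against the page URL, as a renderer would.
        "image": urljoin(page_url, image) if image else None,
        "url": p.og.get("url") or page_url,
    }

# Constructed sample document so the example runs offline.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="OG Title">
<meta property="og:description" content="OG description">
<meta property="og:image" content="/img/card.png">
<meta name="twitter:title" content="Tweet Title">
</head><body></body></html>"""

if __name__ == "__main__":
    print(card_fields(SAMPLE_HTML, "https://example.com/post/1"))
```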
What is the SEO snapshot tool?
The SEO Snapshot page loads a URL’s HTML and reads common on-page signals: <title>, <meta name="description">, <link rel="canonical">, <meta name="robots">, a count of <h1> tags, and how many application/ld+json blocks appear. It also loads the host’s /robots.txt and applies a simplified longest-prefix match for User-agent: * against your URL path.
It does not show rankings, Core Web Vitals, or fully rendered JavaScript. For social sharing cards, use OG Preview.
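The simplified longest-prefix match mentioned above, as an added example rather than Perimeter's own code: rules are taken from every group that names User-agent: *, the longest matching prefix decides, ties go to Allow, and a path with no matching rule is allowed. Wildcards (* and $) are deliberately not interpreted, matching the "simplified" description; the sample robots.txt is constructed.

```python
from urllib.parse import urlsplit

def star_group_rules(robots_txt: str) -> list:
    """Return (directive, path_prefix) rules from groups that include 'User-agent: *'."""
    rules, in_star, seen_rule = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                         # a rule line closed the previous group
                in_star, seen_rule = False, False
            in_star = in_star or value == "*"
        elif field in ("allow", "disallow") and in_star:
            seen_rule = True
            rules.append((field, value))
    return rules

def is_allowed(robots_txt: str, url: str) -> bool:
    """Longest matching prefix decides; ties go to Allow; no match means allowed.
    Patterns are plain path prefixes; '*' and '$' wildcards are not interpreted."""
    path = urlsplit(url).path or "/"
    best_len, allowed = -1, True
    for directive, prefix in star_group_rules(robots_txt):
        if not prefix or not path.startswith(prefix):
            continue                              # an empty Disallow allows everything
        if len(prefix) > best_len or (len(prefix) == best_len and directive == "allow"):
            best_len, allowed = len(prefix), directive == "allow"
    return allowed

# Constructed sample robots.txt so the example runs offline.
SAMPLE_ROBOTS = """\
User-agent: Googlebot
Disallow: /private/

User-agent: *
Disallow: /admin/
Disallow: /api/
Allow: /api/public/
Disallow: /tmp
"""

if __name__ == "__main__":
    for p in ("/", "/admin/login", "/api/public/status", "/api/internal", "/private/x", "/tmpfile"):
        print(p, "allowed" if is_allowed(SAMPLE_ROBOTS, "https://example.com" + p) else "disallowed")
```

Note that /tmpfile is disallowed by the /tmp rule: prefix matching has no path-segment boundary, which is exactly why a trailing slash on Disallow entries matters.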
Web & Discovery Files
What is security.txt?
security.txt (RFC 9116) tells security researchers how to report vulnerabilities responsibly—usually a Contact: line and optionally Expires: and Canonical:.
Common URLs: /.well-known/security.txt or /security.txt.
What is robots.txt?
robots.txt suggests which URL paths crawlers should fetch. It is a convention, not access control—attackers may ignore it.
What is a sitemap (sitemap.xml)?
A sitemap lists important public URLs for search engines (often /sitemap.xml). It helps discovery, not authorization.
DNS & Infrastructure
What is CAA?
CAA (Certification Authority Authorization) DNS records say which certificate authorities may issue TLS certs for your domain. They reduce the risk of mis-issued certificates.
What is DNSSEC?
DNSSEC adds cryptographic signatures to DNS so resolvers can detect tampering. It does not encrypt queries by itself; it protects integrity of DNS answers.
TLS & Certificates
What does TLS mean in the report?
TLS encrypts traffic between the client and server. The report checks protocol versions, certificate validity, chain, and related signals.
What is Certificate Transparency (CT)?
Certificate Transparency logs publicly issued TLS certificates. Sampling CT names helps discover hostnames that may belong to your domain.
HTTP & Security Headers
What is HSTS (Strict-Transport-Security)?
HSTS tells browsers to use HTTPS only for your site for a period (max-age), reducing SSL stripping. Optional flags include includeSubDomains and preload.
What is CSP (Content-Security-Policy)?
CSP limits where scripts, styles, and other resources may load from—reducing XSS impact. It often uses nonces or hashes instead of broad unsafe-inline.
What are X-Frame-Options / frame-ancestors?
These controls limit who can embed your site in a frame (clickjacking). Legacy X-Frame-Options (DENY/SAMEORIGIN) overlaps with CSP frame-ancestors.
What is X-Content-Type-Options: nosniff?
Reduces MIME-type confusion attacks by telling browsers not to “sniff” a different content type than declared.
What is Referrer-Policy?
Controls how much of the URL is sent in the Referer header when navigating away—balancing analytics and privacy.
What is Permissions-Policy?
Controls powerful browser features (camera, geolocation, payment, etc.) per origin or frame.
What are COOP / CORP cross-origin headers?
Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy isolate your page from other origins and reduce certain cross-origin side-channel risks.
What does Secure / HttpOnly on cookies mean?
Secure cookies are only sent over HTTPS. HttpOnly hides cookies from JavaScript, reducing theft via XSS.
What is GZIP / Content-Encoding?
Servers may compress HTTP bodies (often gzip, deflate, or Brotli / br) and advertise it with the Content-Encoding response header. That reduces bytes on the wire and speeds up pages—it is a performance / technology signal, not a security control by itself (though flaws in compression handling have occasionally been a source of security bugs in the past).
Perimeter runs a separate GET to your HTTPS homepage with Accept-Encoding: gzip, deflate, br and without auto-decoding the body, so the reported Content-Encoding matches what the origin sent. The Website card shows this under Transfer encoding and in Strengths when relevant.
What is mixed content?
Mixed content is loading insecure http:// resources on an https:// page. Browsers may block or weaken it.
Email Authentication & Delivery
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record listing which mail servers may send mail for your domain.
What is DKIM?
DKIM adds cryptographic signatures to outgoing mail so receivers can verify it was not altered in transit and that the signing domain aligns with your domain.
What is DMARC?
DMARC is a DNS TXT record at _dmarc that tells receivers what to do when mail fails SPF/DKIM alignment (e.g. none, quarantine, reject) and where to send reports.
What is MTA-STS?
MTA-STS lets mail servers advertise that SMTP connections should use TLS, with a policy file served over HTTPS.
What is TLS-RPT?
TLS-RPT (TLS Reporting) collects aggregate reports about TLS failures for inbound mail to your domain.
What is BIMI?
BIMI can display a brand logo next to mail in some providers when DMARC passes and a valid SVG logo is published.
What is DANE / TLSA for mail?
TLSA DNS records (for DANE) can pin expected certificates for SMTP TLS, complementing opportunistic TLS and MTA-STS.
What is SMTP STARTTLS?
STARTTLS upgrades a plain SMTP connection to TLS after EHLO. It is a common way inbound mail servers offer encryption.
Exposure & Surface
What is CORS?
CORS (Cross-Origin Resource Sharing) lets browsers enforce which origins may read responses from your APIs. Misconfiguration can expose data to other sites.
Finding Categories (In Reports)
Each finding row has a Category label. Click the label in a report to open the matching glossary entry below, or browse by area.
DNS & Infrastructure
Registration / RDAP
Public registration and RDAP-style signals (registrar, dates) where available—non-authoritative hints, not legal proof of ownership.
Website
Reachability over HTTP/HTTPS, mixed content hints, fingerprint headers, directory listing, and similar public web signals. See mixed content, compression.
HTTP Security Headers
TLS/SSL
Certificate validity, chain, protocol versions, hostname match, and Certificate Transparency sampling. See TLS, Certificate Transparency.
Email Security
Components / technology
Detected libraries and platforms with version hints vs reference data—patch posture, not a full dependency audit.
Compliance & transparency
Discoverability of security.txt, privacy/cookie/terms links from public pages. See security.txt.
Exposure & Privacy
Email addresses in HTML, forms posting to HTTP, environment markers in page copy, subdomain resolution—publicly visible signals. See CORS for API exposure.
Perimeter Reports
Why did my report link stop working?
Reports are kept for a limited time (by default about 12 hours after the scan finishes) and are tied to your browser session. Download PDF, JSON, or CSV while the report is open if you need to keep a copy.