Skip to content
https://stackoverflow.com/users/login

Infrastructure

· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
88
GRADE
B
FIX
0
REVIEW
7
PASS
10
INFO
0
Probed from New York, United Stated
200 OK
Checks
17
10 PASS 7 REVIEW
B
DNSSEC
Unsigned (DNSSEC not deployed)
REVIEW
Unsigned (DNSSEC not deployed)
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
C
Reverse DNS
Action
0/1 IPs match cert SAN
REVIEW
0/1 IPs match cert SAN
Info::
PTR lookup failed for 198.252.206.1: lookup 198.252.206.1: Temporary failure in name resolution
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
C
IPv6 Readiness
Action
No IPv6 support
REVIEW
No IPv6 support
Info::
No IPv6 (AAAA) records found
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No IPv6 Support
About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B
Crawlability
no robots.txt, no sitemap
REVIEW
no robots.txt, no sitemap
Info::
No robots.txt found
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Info::
No sitemap.xml found
A sitemap helps search engines discover and index your pages more efficiently.

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

Why this matters

No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.

Learn more

A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.

Source: robotstxt.org

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

robots.txt No robots.txt found

No robots.txt found

This is fine for most sites — a missing robots.txt allows all crawling by default.

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

B
TLS Certificate Expiry & Recommendations
70 days until leaf cert expires — 3 issues to address
REVIEW

Certificate validity

70
days left
0d 30d 60d 90d+

Recommended actions

  • Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
B
Operational Status Page
No status page link detected
REVIEW
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
B
Health Check Endpoint
No conventional health endpoint found
REVIEW
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
A+
DNS Records
1 A records, 5 ms lookup
PASS
1 A records, 5 ms lookup
Info::
Resolves to 1 IPv4 address(es)
Got: 198.252.206.1
Info::
Single A record — no DNS redundancy
Multiple A records provide failover if one server goes down.
Info::
No IPv6 (AAAA) records
Info::
2 nameserver(s) configured
Got: damian.ns.cloudflare.com, sureena.ns.cloudflare.com
Info::
5 mail exchanger(s) configured
Info::
SPF record present in TXT
Info::
DNS resolution time: 5 ms
Got: 5 ms
A198.252.206.1
AAAA
CNAME
NSdamian.ns.cloudflare.com, sureena.ns.cloudflare.com
MX
1 aspmx.l.google.com
5 alt1.aspmx.l.google.com
5 alt2.aspmx.l.google.com
10 alt3.aspmx.l.google.com
10 alt4.aspmx.l.google.com
TXT
MS=ms52592611
ZOOM_verify_AbkNwz5bBl0eurcDKyhhuk
adobe-idp-site-verification=25ba5203f3687c9cd6ee3223ee5de1528917828d1da3ebd3bd9a...
anthropic-domain-verification-q70207=cKyy0llXkD10O4rDQpWz8tQ5K
apple-domain-verification=O9jlnJXAQ7sNSZqC
atlassian-domain-verification=byLeZgl3MIcfOqwWuMhq8Fhr/1zem/jIaouJegvDZbBKUU5Oqh...
cursor-domain-verification-sb0ayf=Pk6AyptQuTpzpcuSlfYGWloxv
docker-verification=d65aee54-9091-4ceb-b792-61f5d5804050
docusign=4262531d-29f4-4a62-9f33-ae9f66f5247b
google-site-verification=2Bi6SYw5skkRexdtdLPL2gpxeIhLxnYVqITVP9Htl3w
google-site-verification=ctogLnZNAdc_CXq8yOhODMLpmugGynjxKecKHDz4oL8
google-site-verification=o3EMam8yBGo1yEjyybIiZcOunGHOQKpo8JmOtp9n1BU
google-site-verification=rdWtMbplKjbRHGr2dNONfwkqithlUvjr3u6i8QEz_mo
ibmid=4e7cbbb3-5f12-40b4-96c7-5b064347b822
make-domain-verification=eec31159-f381-4f38-9d89-e59123dd023e
onetrust-domain-verification=0d9d67f856334905a54256085a5768b3
onetrust-domain-verification=e445562296a64c649ae3d520230b8c4c
openai-domain-verification=dv-GLNufzbWDzAq0fDXHD6jxeCK
profound-domain-verification-5p599x=hWudYd2Du6WOYOod5ko9Rwnp8
v=MCPv1; k=ed25519; p=VhBofO8RaYvTvHT7q5tTty+HQeCU8R6h5Y8k/sj20So=
SPF v=spf1 ip4:52.38.191.241 include:_spf1.stackoverflow.com ~all
CAALookup not available with standard resolver
Resolved in 5 ms

Multiple A records provide failover if one server goes down.

Why this matters

Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.

Learn more

Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.

Source: SRE practice / DNS architecture

A+
Subdomain Takeover
No subdomain takeover risk detected
PASS
No subdomain takeover risk detected
Info::
No CNAME record present
A+
CAA Records
issue: comodoca.com, digicert.com, letsencrypt.org, pki.goog, sectigo.com, ssl.com | issuewild: comodoca.com, digicert.com, letsencrypt.org, pki.goog, sectigo.com, ssl.com | iodef configured
PASS
issue: comodoca.com, digicert.com, letsencrypt.org, pki.goog, sectigo.com, ssl.com | issuewild: comodoca.com, digicert.com, letsencrypt.org, pki.goog, sectigo.com, ssl.com | iodef configured
Info::
CAA issue tag present — authorized CA(s): comodoca.com, digicert.com, letsencrypt.org, pki.goog, sectigo.com, ssl.com
Info::
CAA iodef tag present (failed-issuance notifications enabled)
A+
Multi-Resolver DNS Speed
Mean 3ms across 3 resolvers (spread 10ms)
PASS
Mean 3ms across 3 resolvers (spread 10ms)
Info::
Quad9: 0ms
Got: 0ms via 9.9.9.9:53
Info::
Cloudflare: 1ms
Got: 1ms via 1.1.1.1:53
Info::
Google: 10ms
Got: 10ms via 8.8.8.8:53
A+
Redirect Chain
No redirects — direct access
PASS
No redirects — direct access
Info::
No redirects — direct access
Got: https://stackoverflow.com/users/login

https://stackoverflow.com/users/login

72 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://stackoverflow.com/users/login20072 msHTTP/1.1cloudflare
A+
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
PASS
www/non-www, trailing slash, HTTP→HTTPS
Info::
www/non-www redirect configured correctly (preferred: non-www)
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

302https://www.stackoverflow.com/users/login
200https://stackoverflow.com/users/login

Preferred variant: non-www

Trailing Slash

307https://stackoverflow.com/users/login/
200https://stackoverflow.com/users/login

HTTP → HTTPS

301http://stackoverflow.com/users/login https://stackoverflow.com/users/login

Consistent

A+
Domain Intelligence
stackoverflow.com — via CSC Corporate Domains, Inc., 22 years, 8 months old, hosted on Cloudflare
PASS
stackoverflow.com — via CSC Corporate Domains, Inc., 22 years, 8 months old, hosted on Cloudflare
Info::
Domain registered until Feb 2, 2027 (8 months remaining)
Info::
DNSSEC is not enabled
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Info::
Registrar: CSC Corporate Domains, Inc.
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Info::
Hosting: Cloudflare
Got: AS13335
Domain expiry

260 days

February 2, 2027

SSL certificate

70 days

Issued by Let's Encrypt

Domain age

22 years, 8 months

Registered December 26, 2003

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

Cloudflare

ASN AS13335

198.252.206.1

Registrar

CSC Corporate Domains, Inc.

Unlocked 2 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
  • Enable DNSSEC to protect visitors from DNS spoofing
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar CSC Corporate Domains, Inc.
Created December 26, 2003 (22 years, 8 months ago)
Expires February 2, 2027 (8 months)
Last Updated January 29, 2026
Name Servers damian.ns.cloudflare.com, sureena.ns.cloudflare.com
DNSSEC Not enabled
Hosting
IP Address 198.252.206.1
ASN AS13335 (CLOUDFLARENET - Cloudflare, Inc., US)
Provider Cloudflare
Data source: rdap (0.7s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A+
HTTP Probe Timing
Total 79 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
PASS
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
3 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
1 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
6 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
78 ms
Total Time Total request time from DNS lookup through full response.
79 ms

Connection waterfall

DNS Lookup 3 ms TCP Connect 1 ms TLS Handshake 6 ms Server Processing 67 ms Content Transfer 2 ms
A
CDN & Delivery
Cloudflare (DYNAMIC)
PASS
Cloudflare (DYNAMIC)
Info::
Site is served via Cloudflare CDN (edge: EWR)
Got: cf-ray: 9f8fe34dead47d8a-EWR
Info::
CDN cache status: DYNAMIC
CDN Detected: Cloudflare
Provider Cloudflare Cache Status DYNAMIC Evidence cf-ray: 9f8fe34dead47d8a-EWR
A+
CDN Cache Observability
Cache state: DYNAMIC
PASS
Cache state: DYNAMIC
Info::
CDN cache state observable via 1 header(s)
Got: cf-cache-status=DYNAMIC
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback