Infrastructure

· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.

SCORE

GRADE

FIX

REVIEW

PASS

INFO

Probed from Amsterdam, Netherlands

301 Moved Permanently

Checks

3 PASS 4 REVIEW 2 FIX

IPv6 Readiness

Action

IPv6 records exist but unreachable

FIX

IPv6 records exist but unreachable

IPv6 DNS records exist but server is not reachable

Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.

Got: 2001:df0:2b7:1100:300:0:2000:26

IPv6 connection error

Got: dial tcp6 [2001:df0:2b7:1100:300:0:2000:26]:443: connect: no route to host

IPv6 Misconfigured

AAAA Records 2001:df0:2b7:1100:300:0:2000:26 Connection UNREACHABLE

Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.

Why this matters

Advertising IPv6 (AAAA records) without a reachable server means IPv6-preferring clients silently fail every connection.

Learn more ▾

Modern browsers prefer IPv6 if AAAA exists (Happy Eyeballs algorithm). If the IPv6 server isn't reachable, browsers fall back to IPv4 — but with seconds of added latency per request. Either fix IPv6 reachability or remove the AAAA records.

Source: RFC 8305 (Happy Eyeballs)

CDN & Delivery

Action

No CDN detected

FIX

No CDN detected

A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

Redirect Chain

0 redirect(s), 1094 ms total

REVIEW

0 redirect(s), 1094 ms total

Redirect overhead: 1094 ms total

Got: 1094 ms

https://health.gov.au

1094 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://health.gov.au	301	1094 ms	HTTP/1.1

Crawlability

no robots.txt, no sitemap

REVIEW

no robots.txt, no sitemap

No robots.txt found

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

No sitemap.xml found

A sitemap helps search engines discover and index your pages more efficiently.

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

Why this matters

No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.

Learn more ▾

A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.

Source: robotstxt.org

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more ▾

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

robots.txt No robots.txt found

No robots.txt found

This is fine for most sites — a missing robots.txt allows all crawling by default.

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

HTTP Probe Timing

Action

Total 1614 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

REVIEW

DNS Lookup

785 ms

TCP Connect

274 ms

TLS Handshake

282 ms

Time to First Byte

1.61 s

Total Time

1.61 s

Connection waterfall

DNS Lookup 785 ms TCP Connect 274 ms TLS Handshake 282 ms Server Processing 274 ms Content Transfer 0 ms

TLS Certificate Expiry & Recommendations

50 days until leaf cert expires — 4 issues to address

REVIEW

Certificate validity

days left

0d 30d 60d 90d+

Recommended actions

Add includeSubDomains to the HSTS directive
Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
Enable DNSSEC on your domain for DNS spoofing protection
Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy

DNS Records

3 A records, 1534 ms lookup

PASS

3 A records, 1534 ms lookup

Resolves to 3 IPv4 address(es)

Got: 13.236.242.190, 54.206.239.18, 54.252.75.26

Has 1 IPv6 (AAAA) record(s)

Got: 2001:df0:2b7:1100:300:0:2000:26

4 nameserver(s) configured

Got: dns1.sge.net, dns2.sge.net, dns3.sge.net, dns4.sge.net

1 mail exchanger(s) configured

CAA records not checked

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

SPF record present in TXT

DNS resolution is slow (1534 ms)

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Got: 1534 ms

A	13.236.242.190, 54.206.239.18, 54.252.75.26
AAAA	2001:df0:2b7:1100:300:0:2000:26
CNAME	—
NS	dns1.sge.net, dns2.sge.net, dns3.sge.net, dns4.sge.net
MX	10 health-in-132.sge.net
TXT	google-site-verification=pFoun80pA2aDOHQYZII5WSP2mV5kDfZxpaOEI8j940A Department of Health and Aged Care fW9ZbEMY dynatrace-site-verification=63d02827-c1cc-457f-83d3-2c5d1efd43c3__v2leik6vk6g4k8... MS=ms56016682 xBwsB32UPIBaw1hlICmHtgcBtm6aXymkKxHa2NcDYT0odvsfg3zUJi0uXliW42bzjw0TJqdhbcZVDZzQ... adobe-idp-site-verification=194dba71-45b0-46cc-9164-681c527ed912 cisco-ci-domain-verification=11b3ccdf38fe299c4d2502e6b1256610ccecfeb28550d7922e8... SPF v=spf1 ip4:103.140.58.0/26 ip4:167.89.43.190/32 ip4:159.183.181.113/32 include:h... amazonses:/A1rr2+85aNGAHhZ1YJj2rjFDCwdpcp5xXeZxy+yQpY= amazonses:vmQh4j2JErA7LKLrxqj9aMcsAa7qf6CBTXHav2UO2qI= amazonses:ZyCJdl2LLqvAN/Wt3Kv1WXOxvLNWo1rR2Eb+Pq+fS6U= amazonses:OXikGMnz9REJ5XdW3yoeL4xPqTSLvRb+ETR9fcWKWTw= amazonses:hS4lPYfN7MpOx4rjBjHrvaIq/4h4HcaZLAm5ihBSjAo= amazonses:Yoqkfwe0tvW+Hd/yHFs6TW/4QMk69myuTu4malRoaPc= apple-domain-verification=9XrYtzs8ENTcBffe vmware-cloud-verification-004f9e97-384d-4a56-bcf7-b725a954cee6 cloudhealth=d40f2067-db52-4f8c-8fee-0ae9f3d1b6a3 miro-verification=237ac25e1186edbba745464c5f5e7d307376e7b0 13/09/2023 heyhack-verification=d9aa27c7-3107-4fb5-b07a-d4745ba0dadd zscaler-verification-/223807-06102025-ppr5Xv0AQ0
CAA	Lookup not available with standard resolver

Resolved in 1534 ms

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Why this matters

DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.

Source: DNS performance benchmarks

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

HTTP→HTTPS redirect uses 302 instead of 301

Got: 302 temporary redirect Expected: 301 permanent redirect

www / non-www

https://www.health.gov.au/

200https://health.gov.au/

HTTP → HTTPS

308http://health.gov.au/ → https://health.gov.au

Use 301 (permanent) instead of 302 (temporary)

A+

Domain Intelligence

health.gov.au — via Department of Finance

PASS

health.gov.au — via Department of Finance

DNSSEC is not enabled

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Registrar: Department of Finance

Registrar lock is NOT enabled

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Domain expiry

Unknown

SSL certificate

50 days

Issued by Let's Encrypt

Domain age

Unknown

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

Unknown

2001:df0:2b7:1100:300:0:2000:26

Registrar

Department of Finance

Unlocked 4 NS records

Expiry timeline

Today

+1 year

SSL expiry Danger zone (≤30 days)

Recommended actions

Enable DNSSEC to protect visitors from DNS spoofing
Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers

Registrar Department of Finance

Last Updated April 6, 2026

Name Servers dns1.sge.net, dns2.sge.net, dns3.sge.net, dns4.sge.net

DNSSEC Not enabled

Hosting

IP Address 2001:df0:2b7:1100:300:0:2000:26

Data source: rdap (1.4s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more ▾

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more ▾

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.