https://benefit-estimator.netlify.app
Infrastructure
· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.SCORE
90
GRADE
A
FIX
0
REVIEW
9
PASS
7
INFO
1
Probed from Madrid, Spain
200 OK
Checks
177 PASS 9 REVIEW
BDNSSECUnsigned (DNSSEC not deployed)REVIEW
DNSSEC
Unsigned (DNSSEC not deployed)
Unsigned (DNSSEC not deployed)
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
BCAA RecordsNo CAA records (any CA may issue certificates)REVIEW
CAA Records
No CAA records (any CA may issue certificates)
No CAA records (any CA may issue certificates)
Info::
No CAA records published
Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.
BReverse DNS0/4 IPs match cert SANREVIEW
Reverse DNS
0/4 IPs match cert SAN
0/4 IPs match cert SAN
Info::
PTR for 35.157.26.135 does not match any cert SAN: ec2-35-157-26-135.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 63.176.8.218 does not match any cert SAN: ec2-63-176-8-218.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR lookup failed for 2a05:d014:58f:6200::259: lookup 2a05:d014:58f:6200::259: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 2a05:d014:58f:6200::258: lookup 2a05:d014:58f:6200::258: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
BCrawlabilityno robots.txt, no sitemapREVIEW
Crawlability
no robots.txt, no sitemap
no robots.txt, no sitemap
Info::
No robots.txt found
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Info::
No sitemap.xml found
A sitemap helps search engines discover and index your pages more efficiently.
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Why this matters
No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.
Learn more ▾ ▴
A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.
Source: robotstxt.org
A sitemap helps search engines discover and index your pages more efficiently.
Why this matters
No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.
Learn more ▾ ▴
A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.
Source: sitemaps.org / Google Search Central
robots.txt No robots.txt found
No robots.txt found
This is fine for most sites — a missing robots.txt allows all crawling by default.
sitemap.xml No sitemap found
No sitemap found
Adding a sitemap helps search engines discover your pages.
BHTTP Probe TimingTotal 1068 ms — DNS, TCP, TLS, TTFB, content transfer breakdownREVIEW
HTTP Probe Timing
Total 1068 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
31 msTCP Connect TCP Connect — time to establish a TCP connection to the server.
33 msTLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
33 msTime to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
864 msTotal Time Total request time from DNS lookup through full response.
1.07 sConnection waterfall
DNS Lookup 31 ms TCP Connect 33 ms TLS Handshake 33 ms Server Processing 767 ms Content Transfer 204 ms
BTLS Certificate Expiry & Recommendations313 days until leaf cert expires — 2 issues to addressREVIEW
TLS Certificate Expiry & Recommendations
313 days until leaf cert expires — 2 issues to address
Certificate validity
313
days left
0d 30d 60d 90d+
Recommended actions
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryNetlifyREVIEW
CDN & Delivery
Netlify
Netlify
Info::
Site is served via Netlify CDN
Got: x-nf-request-id: 01KR94FQWZN3CS5YG0CX7GRAF7
CDN Detected: Netlify
Provider Netlify Evidence x-nf-request-id: 01KR94FQWZN3CS5YG0CX7GRAF7
BOperational Status PageNo status page link detectedREVIEW
Operational Status Page
No status page link detected
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
BHealth Check EndpointNo conventional health endpoint foundREVIEW
Health Check Endpoint
No conventional health endpoint found
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
ADNS Records2 A records, 29 ms lookupPASS
DNS Records
2 A records, 29 ms lookup
2 A records, 29 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 35.157.26.135, 63.176.8.218
Info::
Has 2 IPv6 (AAAA) record(s)
Got: 2a05:d014:58f:6200::259, 2a05:d014:58f:6200::258
Info::
No NS records found
Info::
No MX records — email not configured via DNS
Info::
No SPF record found in TXT records
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Info::
DNS resolution time: 29 ms
Got: 29 ms
| A | 35.157.26.135, 63.176.8.218 |
| AAAA | 2a05:d014:58f:6200::259, 2a05:d014:58f:6200::258 |
| CNAME | — |
| NS | — |
| MX | — |
| TXT | — |
| CAA | Lookup not available with standard resolver |
Resolved in 29 ms
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Why this matters
Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.
Learn more ▾ ▴
SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.
Source: RFC 7208 (SPF)
A+Subdomain TakeoverNo subdomain takeover risk detectedPASS
Subdomain Takeover
No subdomain takeover risk detected
No subdomain takeover risk detected
Info::
No CNAME record present
A+Multi-Resolver DNS SpeedMean 20ms across 3 resolvers (spread 10ms)PASS
Multi-Resolver DNS Speed
Mean 20ms across 3 resolvers (spread 10ms)
Mean 20ms across 3 resolvers (spread 10ms)
Info::
Quad9: 17ms
Got: 17ms via 9.9.9.9:53
Info::
Cloudflare: 18ms
Got: 18ms via 1.1.1.1:53
Info::
Google: 27ms
Got: 27ms via 8.8.8.8:53
A+Redirect ChainNo redirects — direct accessPASS
Redirect Chain
No redirects — direct access
No redirects — direct access
Info::
No redirects — direct access
Got: https://benefit-estimator.netlify.app
https://benefit-estimator.netlify.app
101 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://benefit-estimator.netlify.app | 200 | 101 ms | HTTP/1.1 | Netlify |
A+IPv6 ReadinessIPv6 reachable (34 ms)PASS
IPv6 Readiness
IPv6 reachable (34 ms)
IPv6 reachable (34 ms)
Info::
IPv6 is configured and reachable at 2a05:d014:58f:6200::259, 2a05:d014:58f:6200::258
Got: 34 ms connect
IPv6 Ready
AAAA Records 2a05:d014:58f:6200::259, 2a05:d014:58f:6200::258 Connection Reachable (34 ms)
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
www/non-www, trailing slash, HTTP→HTTPS
Info::
HTTP correctly 301-redirects to HTTPS
www / non-www
https://www.benefit-estimator.netlify.app/
200https://benefit-estimator.netlify.app/
HTTP → HTTPS
301http://benefit-estimator.netlify.app/ → https://benefit-estimator.netlify.app/
Consistent
A+CDN Cache ObservabilityCache state: Age=1sPASS
CDN Cache Observability
Cache state: Age=1s
Cache state: Age=1s
Info::
CDN cache state observable via 1 header(s)
Got: age=1
Domain IntelligenceDomain intelligence data not availableINFO
Domain Intelligence
Domain intelligence data not available
Domain intelligence data not available
RDAP and WHOIS lookup both failed
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.