https://yoast.com
Infrastructure
· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.SCORE
93
GRADE
A
FIX
0
REVIEW
6
PASS
11
INFO
0
Probed from Singapore, Singapore
429 Too Many Requests
Checks
1711 PASS 6 REVIEW
CReverse DNSAction0/4 IPs match cert SANREVIEW
Reverse DNS
Action0/4 IPs match cert SAN
0/4 IPs match cert SAN
Info::
PTR lookup failed for 172.64.155.6: lookup 172.64.155.6: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 104.18.32.250: lookup 104.18.32.250: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 2a06:98c1:3100::6812:20fa: lookup 2a06:98c1:3100::6812:20fa: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 2606:4700:440c::ac40:9b06: lookup 2606:4700:440c::ac40:9b06: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
BCrawlabilityno robots.txt, no sitemapREVIEW
Crawlability
no robots.txt, no sitemap
no robots.txt, no sitemap
Info::
No robots.txt found
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Info::
No sitemap.xml found
A sitemap helps search engines discover and index your pages more efficiently.
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Why this matters
No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.
Learn more ▾ ▴
A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.
Source: robotstxt.org
A sitemap helps search engines discover and index your pages more efficiently.
Why this matters
No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.
Learn more ▾ ▴
A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.
Source: sitemaps.org / Google Search Central
robots.txt No robots.txt found
No robots.txt found
This is fine for most sites — a missing robots.txt allows all crawling by default.
sitemap.xml No sitemap found
No sitemap found
Adding a sitemap helps search engines discover your pages.
BCDN & DeliveryCloudflareREVIEW
CDN & Delivery
Cloudflare
Cloudflare
Info::
Site is served via Cloudflare CDN (edge: SIN)
Got: cf-ray: 9f8f8359eb150b95-SIN
CDN Detected: Cloudflare
Provider Cloudflare Evidence cf-ray: 9f8f8359eb150b95-SIN
BCDN Cache ObservabilityNo CDN cache-status headers in the responseREVIEW
CDN Cache Observability
No CDN cache-status headers in the response
No CDN cache-status headers in the response
Info::
No CDN cache-status headers in the response
Without an X-Cache / CF-Cache-Status / X-Vercel-Cache / Age header, you can't tell from outside whether a request hit the cache or went to origin. Operationally important: enables debugging stale-content reports and verifying cache rules. Most managed CDN platforms emit at least one of these by default; absence often means the platform's diagnostic headers are stripped at an upstream proxy.
BOperational Status PageNo status page link detectedREVIEW
Operational Status Page
No status page link detected
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
BHealth Check EndpointNo conventional health endpoint foundREVIEW
Health Check Endpoint
No conventional health endpoint found
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 429, /health: 429, /healthz: 429, /ping: 429, /status: 429.
A+DNS Records2 A records, 13 ms lookupPASS
DNS Records
2 A records, 13 ms lookup
2 A records, 13 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 172.64.155.6, 104.18.32.250
Info::
Has 2 IPv6 (AAAA) record(s)
Got: 2a06:98c1:3100::6812:20fa, 2606:4700:440c::ac40:9b06
Info::
2 nameserver(s) configured
Got: noah.ns.cloudflare.com, michelle.ns.cloudflare.com
Info::
1 mail exchanger(s) configured
Info::
SPF record present in TXT
Info::
DNS resolution time: 13 ms
Got: 13 ms
| A | 172.64.155.6, 104.18.32.250 |
| AAAA | 2a06:98c1:3100::6812:20fa, 2606:4700:440c::ac40:9b06 |
| CNAME | — |
| NS | noah.ns.cloudflare.com, michelle.ns.cloudflare.com |
| MX | 1 yoast-com.mail.protection.outlook.com |
| TXT | MS=ms78685604 Z3qBVG59qHmN9/lxOB6rZvFnW07XoQpUr1m3NNidUTs= openai-domain-verification=dv-QVbniSWRe6FPSCd8XMkPSfGK facebook-domain-verification=86uvc5980643pknxh7zh6ubsch1be3 google-site-verification=5fk1rgHgsRBL4zF9J22BTHatklicABBD2u9PiYjG29c google-site-verification=UIM9RxPitiw_QZ6DWa-DJrgiL6xN6B8qtwTT1TzRy3k google-site-verification=VH2W1c57ncgMkRuSXwDjXWG4M6TLQNcFK0VmWsF9uyE google-site-verification=ZeQqi72uJEHU2igUGGYFqyBusMuawaAuaqzTkGO3CvQ google-site-verification=m3RQqR4eW1BsnuoNhE4cC5in3LK9H9DKv_iwhoDjEwM google-site-verification=nsTjyg2Yxp4qMZwjzE9c880aGsdXyuTVSausZY76PWs google-site-verification=omOoCAQCaPA-sw2aR2DaVaBkYf929VYJTAwOzOHFFUc google-site-verification=pokWAvijRJd6ZVb3f8xkmyJa2yyptsoMj_bqQQGY7Cc google-site-verification=vg7XQpZ7Jx981kNJlyCONodaJ1FDFvpfF3ZnMJylelQ prowly-verification=d23b5db23f86c15e0d50137c6a5fd56e4ed19210d865f4346487126e0a64... SPF v=spf1 include:_spf.google.com include:spf.mtasv.net include:helpscoutemail.com ... |
| CAA | Lookup not available with standard resolver |
Resolved in 13 ms
A+Subdomain TakeoverNo subdomain takeover risk detectedPASS
Subdomain Takeover
No subdomain takeover risk detected
No subdomain takeover risk detected
Info::
No CNAME record present
A+DNSSECSigned and validatingPASS
DNSSEC
Signed and validating
Signed and validating
Info::
DNSSEC fully signed and chain validates (ECDSAP256SHA256)
ACAA Recordsissue: comodoca.com, digicert.com, globalsign.com, letsencrypt.org, pki.goog | issuewild: comodoca.com, digicert.com, globalsign.com, letsencrypt.orgPASS
CAA Records
issue: comodoca.com, digicert.com, globalsign.com, letsencrypt.org, pki.goog | issuewild: comodoca.com, digicert.com, globalsign.com, letsencrypt.org
issue: comodoca.com, digicert.com, globalsign.com, letsencrypt.org, pki.goog | issuewild: comodoca.com, digicert.com, globalsign.com, letsencrypt.org
Info::
CAA issue tag present — authorized CA(s): comodoca.com, digicert.com, globalsign.com, letsencrypt.org, pki.goog
Info::
No CAA iodef tag — won't be notified of failed issuance attempts
Add `0 iodef "mailto:security@example.com"` to receive notifications when a CA refuses issuance because it doesn't match your CAA policy. Useful signal for detecting issuance attempts by unauthorized CAs.
A+Multi-Resolver DNS SpeedMean 6ms across 3 resolvers (spread 5ms)PASS
Multi-Resolver DNS Speed
Mean 6ms across 3 resolvers (spread 5ms)
Mean 6ms across 3 resolvers (spread 5ms)
Info::
Cloudflare: 4ms
Got: 4ms via 1.1.1.1:53
Info::
Quad9: 6ms
Got: 6ms via 9.9.9.9:53
Info::
Google: 9ms
Got: 9ms via 8.8.8.8:53
A+Redirect Chain0 redirect(s), 23 ms totalPASS
Redirect Chain
0 redirect(s), 23 ms total
0 redirect(s), 23 ms total
https://yoast.com
23 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://yoast.com | 429 | 23 ms | HTTP/1.1 | cloudflare |
A+IPv6 ReadinessIPv6 reachable (2 ms)PASS
IPv6 Readiness
IPv6 reachable (2 ms)
IPv6 reachable (2 ms)
Info::
IPv6 is configured and reachable at 2a06:98c1:3100::6812:20fa, 2606:4700:440c::ac40:9b06
Got: 2 ms connect
IPv6 Ready
AAAA Records 2a06:98c1:3100::6812:20fa, 2606:4700:440c::ac40:9b06 Connection Reachable (2 ms)
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
www/non-www, trailing slash, HTTP→HTTPS
Info::
www/non-www redirect configured correctly (preferred: non-www)
Info::
HTTP correctly 301-redirects to HTTPS
www / non-www
301https://www.yoast.com/
200https://yoast.com/
Preferred variant: non-www
HTTP → HTTPS
301http://yoast.com/ → https://yoast.com/
Consistent
A+Domain Intelligenceyoast.com — via NameCheap, Inc., 26 years, 6 months oldPASS
Domain Intelligence
yoast.com — via NameCheap, Inc., 26 years, 6 months old
yoast.com — via NameCheap, Inc., 26 years, 6 months old
Info::
Domain registered until Mar 22, 2027 (10 months remaining)
Info::
DNSSEC is enabled
Info::
Registrar: NameCheap, Inc.
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Domain expiry
311 days
March 22, 2027
SSL certificate
73 days
Issued by Google Trust Services
Domain age
26 years, 6 months
Registered March 22, 2000
DNSSEC
Enabled
Protects against DNS spoofing
Hosting
Unknown
2a06:98c1:3100::6812:20fa
Registrar
NameCheap, Inc.
Unlocked 2 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar NameCheap, Inc.
Created March 22, 2000 (26 years, 6 months ago)
Expires March 22, 2027 (10 months)
Last Updated February 20, 2026
Name Servers michelle.ns.cloudflare.com, noah.ns.cloudflare.com
DNSSEC Enabled
Hosting
IP Address 2a06:98c1:3100::6812:20fa
Data source: rdap (0.0s)
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Why this matters
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice
A+HTTP Probe TimingTotal 24 ms — DNS, TCP, TLS, TTFB, content transfer breakdownPASS
HTTP Probe Timing
Total 24 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
3 msTCP Connect TCP Connect — time to establish a TCP connection to the server.
1 msTLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
9 msTime to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
24 msTotal Time Total request time from DNS lookup through full response.
24 msConnection waterfall
DNS Lookup 3 ms TCP Connect 1 ms TLS Handshake 9 ms Server Processing 10 ms Content Transfer 0 ms
A+TLS Certificate Expiry & Recommendations73 days until leaf cert expiresPASS
TLS Certificate Expiry & Recommendations
73 days until leaf cert expires
Certificate validity
73
days left
0d 30d 60d 90d+
Recommended actions
No action required — TLS configuration looks healthy.
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.