https://benefit-estimator.netlify.app
Infrastructure
· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.SCORE
90
GRADE
A
FIX
0
REVIEW
8
PASS
8
INFO
1
Probed from Madrid, Spain
200 OK
Checks
178 PASS 8 REVIEW
BDNSSECUnsigned (DNSSEC not deployed)REVIEW
DNSSEC
Unsigned (DNSSEC not deployed)
Unsigned (DNSSEC not deployed)
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
BCAA RecordsNo CAA records (any CA may issue certificates)REVIEW
CAA Records
No CAA records (any CA may issue certificates)
No CAA records (any CA may issue certificates)
Info::
No CAA records published
Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.
BReverse DNS0/4 IPs match cert SANREVIEW
Reverse DNS
0/4 IPs match cert SAN
0/4 IPs match cert SAN
Info::
PTR for 35.157.26.135 does not match any cert SAN: ec2-35-157-26-135.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 63.176.8.218 does not match any cert SAN: ec2-63-176-8-218.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR lookup failed for 2a05:d014:58f:6200::258: lookup 2a05:d014:58f:6200::258: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 2a05:d014:58f:6200::259: lookup 2a05:d014:58f:6200::259: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
BCrawlabilityno robots.txt, no sitemapREVIEW
Crawlability
no robots.txt, no sitemap
no robots.txt, no sitemap
Info::
No robots.txt found
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Info::
No sitemap.xml found
A sitemap helps search engines discover and index your pages more efficiently.
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Why this matters
No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.
Learn more ▾ ▴
A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.
Source: robotstxt.org
A sitemap helps search engines discover and index your pages more efficiently.
Why this matters
No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.
Learn more ▾ ▴
A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.
Source: sitemaps.org / Google Search Central
robots.txt No robots.txt found
No robots.txt found
This is fine for most sites — a missing robots.txt allows all crawling by default.
sitemap.xml No sitemap found
No sitemap found
Adding a sitemap helps search engines discover your pages.
BTLS Certificate Expiry & Recommendations312 days until leaf cert expires — 2 issues to addressREVIEW
TLS Certificate Expiry & Recommendations
312 days until leaf cert expires — 2 issues to address
Certificate validity
312
days left
0d 30d 60d 90d+
Recommended actions
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryNetlifyREVIEW
CDN & Delivery
Netlify
Netlify
Info::
Site is served via Netlify CDN
Got: x-nf-request-id: 01KRAZC77FPM7SWB5GY9AQ5EXR
CDN Detected: Netlify
Provider Netlify Evidence x-nf-request-id: 01KRAZC77FPM7SWB5GY9AQ5EXR
BOperational Status PageNo status page link detectedREVIEW
Operational Status Page
No status page link detected
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
BHealth Check EndpointNo conventional health endpoint foundREVIEW
Health Check Endpoint
No conventional health endpoint found
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
ADNS Records2 A records, 31 ms lookupPASS
DNS Records
2 A records, 31 ms lookup
2 A records, 31 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 35.157.26.135, 63.176.8.218
Info::
Has 2 IPv6 (AAAA) record(s)
Got: 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259
Info::
No NS records found
Info::
No MX records — email not configured via DNS
Info::
No SPF record found in TXT records
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Info::
DNS resolution time: 31 ms
Got: 31 ms
| A | 35.157.26.135, 63.176.8.218 |
| AAAA | 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259 |
| CNAME | — |
| NS | — |
| MX | — |
| TXT | — |
| CAA | Lookup not available with standard resolver |
Resolved in 31 ms
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Why this matters
Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.
Learn more ▾ ▴
SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.
Source: RFC 7208 (SPF)
A+Subdomain TakeoverNo subdomain takeover risk detectedPASS
Subdomain Takeover
No subdomain takeover risk detected
No subdomain takeover risk detected
Info::
No CNAME record present
A+Multi-Resolver DNS SpeedMean 21ms across 3 resolvers (spread 12ms)PASS
Multi-Resolver DNS Speed
Mean 21ms across 3 resolvers (spread 12ms)
Mean 21ms across 3 resolvers (spread 12ms)
Info::
Quad9: 16ms
Got: 16ms via 9.9.9.9:53
Info::
Cloudflare: 19ms
Got: 19ms via 1.1.1.1:53
Info::
Google: 28ms
Got: 28ms via 8.8.8.8:53
A+Redirect ChainNo redirects — direct accessPASS
Redirect Chain
No redirects — direct access
No redirects — direct access
Info::
No redirects — direct access
Got: https://benefit-estimator.netlify.app
https://benefit-estimator.netlify.app
88 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://benefit-estimator.netlify.app | 200 | 88 ms | HTTP/1.1 | Netlify |
A+IPv6 ReadinessIPv6 reachable (29 ms)PASS
IPv6 Readiness
IPv6 reachable (29 ms)
IPv6 reachable (29 ms)
Info::
IPv6 is configured and reachable at 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259
Got: 29 ms connect
IPv6 Ready
AAAA Records 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259 Connection Reachable (29 ms)
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
www/non-www, trailing slash, HTTP→HTTPS
Info::
HTTP correctly 301-redirects to HTTPS
www / non-www
https://www.benefit-estimator.netlify.app/
200https://benefit-estimator.netlify.app/
HTTP → HTTPS
301http://benefit-estimator.netlify.app/ → https://benefit-estimator.netlify.app/
Consistent
AHTTP Probe TimingTotal 547 ms — DNS, TCP, TLS, TTFB, content transfer breakdownPASS
HTTP Probe Timing
Total 547 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
35 msTCP Connect TCP Connect — time to establish a TCP connection to the server.
29 msTLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
29 msTime to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
340 msTotal Time Total request time from DNS lookup through full response.
547 msConnection waterfall
DNS Lookup 35 ms TCP Connect 29 ms TLS Handshake 29 ms Server Processing 246 ms Content Transfer 207 ms
A+CDN Cache ObservabilityCache state: fresh (Age=0)PASS
CDN Cache Observability
Cache state: fresh (Age=0)
Cache state: fresh (Age=0)
Info::
CDN cache state observable via 1 header(s)
Got: age=0
Domain IntelligenceDomain intelligence data not availableINFO
Domain Intelligence
Domain intelligence data not available
Domain intelligence data not available
RDAP and WHOIS lookup both failed
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.