Skip to content
https://benefit-estimator.netlify.app

Infrastructure

· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
90
GRADE
A
FIX
1
REVIEW
9
PASS
6
INFO
1
Probed from Madrid, Spain
500 Internal Server Error
Checks
17
6 PASS 9 REVIEW 1 FIX
F
HTTP Probe Timing
Action
Total 3096 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
FIX
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
29 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
33 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
34 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
3.10 s
Total Time Total request time from DNS lookup through full response.
3.10 s

Connection waterfall

DNS Lookup 29 ms TCP Connect 33 ms TLS Handshake 34 ms Server Processing 3.00 s Content Transfer 0 ms
B
DNSSEC
Unsigned (DNSSEC not deployed)
REVIEW
Unsigned (DNSSEC not deployed)
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
B
CAA Records
No CAA records (any CA may issue certificates)
REVIEW
No CAA records (any CA may issue certificates)
Info::
No CAA records published
Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.
B
Reverse DNS
0/4 IPs match cert SAN
REVIEW
0/4 IPs match cert SAN
Info::
PTR for 63.176.8.218 does not match any cert SAN: ec2-63-176-8-218.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 35.157.26.135 does not match any cert SAN: ec2-35-157-26-135.eu-central-1.compute.amazonaws.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR lookup failed for 2a05:d014:58f:6200::258: lookup 2a05:d014:58f:6200::258: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
Info::
PTR lookup failed for 2a05:d014:58f:6200::259: lookup 2a05:d014:58f:6200::259: no such host
No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.
B
Crawlability
no robots.txt, no sitemap
REVIEW
no robots.txt, no sitemap
Info::
No robots.txt found
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
Info::
No sitemap.xml found
A sitemap helps search engines discover and index your pages more efficiently.

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

Why this matters

No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.

Learn more

A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.

Source: robotstxt.org

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

robots.txt No robots.txt found

No robots.txt found

This is fine for most sites — a missing robots.txt allows all crawling by default.

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

B
TLS Certificate Expiry & Recommendations
309 days until leaf cert expires — 2 issues to address
REVIEW

Certificate validity

309
days left
0d 30d 60d 90d+

Recommended actions

  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
B
CDN & Delivery
Netlify
REVIEW
Netlify
Info::
Site is served via Netlify CDN
Got: x-nf-request-id: 01KRK00RXA7CYQDFPGXBWJQ5EX
CDN Detected: Netlify
Provider Netlify Evidence x-nf-request-id: 01KRK00RXA7CYQDFPGXBWJQ5EX
B
CDN Cache Observability
No CDN cache-status headers in the response
REVIEW
No CDN cache-status headers in the response
Info::
No CDN cache-status headers in the response
Without an X-Cache / CF-Cache-Status / X-Vercel-Cache / Age header, you can't tell from outside whether a request hit the cache or went to origin. Operationally important: enables debugging stale-content reports and verifying cache rules. Most managed CDN platforms emit at least one of these by default; absence often means the platform's diagnostic headers are stripped at an upstream proxy.
B
Operational Status Page
No status page link detected
REVIEW
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
B
Health Check Endpoint
No conventional health endpoint found
REVIEW
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
A
DNS Records
2 A records, 29 ms lookup
PASS
2 A records, 29 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 63.176.8.218, 35.157.26.135
Info::
Has 2 IPv6 (AAAA) record(s)
Got: 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259
Info::
No NS records found
Info::
No MX records — email not configured via DNS
Info::
No SPF record found in TXT records
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Info::
DNS resolution time: 29 ms
Got: 29 ms
A63.176.8.218, 35.157.26.135
AAAA2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259
CNAME
NS
MX
TXT
CAALookup not available with standard resolver
Resolved in 29 ms

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

A+
Subdomain Takeover
No subdomain takeover risk detected
PASS
No subdomain takeover risk detected
Info::
No CNAME record present
A+
Multi-Resolver DNS Speed
Mean 20ms across 3 resolvers (spread 10ms)
PASS
Mean 20ms across 3 resolvers (spread 10ms)
Info::
Quad9: 16ms
Got: 16ms via 9.9.9.9:53
Info::
Cloudflare: 20ms
Got: 20ms via 1.1.1.1:53
Info::
Google: 26ms
Got: 26ms via 8.8.8.8:53
A+
Redirect Chain
No redirects — direct access
PASS
No redirects — direct access
Info::
No redirects — direct access
Got: https://benefit-estimator.netlify.app

https://benefit-estimator.netlify.app

314 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://benefit-estimator.netlify.app200314 msHTTP/1.1Netlify
A+
IPv6 Readiness
IPv6 reachable (33 ms)
PASS
IPv6 reachable (33 ms)
Info::
IPv6 is configured and reachable at 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259
Got: 33 ms connect
IPv6 Ready
AAAA Records 2a05:d014:58f:6200::258, 2a05:d014:58f:6200::259 Connection Reachable (33 ms)
A+
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
PASS
www/non-www, trailing slash, HTTP→HTTPS
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

https://www.benefit-estimator.netlify.app/
200https://benefit-estimator.netlify.app/

HTTP → HTTPS

301http://benefit-estimator.netlify.app/ https://benefit-estimator.netlify.app/

Consistent

Domain Intelligence
Domain intelligence data not available
INFO
Domain intelligence data not available

RDAP and WHOIS lookup both failed

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback