Infrastructure - https://e621.net BeaverCheck Audit

B

CAA Records

No CAA records (any CA may issue certificates)

REVIEW

No CAA records (any CA may issue certificates)

No CAA records published

Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.

C

Reverse DNS

Action

0/4 IPs match cert SAN

REVIEW

0/4 IPs match cert SAN

PTR lookup failed for 172.66.160.235: lookup 172.66.160.235: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 104.20.31.112: lookup 104.20.31.112: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2606:4700:10::ac42:a0eb: lookup 2606:4700:10::ac42:a0eb: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2606:4700:10::6814:1f70: lookup 2606:4700:10::6814:1f70: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

B

Crawlability

robots.txt present, no sitemap

REVIEW

robots.txt present, no sitemap

robots.txt is present

Got: 2366 bytes

No sitemap.xml found

A sitemap helps search engines discover and index your pages more efficiently.

robots.txt does not reference a sitemap

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more ▾

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

Why this matters

robots.txt omits Sitemap: directive — crawlers must fetch /sitemap.xml by convention; reliable but missing the explicit hint.

Source: sitemaps.org

robots.txt 200 OK

Size 2366 B Sitemaps referenced 0 User-agents Yandex, magpie-crawler, AhrefsBot, MJ12bot, HTTrack, Slurp, Baiduspider, SemrushBot, SemrushBot-SA, *, dotbot, coccocbot-web, BLEXBot Blocking No — crawling allowed

User-agent: *
Crawl-delay: 1
Disallow: /admin
Disallow: /advertisements
Disallow: /artists
Disallow: /artist_commentaries
Disallow: /artist_commentary_versions
Disallow: /artist_versions
Disallow: /avoid_postings
Disallow: /avoid_posting_versions
Disallow: /bans
Disallow: /comment_votes
Disallow: /comment/
Disallow: /comments
Disallow: /comments.atom
Disallow: /comments/*.atom
Disallow: /counts
Disallow: /data/
Disallow: /delayed_jobs
Disallow: /deleted_posts
Disallow: /dmails
Disallow: /explore
Disallow: /favorite
Disallow: /forum_topics.atom
Disallow: /forum_posts
Disallow: /forum_posts.atom
Disallow: /forum_topics/*.atom
Disallow: /forum_posts/*.atom
Disallow: /iqdb_queries
Disallow: /ip_bans
Disallow: /janitor_trials
Disallow: /maintenance
Disallow: /m/
Disallow: /mod_actions
Disallow: /moderator
Disallow: /news_updates
Disallow: /note_versions
Disallow: /notes
Disallow: /pool_elements
Disallow: /pool_orders
Disallow: /pool_versions
Disallow: /popular
Disallow: /post_appeals
Disallow: /post_flags
Disallow: /post_sets
Disallow: /post_versions
Disallow: /post_votes
Disallow: /post_events
Disallow: /post_replacements
Disallow: /post/
Disallow: /posts.atom
Disallow: /posts/random
Disallow: /posts/copy_notes
Disallow: /posts/revert
Disallow: /posts/show_seq
Disallow: /posts*?*tags=*
Disallow: /posts*?*q=*
Disallow: /posts*?*md5*
Disallow: /posts*?*limit*
Disallow: /posts*?*random*
Disallow: /posts*?*pool_id*
Disallow: /posts*?*post_set_id*
Disallow: /posts.json
Disallow: /posts.xml
Disallow: /posts/*/favorites
Disallow: /reports
Disallow: /session
Disallow: /sources
Disallow: /static
Disallow: /tag_alias_corrections
Disallow: /tag_alias_requests
Disallow: /tag_aliases
Disallow: /tag_corrections
Disallow: /tag_implication_requests
Disallow: /tag_implications
Disallow: /tags
Disallow: /tickets
Disallow: /takedowns
Disallow: /uploads
Disallow: /user_feedback
Disallow: /user/
Disallow: /users
Disallow: /wiki/
Disallow: /wiki_page_versions
Disallow: /wiki_pages*?*title=*
Disallow: /wiki_pages/new
Disallow: /wiki_pages/revert
Disallow: /wiki_pages/show_or_new

User-agent: MJ12bot
User-agent: dotbot
User-agent: coccocbot-web
User-agent: BLEXBot
User-agent: HTTrack
User-agent: Slurp
User-agent: Baiduspider
User-agent: Yandex
User-agent: magpie-crawler
User-agent: SemrushBot
User-agent: SemrushBot-SA
User-agent: AhrefsBot
Disallow: /

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

B

TLS Certificate Expiry & Recommendations

55 days until leaf cert expires — 2 issues to address

REVIEW

Certificate validity

55

days left

0d 30d 60d 90d+

Recommended actions

Extend HSTS max-age to at least 31536000 (1 year) to meet the preload list criteria
Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place

B

Operational Status Page

No status page link detected

REVIEW

No status page link detected

No operational status page link detected

Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.

B

Health Check Endpoint

No conventional health endpoint found

REVIEW

No conventional health endpoint found

Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: connection error, /health: connection error, /healthz: connection error, /ping: connection error, /status: connection error.

A+

DNS Records

2 A records, 31 ms lookup

PASS

2 A records, 31 ms lookup

Resolves to 2 IPv4 address(es)

Got: 172.66.160.235, 104.20.31.112

Has 2 IPv6 (AAAA) record(s)

Got: 2606:4700:10::ac42:a0eb, 2606:4700:10::6814:1f70

2 nameserver(s) configured

Got: dora.ns.cloudflare.com, jim.ns.cloudflare.com

5 mail exchanger(s) configured

SPF record present in TXT

DNS resolution time: 31 ms

Got: 31 ms

A	172.66.160.235, 104.20.31.112
AAAA	2606:4700:10::ac42:a0eb, 2606:4700:10::6814:1f70
CNAME	—
NS	dora.ns.cloudflare.com, jim.ns.cloudflare.com
MX	1 aspmx.l.google.com 5 alt2.aspmx.l.google.com 5 alt1.aspmx.l.google.com 10 alt3.aspmx.l.google.com 10 alt4.aspmx.l.google.com
TXT	SPF v=spf1 a mx include:mailgun.org include:_spf.google.com -all google-site-verification=qjbpkux4UDx9PCVym_KTlfPi1BuBn3NhTvfkbqLiviA google-site-verification=4Eft3hJTbdIkzOy_RrtvrtMgnhm_CnhCFnSjx05C47k
CAA	Lookup not available with standard resolver

Resolved in 31 ms

A+

Subdomain Takeover

No subdomain takeover risk detected

PASS

No subdomain takeover risk detected

No CNAME record present

A+

DNSSEC

Signed and validating

PASS

Signed and validating

DNSSEC fully signed and chain validates (ECDSAP256SHA256)

A+

Multi-Resolver DNS Speed

Mean 15ms across 3 resolvers (spread 28ms)

PASS

Mean 15ms across 3 resolvers (spread 28ms)

Quad9: 0ms

Got: 0ms via 9.9.9.9:53

Cloudflare: 17ms

Got: 17ms via 1.1.1.1:53

Google: 28ms

Got: 28ms via 8.8.8.8:53

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://e621.net

https://e621.net

531 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://e621.net	200	531 ms	HTTP/1.1	cloudflare

A+

IPv6 Readiness

IPv6 reachable (17 ms)

PASS

IPv6 reachable (17 ms)

IPv6 is configured and reachable at 2606:4700:10::ac42:a0eb, 2606:4700:10::6814:1f70

Got: 17 ms connect

IPv6 Ready

AAAA Records 2606:4700:10::ac42:a0eb, 2606:4700:10::6814:1f70 Connection Reachable (17 ms)

A+

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

www/non-www redirect configured correctly (preferred: non-www)

HTTP correctly 301-redirects to HTTPS

www / non-www

302https://www.e621.net/

200https://e621.net/

Preferred variant: non-www

HTTP → HTTPS

301http://e621.net/ → https://e621.net/

Consistent

A

Domain Intelligence

e621.net — via NameCheap, Inc., 20 years old

PASS

e621.net — via NameCheap, Inc., 20 years old

Domain expires in 83 days

Consider enabling auto-renewal to prevent accidental expiration.

Got: Expires Aug 1, 2026

DNSSEC is enabled

Registrar: NameCheap, Inc.

Registrar lock is NOT enabled

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Domain expiry

76 days

August 1, 2026

SSL certificate

55 days

Issued by Google Trust Services

Domain age

20 years

Registered August 1, 2006

DNSSEC

Enabled

Protects against DNS spoofing

Hosting

Unknown

2606:4700:10::6814:1f70

Registrar

NameCheap, Inc.

Unlocked 2 NS records

Expiry timeline

Today

+1 year

Domain expiry SSL expiry Danger zone (≤30 days)

Recommended actions

Renew the domain or enable auto-renewal to prevent accidental expiry
Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers

Registrar NameCheap, Inc.

Created August 1, 2006 (20 years ago)

Expires August 1, 2026 (2 months)

Last Updated September 22, 2025

Name Servers dora.ns.cloudflare.com, jim.ns.cloudflare.com

DNSSEC Enabled

Hosting

IP Address 2606:4700:10::6814:1f70

Data source: rdap (0.2s)

Consider enabling auto-renewal to prevent accidental expiration.

Why this matters

Domain expiry approaching — renew immediately and ensure auto-renew + alerting are configured.

Source: ICANN renewal policy

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more ▾

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A

HTTP Probe Timing

Total 544 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

PASS

DNS Lookup

31 ms

TCP Connect

17 ms

TLS Handshake

22 ms

Time to First Byte

401 ms

Total Time

545 ms

Connection waterfall

DNS Lookup 31 ms TCP Connect 17 ms TLS Handshake 22 ms Server Processing 331 ms Content Transfer 144 ms

A

CDN & Delivery

Cloudflare (DYNAMIC)

PASS

Cloudflare (DYNAMIC)

Site is served via Cloudflare CDN (edge: CDG)

Got: cf-ray: 9f9990e218ef7879-CDG

CDN cache status: DYNAMIC

CDN Detected: Cloudflare

Provider Cloudflare Cache Status DYNAMIC Evidence cf-ray: 9f9990e218ef7879-CDG

A+

CDN Cache Observability

Cache state: DYNAMIC

PASS

Cache state: DYNAMIC

CDN cache state observable via 1 header(s)

Got: cf-cache-status=DYNAMIC