https://risk-score-1.preview.emergentagent.com

Infrastructure

· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.

SCORE

GRADE

FIX

REVIEW

PASS

INFO

Probed from Madrid, Spain

200 OK

Checks

7 PASS 8 REVIEW 1 FIX

HTTP Probe Timing

Action

Total 3882 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

FIX

DNS Lookup

49 ms

TCP Connect

17 ms

TLS Handshake

24 ms

Time to First Byte

3.87 s

Total Time

3.88 s

Connection waterfall

DNS Lookup 49 ms TCP Connect 17 ms TLS Handshake 24 ms Server Processing 3.78 s Content Transfer 12 ms

DNSSEC

Unsigned (DNSSEC not deployed)

REVIEW

Unsigned (DNSSEC not deployed)

DNSSEC is not deployed

The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).

CAA Records

No CAA records (any CA may issue certificates)

REVIEW

No CAA records (any CA may issue certificates)

No CAA records published

Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.

Reverse DNS

Action

0/2 IPs match cert SAN

REVIEW

0/2 IPs match cert SAN

PTR lookup failed for 104.18.10.243: lookup 104.18.10.243: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 104.18.11.243: lookup 104.18.11.243: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

IPv6 Readiness

Action

No IPv6 support

REVIEW

No IPv6 support

No IPv6 (AAAA) records found

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

No IPv6 Support

About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

Crawlability

robots.txt present, no sitemap

REVIEW

robots.txt present, no sitemap

robots.txt is present

Got: 1738 bytes

No sitemap.xml found

A sitemap helps search engines discover and index your pages more efficiently.

robots.txt does not reference a sitemap

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more ▾

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

Why this matters

robots.txt omits Sitemap: directive — crawlers must fetch /sitemap.xml by convention; reliable but missing the explicit hint.

Source: sitemaps.org

robots.txt 200 OK

Size 1738 B Sitemaps referenced 0 User-agents meta-externalagent, Amazonbot, ClaudeBot, Google-Extended, *, Applebot-Extended, Bytespider, CCBot, CloudflareBrowserRenderingCrawler, GPTBot Blocking No — crawling allowed

# As a condition of accessing this website, you agree to abide by the following
# content signals:

# (a)  If a Content-Signal = yes, you may collect content for the corresponding
#      use.
# (b)  If a Content-Signal = no, you may not collect content for the
#      corresponding use.
# (c)  If the website operator does not include a Content-Signal for a
#      corresponding use, the website operator neither grants nor restricts
#      permission via Content-Signal with respect to the corresponding use.

# The content signals and their meanings are:

# search:   building a search index and providing search results (e.g., returning
#           hyperlinks and short excerpts from your website's contents). Search does not
#           include providing AI-generated search summaries.
# ai-input: inputting content into one or more AI models (e.g., retrieval
#           augmented generation, grounding, or other real-time taking of content for
#           generative AI search answers).
# ai-train: training or fine-tuning AI models.

# ANY RESTRICTIONS EXPRESSED VIA CONTENT SIGNALS ARE EXPRESS RESERVATIONS OF
# RIGHTS UNDER ARTICLE 4 OF THE EUROPEAN UNION DIRECTIVE 2019/790 ON COPYRIGHT
# AND RELATED RIGHTS IN THE DIGITAL SINGLE MARKET.

# BEGIN Cloudflare Managed content

User-agent: *
Content-Signal: search=yes,ai-train=no
Allow: /

User-agent: Amazonbot
Disallow: /

User-agent: Applebot-Extended
Disallow: /

User-agent: Bytespider
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: CloudflareBrowserRenderingCrawler
Disallow: /

User-agent: Google-Extended
Disallow: /

User-agent: GPTBot
Disallow: /

User-agent: meta-externalagent
Disallow: /

# END Cloudflare Managed Content

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

TLS Certificate Expiry & Recommendations

50 days until leaf cert expires — 2 issues to address

REVIEW

Certificate validity

days left

0d 30d 60d 90d+

Recommended actions

Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
Enable DNSSEC on your domain for DNS spoofing protection

Operational Status Page

No status page link detected

REVIEW

No status page link detected

No operational status page link detected

Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.

Health Check Endpoint

No conventional health endpoint found

REVIEW

No conventional health endpoint found

Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: connection error, /health: connection error, /healthz: connection error, /ping: connection error, /status: connection error.

DNS Records

2 A records, 39 ms lookup

PASS

2 A records, 39 ms lookup

Resolves to 2 IPv4 address(es)

Got: 104.18.10.243, 104.18.11.243

No IPv6 (AAAA) records

No NS records found

No MX records — email not configured via DNS

No SPF record found in TXT records

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

DNS resolution time: 39 ms

Got: 39 ms

A	104.18.10.243, 104.18.11.243
AAAA	—
CNAME	—
NS	—
MX	—
TXT	—
CAA	Lookup not available with standard resolver

Resolved in 39 ms

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more ▾

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

A+

Subdomain Takeover

No subdomain takeover risk detected

PASS

No subdomain takeover risk detected

No CNAME record present

Multi-Resolver DNS Speed

Mean 49ms across 3 resolvers (spread 62ms)

PASS

Mean 49ms across 3 resolvers (spread 62ms)

Cloudflare: 22ms

Got: 22ms via 1.1.1.1:53

Google: 42ms

Got: 42ms via 8.8.8.8:53

Quad9: 84ms

Got: 84ms via 9.9.9.9:53

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://risk-score-1.preview.emergentagent.com

https://risk-score-1.preview.emergentage...

3271 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://risk-score-1.preview.emergentage...	200	3271 ms	HTTP/1.1	cloudflare

A+

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

HTTP correctly 301-redirects to HTTPS

www / non-www

https://www.risk-score-1.preview.emergentagent.com/

200https://risk-score-1.preview.emergentagent.com/

HTTP → HTTPS

301http://risk-score-1.preview.emergentagent.com/ → https://risk-score-1.preview.emergentagent.com:443/

Consistent

CDN & Delivery

Cloudflare (DYNAMIC)

PASS

Cloudflare (DYNAMIC)

Site is served via Cloudflare CDN (edge: CDG)

Got: cf-ray: 9fee03537c702a5f-CDG

CDN cache status: DYNAMIC

CDN Detected: Cloudflare

Provider Cloudflare Cache Status DYNAMIC Evidence cf-ray: 9fee03537c702a5f-CDG

A+

CDN Cache Observability

Cache state: DYNAMIC

PASS

Cache state: DYNAMIC

CDN cache state observable via 1 header(s)

Got: cf-cache-status=DYNAMIC

Domain Intelligence

Domain intelligence data not available

INFO

Domain intelligence data not available

RDAP and WHOIS lookup both failed

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.