Browse & Analyze

Browse recent website audits and performance trends

Explore technology stacks detected across the web

Side-by-side technology comparisons and market share

Curated technology stacks and the sites that use them

Editorial deep-dives on the state of web performance

Browse and download favicons from analyzed websites

Learn

Common questions about BeaverCheck scores and checks

How we calculate scores across 100+ checks

The story behind BeaverCheck and the team

Practical guides to fix common web performance issues

Migration Guides

Step-by-step guides for moving between web technologies

Definitions for performance, SEO, and web platform terms

Contrast Checker

Check WCAG color contrast ratios between any two colors

Inspect HTTP response headers for any URL

Analyze SSL/TLS certificate details and chain

Look up DNS records for any domain

Redirect Checker

Trace the full redirect chain for any URL

Real-user INP and Core Web Vitals from Google's Chrome UX Report.

RESTful API for programmatic website audits

Embed an auto-updating health score badge on your site

https://zalando.com

Infrastructure

· 14 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.

SCORE

91

GRADE

A

FIX

0

REVIEW

6

PASS

8

INFO

0

Probed from Madrid, Spain

302 Found

Checks

14

8 PASS 6 REVIEW

B

DNSSEC

Unsigned (DNSSEC not deployed)

REVIEW

Unsigned (DNSSEC not deployed)

DNSSEC is not deployed

The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).

B

CAA Records

No CAA records (any CA may issue certificates)

REVIEW

No CAA records (any CA may issue certificates)

No CAA records published

Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.

B

Reverse DNS

0/12 IPs match cert SAN

REVIEW

0/12 IPs match cert SAN

PTR for 18.244.28.97 does not match any cert SAN: server-18-244-28-97.cdg52.r.cloudfront.net

Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.

PTR for 18.244.28.92 does not match any cert SAN: server-18-244-28-92.cdg52.r.cloudfront.net

Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.

PTR for 18.244.28.50 does not match any cert SAN: server-18-244-28-50.cdg52.r.cloudfront.net

Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.

PTR for 18.244.28.82 does not match any cert SAN: server-18-244-28-82.cdg52.r.cloudfront.net

Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.

PTR lookup failed for 2600:9000:262b:3200:14:68:5500:93a1: lookup 2600:9000:262b:3200:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:e600:14:68:5500:93a1: lookup 2600:9000:262b:e600:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:4000:14:68:5500:93a1: lookup 2600:9000:262b:4000:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:6600:14:68:5500:93a1: lookup 2600:9000:262b:6600:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:7a00:14:68:5500:93a1: lookup 2600:9000:262b:7a00:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:1a00:14:68:5500:93a1: lookup 2600:9000:262b:1a00:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:ce00:14:68:5500:93a1: lookup 2600:9000:262b:ce00:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

PTR lookup failed for 2600:9000:262b:ee00:14:68:5500:93a1: lookup 2600:9000:262b:ee00:14:68:5500:93a1: no such host

No reverse DNS record set for this IP. Common on bare cloud-VM IPs without provider-side PTR; not a security issue.

B

Crawlability

robots.txt present, no sitemap

REVIEW

robots.txt present, no sitemap

robots.txt is present

Got: 351 bytes

No sitemap.xml found

A sitemap helps search engines discover and index your pages more efficiently.

robots.txt does not reference a sitemap

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more ▾

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

Why this matters

robots.txt omits Sitemap: directive — crawlers must fetch /sitemap.xml by convention; reliable but missing the explicit hint.

Source: sitemaps.org

robots.txt 200 OK

Size 351 B Sitemaps referenced 0 User-agents *, Pinterestbot Blocking No — crawling allowed

User-agent: Pinterestbot
Crawl-delay: 0.2

User-agent: *
Allow: /trend-rewind/*
Disallow: /*&*&*&*
Disallow: /cart/*
Disallow: /wardrobe/*
Disallow: /myaccount/*
Disallow: /opinions*
Allow: /api/navigation
Allow: /api/graphql/
Disallow: /api/navigation/*
Disallow: /api/*
Disallow: /consent/api/ucversion
Disallow: /reco-catalog/
Disallow: /assistant

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

B

TLS Certificate Expiry & Recommendations

199 days until leaf cert expires — 2 issues to address

REVIEW

Certificate validity

199

days left

0d 30d 60d 90d+

Recommended actions

Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
Enable DNSSEC on your domain for DNS spoofing protection

B

CDN & Delivery

AWS CloudFront (FunctionGeneratedResponse from cloudfront)

REVIEW

AWS CloudFront (FunctionGeneratedResponse from cloudfront)

Site is served via AWS CloudFront CDN (edge: CDG52-P5)

Got: x-amz-cf-id: tkcJz_bX_IH87_xZq7oS88xH11pOvagnf8rbgZvrqtv6S-FIRtKEHw==

CDN cache status: FunctionGeneratedResponse from cloudfront

CDN Detected: AWS CloudFront

Provider AWS CloudFront Cache Status FunctionGeneratedResponse from cloudfront Evidence x-amz-cf-id: tkcJz_bX_IH87_xZq7oS88xH11pOvagnf8rbgZvrqtv6S-FIRtKEHw==

A+

DNS Records

4 A records, 2 ms lookup

PASS

4 A records, 2 ms lookup

Resolves to 4 IPv4 address(es)

Got: 18.244.28.97, 18.244.28.92, 18.244.28.50, 18.244.28.82

Has 8 IPv6 (AAAA) record(s)

Got: 2600:9000:262b:3200:14:68:5500:93a1, 2600:9000:262b:e600:14:68:5500:93a1, 2600:9000:262b:4000:14:68:5500:93a1, 2600:9000:262b:6600:14:68:5500:93a1, 2600:9000:262b:7a00:14:68:5500:93a1, 2600:9000:262b:1a00:14:68:5500:93a1, 2600:9000:262b:ce00:14:68:5500:93a1, 2600:9000:262b:ee00:14:68:5500:93a1

4 nameserver(s) configured

Got: ns-1337.awsdns-39.org, ns-578.awsdns-08.net, ns-1818.awsdns-35.co.uk, ns-456.awsdns-57.com

1 mail exchanger(s) configured

SPF record present in TXT

DNS resolution time: 2 ms

Got: 2 ms

A	18.244.28.97, 18.244.28.92, 18.244.28.50, 18.244.28.82
AAAA	2600:9000:262b:3200:14:68:5500:93a1, 2600:9000:262b:e600:14:68:5500:93a1, 2600:9000:262b:4000:14:68:5500:93a1, 2600:9000:262b:6600:14:68:5500:93a1, 2600:9000:262b:7a00:14:68:5500:93a1, 2600:9000:262b:1a00:14:68:5500:93a1, 2600:9000:262b:ce00:14:68:5500:93a1, 2600:9000:262b:ee00:14:68:5500:93a1
CNAME	—
NS	ns-1337.awsdns-39.org, ns-578.awsdns-08.net, ns-1818.awsdns-35.co.uk, ns-456.awsdns-57.com
MX	1 smtp.google.com
TXT	facebook-domain-verification=91v041mbqqze167es1w24ja4qj96h5 github-verification=bDQKg8MbDvYwZms6btrWxxFmqzfVHXcXxsTCJLkh MS=ms31863815 SPF v=spf1 include:_spf.google.com ip4:80.237.155.68 ip4:195.71.68.47 ip4:149.96.14.... figma-domain-verification=600059c02c8f9330d8215ff97cbea3e6c079adefa6bff91eae765b... openai-domain-verification=dv-4sVY6t1iE79IPToTxeVLHU6o google-site-verification=BER9CXK3xkVm2RqIvjSNn7Uqnl29B0xVywNcMd4xwrg
CAA	Lookup not available with standard resolver

Resolved in 2 ms

A+

Subdomain Takeover

No subdomain takeover risk detected

PASS

No subdomain takeover risk detected

No CNAME record present

A+

Multi-Resolver DNS Speed

Mean 15ms across 3 resolvers (spread 26ms)

PASS

Mean 15ms across 3 resolvers (spread 26ms)

Quad9: 1ms

Got: 1ms via 9.9.9.9:53

Cloudflare: 17ms

Got: 17ms via 1.1.1.1:53

Google: 27ms

Got: 27ms via 8.8.8.8:53

A

Redirect Chain

1 redirect(s), 224 ms total

PASS

1 redirect(s), 224 ms total

Single redirect

Got: https://zalando.com → https://www.zalando.fr/ (302)

WWW normalization redirect

Uses 302 (temporary) redirect

If permanent, use 301 instead.

Got: https://zalando.com

Cross-domain redirect detected

https://zalando.com

53 ms · HTTP/1.1

302

https://www.zalando.fr/

172 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://zalando.com	302	53 ms	HTTP/1.1	CloudFront
2	https://www.zalando.fr/	200	172 ms	HTTP/1.1	rendering-engine/gender-split-stackset/main-5284

See the visual redirect chain in the HTTP Probe tab →

If permanent, use 301 instead.

Why this matters

302 (Found) is for genuinely temporary redirects — if this redirect is permanent, switch to 301 to preserve SEO equity.

Learn more ▾

Search engines treat 302 as temporary, keeping the original URL indexed and not transferring full link equity to the destination. Use 301 (Moved Permanently) for permanent redirects (HTTP→HTTPS, www-vs-non-www, URL restructures).

Source: Google Search Central

A+

IPv6 Readiness

IPv6 reachable (16 ms)

PASS

IPv6 reachable (16 ms)

IPv6 is configured and reachable at 2600:9000:262b:3200:14:68:5500:93a1, 2600:9000:262b:e600:14:68:5500:93a1, 2600:9000:262b:4000:14:68:5500:93a1, 2600:9000:262b:6600:14:68:5500:93a1, 2600:9000:262b:7a00:14:68:5500:93a1, 2600:9000:262b:1a00:14:68:5500:93a1, 2600:9000:262b:ce00:14:68:5500:93a1, 2600:9000:262b:ee00:14:68:5500:93a1

Got: 16 ms connect

IPv6 Ready

AAAA Records 2600:9000:262b:3200:14:68:5500:93a1, 2600:9000:262b:e600:14:68:5500:93a1, 2600:9000:262b:4000:14:68:5500:93a1, 2600:9000:262b:6600:14:68:5500:93a1, 2600:9000:262b:7a00:14:68:5500:93a1, 2600:9000:262b:1a00:14:68:5500:93a1, 2600:9000:262b:ce00:14:68:5500:93a1, 2600:9000:262b:ee00:14:68:5500:93a1 Connection Reachable (16 ms)

A+

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

www/non-www redirect configured correctly (preferred: non-www)

HTTP correctly 301-redirects to HTTPS

www / non-www

302https://www.zalando.com/

200https://zalando.com/

Preferred variant: non-www

HTTP → HTTPS

301http://zalando.com/ → https://zalando.com/

Consistent

A+

Domain Intelligence

zalando.com — via Key-Systems GmbH, 18 years, 2 months old

PASS

zalando.com — via Key-Systems GmbH, 18 years, 2 months old

Domain registered until May 22, 2035 (9 years, 2 months remaining)

DNSSEC is not enabled

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Registrar: Key-Systems GmbH

Registrar lock is NOT enabled

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Domain expiry

3282 days

May 22, 2035

SSL certificate

199 days

Issued by Amazon

Domain age

18 years, 2 months

Registered May 22, 2008

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

Unknown

2600:9000:262b:ee00:14:68:5500:93a1

Registrar

Key-Systems GmbH

Unlocked 4 NS records

Expiry timeline

Today

+1 year

Domain expiry SSL expiry Danger zone (≤30 days)

Recommended actions

Enable DNSSEC to protect visitors from DNS spoofing
Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers

Registrar Key-Systems GmbH

Created May 22, 2008 (18 years, 2 months ago)

Expires May 22, 2035 (9 years, 2 months)

Last Updated February 18, 2026

Name Servers ns-1337.awsdns-39.org, ns-1818.awsdns-35.co.uk, ns-456.awsdns-57.com, ns-578.awsdns-08.net

DNSSEC Not enabled

Hosting

IP Address 2600:9000:262b:ee00:14:68:5500:93a1

Data source: rdap (0.2s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more ▾

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more ▾

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A+

HTTP Probe Timing

Total 53 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

PASS

DNS Lookup

1 ms

TCP Connect

16 ms

TLS Handshake

19 ms

Time to First Byte

53 ms

Total Time

53 ms

Connection waterfall

DNS Lookup 1 ms TCP Connect 16 ms TLS Handshake 19 ms Server Processing 18 ms Content Transfer 0 ms

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback