Three free tools to test website security

Last updated on: June 6, 2016, Author: R Sahota

Three free tools to check web server security, SSL/TLS and whether your site is vulnerable to phishing and cybersquatting. A Swiss web security company called High-Tech Bridge has launched three really useful tools in the last few months to help us check whether our websites are at risk to cyber attacks. Here are the products:

Web server security test

Simply input your URL and the service will try to detect and analyse a list of 6 headers that are known to improve security for users:

  • Server – X-Frame-Options
  • Strict-Transport-Security (also known as HSTS) – X-XSS-Protection
  • Public-Key-Pins (also known as HPKP) – X-Content-Type-Options
  • Content-Security-Policy (also known as CSP)

For each header several checks are made if applicable:

  • Syntax
  • Validity
  • Trustworthness

They deliberately chose not to analyse Report-Only headers, that only provide monitoring, and deprecated headers, to encourage people to implement the ones that are compatible with the most recent browsers. We also test if the server accepts the most commonly supported HTTP Methods (HTTP verbs), as some may introduce security issues.

SSL/TLS security test

This service enables anyone to assess how secure and reliable a site’s SSL/TLS connection to a server (on any port) is, the service performs four distinct tests:

  •   Test for compliance with NIST Guidelines
  •   Test for compliance with PCI DSS Requirements
  •   Test for the most recent SSL/TLS vulnerabilities and weaknesses
  •   Test for insecure third-party content that may expose user’s privacy.

Domain Security Radar

This free online service enables anyone to detect malicious domain activities targeting a website, domain name or brand. The service searches for:

  • Potential Cybersquatting – domains registered in different TLDs and owned by a third party; domains imitating domain names or business identity and owned by a third party
  • Potential Typosquatting – domains with typos in body and owned by a third party; domains with typos in body and TLD and owned by a third party
  • Potential Phishing – domains that try to visually impersonate your domain or brand and owned by a third party; domains that contain phishing content targeting your domain or brand users; domains that contain malicious content targeting your domain or brand users

Related Stories