How to Check a Website's Privacy & Security
A beginner-friendly guide to evaluating website security
When you're visiting a website, or if you run a site and want to make sure it's safe, there are several free, publicly accessible tools you can use to check how secure and privacy-respecting it is. Below, we'll walk you through some of the best ones and explain what the reports mean, what to pay attention to, and why each check is helpful.
Netcraft Site Report
What it is:
Netcraft's Site Report gives you a broad look at how a website is hosted, its infrastructure, and certain security risks.
https://sitereport.netcraft.com/
Why it's useful:
- Lets you see who operates the site, or at least which hosting company provides its bandwidth and, more specifically, who owns the netblock, as well as what technology the site uses, which web trackers it includes, and more.
- May reveal the geographic location of servers.
- Provides details of what software the site runs and which external resources it includes.
What to look for in the Netcraft report (privacy & security):
- Hosting provider / infrastructure: If the site is hosted on a major cloud or CDN provider (e.g., Cloudflare, AWS), that may tell you something about who has access to the infrastructure. External cloud services like AWS, Azure, Cloudflare, Google, etc. may be less private.
- Web Trackers / External Resources: Netcraft shows if a site utilizes web trackers or external CDNs or resources (every external resource should be considered to be logging your visit).
- Web Browser Targeting: This shows the security headers the site sets. You want to see Strict Transport Security, Content Security Policy, XSS Protection disabled (this may sound adverse, but the site should control XSS protection itself because the browser's built-in protection can be bypassed), browser MIME sniffing disabled, and X-Frame-Options set to Same Origin.
Limitations / caveats:
- It doesn't deeply analyze the encryption configuration (that's what other tools are for).
- Knowing who "hosts" a site doesn't necessarily mean you know who runs it; websites often use third-party infrastructure. In addition, for self-hosted sites in their own datacenter, the report will show who provides the bandwidth (as Hosting Provider) and who owns the netblock (which will likely be the site owner).
SSL/TLS Test – SSL Labs (Qualys SSL Test)
What it is:
The SSL Labs SSL Test is a widely used free tool to check how secure a site's SSL / TLS (i.e., HTTPS) configuration is.
https://www.ssllabs.com/ssltest/index.html
Why it's useful:
- Ensures that your connection to the site is encrypted safely ("HTTPS correctly configured").
- Shows which cryptographic protocols (TLS versions) and cipher suites are used, whether there are weak ones, and whether the certificate is valid and trusted.
- Highlights vulnerabilities in the SSL/TLS setup (e.g., support for old insecure protocols, weak ciphers, certificate chain issues).
What to look for in its report:
- Overall grade: SSL Labs gives a rating (A through F). You really want A or A+ here.
- Certificate details: Make sure the certificate is valid, not expired, and signed by a trusted Certificate Authority (CA).
- Key Exchange / Cipher strength: Look for modern protocol versions (TLS 1.2 or 1.3) with strong key exchange and strong cipher suites. Avoid sites that support very old protocols like TLS 1.0, TLS 1.1, SSLv2 or SSLv3, or weak cipher suites.
- Protocol support: Prefer sites that support only secure protocols (TLS 1.2+ ideally); no "SSLv3," etc.
- Certificate chain: Check that the certificate chain is correctly configured and that there is no "chain building" issue.
- Compression / Renegotiation / Heartbleed etc.: The report may show various other risks; if you see warnings, that's a potential red flag.
Limitations / caveats:
- Even a good SSL/TLS setup doesn't guarantee the site is "private" in terms of what happens after encryption (tracking, analytics, cookies, etc.).
- This only tells you about the transport layer (how data is sent), not what the site does with that data once it's received.
Hardenize
What it is:
Hardenize is an in-depth security and configuration analyzer. You can point it at a domain, and it will check a variety of security-related measures (TLS, DNS, HTTP headers, and more).
Why it's useful:
- Combines many checks in one place (TLS, DNS, certificates, DANE, HTTP security headers, DNSSEC, CAA, etc.).
- Gives a clear "security posture" - how well the website is configured to resist different attack vectors.
What to look for in a Hardenize report:
- TLS / HTTPS: Similar to SSL Labs, but also more checks (e.g., session ticket reuse, renegotiation risk).
- DNS security: Look for DNSSEC (DNS Security Extensions) status - this helps prevent DNS spoofing.
- CAA records: Hardenize will often report on CAA (Certificate Authority Authorization) records, which restrict which Certificate Authorities are allowed to issue certificates for that domain - a good defense against unauthorized certificate issuance.
- HTTP security headers: Check for headers like HSTS (HTTP Strict Transport Security), CSP (Content Security Policy), X-Frame-Options, Referrer-Policy, etc. These headers help defend against clickjacking, cross-site scripting, and other web attacks.
- Certificate details & validity: As with SSL Labs.
- Other features: Hardenize may show things like DANE / TLSA, which provides even stronger TLS verification (if used; we set it, but we only allow TLS connections anyway and do not allow opportunistic TLS, which can be utilized in a man-in-the-middle attack), or whether the domain supports modern features like OCSP stapling.
What a "good" Hardenize result looks like (for privacy & security):
- As many green boxes as possible, no yellow or red boxes. Some mail servers, like ours, do rate limiting and so some tests will show as incomplete.
- DNSSEC: enabled and correctly configured.
- CAA: present and restrictive (only trusted CAs allowed).
- Strong TLS: modern protocol, good cipher suites.
- Security headers: present and correctly configured (HSTS, CSP, etc.).
- Certificate: valid, with correct chain.
Mozilla HTTP Observatory
What it is:
Originally developed by Mozilla and now hosted on MDN, the HTTP Observatory tests a wide variety of HTTP-level security settings. You can scan a website and get a grade (A+ to F) along with detailed information about its security headers.
https://developer.mozilla.org/en-US/observatory
Why it's useful:
- Focuses specifically on HTTP security headers, which are often overlooked but very important for protecting users.
- Gives actionable suggestions for improving your site security.
- Easy to use: just enter a URL into their web interface (or advanced users can use their CLI).
What to look for in its report:
- Grade (A+ down to F): aim for B+ or better.
- Specific findings: The report breaks down things like:
  - HSTS: ensures the site forces HTTPS.
  - Content Security Policy (CSP): helps prevent cross-site scripting.
  - X-Frame-Options: helps prevent clickjacking.
  - X-Content-Type-Options: stops "MIME sniffing" vulnerabilities.
  - Cookies: looks at their security flags (Secure, HttpOnly) if detectable.
  - Redirections: whether the HTTP → HTTPS redirect is properly set.
Why these matter (privacy & security):
- HTTP headers help tell the browser how to handle content safely, reducing risk of malicious scripts running, preventing iframe-based attacks, and more.
- Secure cookies (flagged HttpOnly, Secure) help protect user sessions.
- HSTS ensures that once you've visited over HTTPS, your browser will remember to use HTTPS, reducing downgrade attacks.
Cookie Scanner - Termly
What it is:
Termly's Cookie Scanner finds and categorizes cookies on a website.
https://termly.io/products/cookie-scanner
Why it's useful:
- Reveals what cookies a site sets: not just secure flags, but what kind of cookies are there (essential, analytics, advertising, etc.).
- Helps you evaluate the privacy risk: are there third-party cookies, tracking cookies, or just essential ones?
What to look for in the report:
- Cookie categories: Are there analytics, advertising, social networking cookies? If yes, it suggests the site is tracking users or using third-party scripts.
- Secure / HttpOnly / SameSite flags: These reduce risks like session hijacking (if Secure and HttpOnly are set) and CSRF (if SameSite is used).
- Unclassified cookies: Sometimes the scanner can't immediately recognize what a cookie is for; that could be a place to dig deeper or ask the site owner.
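As an added example (not part of the original guide or any of the tools it describes), the following Python checks a response's headers and cookie flags against the Observatory header checklist and the cookie flags described above. The header sets at the bottom are constructed for illustration, not captured from any real site.

```python
from http.cookies import SimpleCookie
# Headers the guide asks you to look for, with the risk each one addresses.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browser may later accept plain HTTP",
    "content-security-policy": "CSP missing: script sources are unrestricted",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
def check_headers(headers):
    """Return findings for one response given as (name, value) pairs.
    A list is used (not a dict) so repeated Set-Cookie headers survive."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    for name, problem in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(problem)
    # The guide prefers the browser's XSS filter off, with CSP doing the work.
    xss = present.get("x-xss-protection", "").strip()
    if xss and not xss.startswith("0"):
        findings.append("X-XSS-Protection enabled: rely on CSP instead")
    # Secure + HttpOnly reduce session hijacking; SameSite reduces CSRF.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)   # parses the cookie and its attributes
        for key, morsel in jar.items():
            for flag in ("secure", "httponly", "samesite"):
                if not morsel[flag]:   # "" when the attribute is absent
                    findings.append(f"cookie {key!r} lacks {flag}")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Strict"),
]
WEAK_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "_ga=GA1.2.1; Secure"),
]
```

Running `check_headers(GOOD_HEADERS)` returns an empty list, while the weak set reports the three missing headers and the five missing cookie flags.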
Putting It All Together: How to Use These Tools Effectively
1. Start broad, then drill down:
- Run the Netcraft report to get a bird's-eye view of who runs the site (hosting, infrastructure).
- Use SSL Labs to check encryption.
- Use Hardenize for more detailed security posture.
- Use Mozilla Observatory to check HTTP security headers.
- Use Termly to audit cookies and tracking.
2. Look for patterns:
- Good TLS + good headers + cookie security + DNS security = strong baseline.
- If any one piece is weak (e.g., cookies or headers), that doesn't necessarily mean the site is malicious, but it's a risk.
3. Ask questions (or demand transparency):
- If a site is important (financial, personal data, business), and its security score is low, it's OK to ask the administrators: "Why don't you have HSTS?" or "Can you restrict which CAs can issue certs for your domain?"
- For sites you don't control: use these reports to decide how much trust to give them (or how careful to be).
4. Repeat or monitor if needed:
- Security configurations change. If you check a site once and it looks good, you might want to re-scan later.
Why These Checks Matter - In Plain Language
- Encryption (TLS) ensures that when you send data (like login details), it's scrambled and hard for attackers to eavesdrop.
- DNS security (DNSSEC, CAA) helps prevent "fake websites" or hijacked domains.
- HTTP security headers help protect your browser from malicious things (like clickjacking or cross-site scripting).
- Cookie security affects how easily your session can be stolen or misused.
- Third-party cookies / analytics indicate tracking: the more of those, the less "private" your experience might be.
