FREE — NO SIGNUP

Free Website Security Tools

Verify your SSL chain is valid, your security headers are in place, your IP isn't on a spam blacklist, and your ports are configured correctly. One-off checks; no signup.

Why this matters

Web security regressions usually arrive silently. A CDN config change strips a security header. An auto-renewal cron quietly fails and the SSL certificate slides into expiry. A neighbour on shared hosting gets your IP listed on Spamhaus, and your transactional email starts bouncing.

These four tools catch the most common regressions in seconds. SSL chain validation goes deeper than "is the cert valid?". The headers checker grades you on six baseline controls. The blacklist checker queries the four most-trusted DNSBLs. The port checker confirms the only ports open are the ones you intended.

Free tools in this category

SSL Certificate CheckerPopular

Issuer, expiry, chain validity, TLS version. Color-coded warnings for expiring certificates.

Use this tool →
Security Headers Checker

Grade your HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Use this tool →
Blacklist (DNSBL) Checker

Check your domain or IP against Spamhaus, SpamCop, SORBS, Barracuda. Identify deliverability issues.

Use this tool →
Port Checker

Test if any TCP port is open — SSH, SMTP, MySQL, Postgres, Redis, custom ports.

Use this tool →

Want continuous monitoring instead of one-off?

Each tool above runs a one-off check. To get alerted whenever something changes, set up a continuous monitor:

Continuous version of SSL Checker. Get warned 30, 14, and 3 days before expiry — across every subdomain — even if your auto-renew cron silently fails.

Headers like HSTS and CSP can disappear after a CDN config change. Continuous checking catches the regression within minutes, not at the next pen test.

Getting listed on Spamhaus tanks email deliverability instantly. Continuous monitoring alerts you before customers report missing emails.

A closed database or SMTP port silently breaks app functionality. Continuous port checks catch it the moment it goes down.

Or browse all 24 monitor types · run a one-off Website Health Score · see all free monitoring tools.

Stop running one-off checks. Start monitoring.
Free plan · 3 monitors · No credit card required
Start Free →

Frequently asked questions

What grade do I need on Security Headers?
Aim for "A" — all six baseline headers present (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). "C" or below means your site is exposed to clickjacking, MIME sniffing, or data leakage that a tightened CSP would prevent. The checker shows exactly which header is missing.
How do I know if my SSL certificate is set up correctly?
Run the SSL Checker. It validates the entire chain (root, intermediates, leaf), confirms days-to-expiry, checks for HSTS, and warns on self-signed or incomplete chain configurations. If the chain is broken, browser users will see a warning even though the cert itself is valid.
My IP is on a blacklist — what should I do?
Each blacklist has a delisting process. Spamhaus and Barracuda have web forms. SORBS and SpamCop expect you to fix the underlying spam/abuse issue first. The Blacklist Checker tells you which list flagged you and links to its delisting page.
Why are my mandatory security headers disappearing?
Most common causes: a CDN config change (stripping or proxying through), a framework update that removed a default header, a reverse-proxy reconfig, or a deploy that overrode your custom headers config. Continuous monitoring catches all four — see the matching monitor types below.
Is the Port Checker safe to run on my own server?
Yes. It performs an outgoing TCP connection from our edge — same as any anonymous internet user. It can't access anything beyond what an open port exposes. Most servers will see it as ordinary external traffic.