When was the last time you checked what the internet actually sees when it looks at your domain?
Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.
I'm talking about:
- Is your TLS certificate valid and properly configured? Which protocol versions and cipher suites are you advertising?
- Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
- Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
- What ports are publicly reachable from the internet right now?
- Are you on any blacklists or reputation databases?
This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.
The 4 layers that matter
1. SSL/TLS
This isn't just "does the padlock show." Real TLS hygiene means:
- Protocol version (TLS 1.2+ only; no SSLv3, TLS 1.0 or TLS 1.1)
- Cipher strength (no RC4, DES/3DES, NULL or export-grade ciphers; prefer AEAD suites with forward secrecy)
- Certificate validity and expiry buffer (complete chain, hostname matches, renewal well before the expiry date)
- HSTS header with an appropriate max-age
A quick win: if you're still accepting TLS 1.0 with CBC ciphers you're exposed to BEAST, and if SSLv3 is still enabled you're exposed to POODLE. Modern clients don't need either version, so disabling them costs little.
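An added example (not code from the original post or from ComplianceLayer) that checks the first three points above with the standard library: it tries one handshake per TLS version, flags weak cipher names and reports how many days the certificate has left. `probe_tls` needs network access; `evaluate` and `days_left` are pure logic, and the `__main__` section runs them on constructed results unless you pass a hostname. The cipher-name markers and the 30-day renewal buffer are my choices, not values from the post.

```python
"""TLS version / cipher / expiry probe.

Added example: not part of the original post or the ComplianceLayer API.
"""
import socket
import ssl
import sys
import time

# Pin each handshake to exactly one protocol version.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Substrings of OpenSSL cipher names that mean "weak" (assumption: my list, RC4/DES/3DES/export/NULL/MD5).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")
RENEWAL_BUFFER_DAYS = 30  # assumption: warn when less than a month remains


def handshake(host, port, version, timeout=5):
    """Attempt one handshake at a single TLS version; return the negotiated cipher name or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test what the server offers, not whether we trust it
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, version compiled out of the local OpenSSL, or network error.
        return None


def parse_cert_time(not_after):
    """Seconds since the epoch for an OpenSSL-style 'notAfter' string such as 'Jun  1 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_left(not_after, now_ts=None):
    """Whole days until the certificate's notAfter; now_ts is epoch seconds (default: now)."""
    if now_ts is None:
        now_ts = time.time()
    return int((parse_cert_time(not_after) - now_ts) // 86400)


def cert_days_left(host, port=443, timeout=5):
    """Fetch the leaf certificate with full verification and return its remaining lifetime in days."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_left(tls.getpeercert()["notAfter"])


def evaluate(offered, days_remaining):
    """Turn {version: cipher-or-None} plus certificate days left into findings for the checks above."""
    findings = []
    for name in ("TLSv1.0", "TLSv1.1"):
        if offered.get(name):
            findings.append(f"{name} still accepted (negotiated {offered[name]}); disable it")
    if not offered.get("TLSv1.2") and not offered.get("TLSv1.3"):
        findings.append("neither TLS 1.2 nor TLS 1.3 is offered; modern clients will fail to connect")
    for name, cipher in offered.items():
        if cipher and any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher negotiated on {name}: {cipher}")
    if days_remaining < RENEWAL_BUFFER_DAYS:
        findings.append(f"certificate expires in {days_remaining} days; renew now")
    return findings


def probe_tls(host, port=443):
    """Network probe: one handshake per version plus certificate expiry, returned as findings."""
    offered = {name: handshake(host, port, version) for name, version in VERSIONS.items()}
    return evaluate(offered, cert_days_left(host, port))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = probe_tls(sys.argv[1])
    else:
        # Constructed probe result (not a real scan): legacy server with 3DES on TLS 1.0 and a near-expired cert.
        constructed = {"TLSv1.0": "DES-CBC3-SHA", "TLSv1.1": None,
                       "TLSv1.2": "AES128-SHA", "TLSv1.3": None}
        findings = evaluate(constructed, 10)
    for finding in findings or ["no TLS findings"]:
        print(finding)
```

Run it as `python tlsprobe.py yourdomain.com` from a host outside your own network. A version that returns `None` is either refused by the server or unsupported by your local OpenSSL build; the probe deliberately disables certificate verification so that a bad chain does not hide which protocol versions the server accepts, while `cert_days_left` verifies the chain normally.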
2. DNS Configuration
- SPF: Lists which servers may send mail for your domain. Without it (or with a permissive +all), any host can send mail claiming to be you and receivers have no basis to reject it
- DMARC: Even with SPF (and DKIM), without DMARC receivers get no policy telling them to quarantine or reject failures, and you get no aggregate reports showing who is spoofing you. A p=none policy gives you the visibility but still no enforcement
- DNSSEC: Signs your zone so validating resolvers can detect forged answers (cache poisoning); it does nothing for confidentiality
- Dangling DNS: Old CNAME or A records pointing to decommissioned resources (a deleted storage bucket, an unclaimed hosting hostname). If someone else can claim that target, they take over your subdomain
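An added example (not part of the original post or of ComplianceLayer) that audits SPF and DMARC records offline. Pull the real records with `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com` and pass the strings in; the sample records in the `__main__` section are constructed. Beyond the two points above it also counts SPF's DNS-lookup terms, because a record that exceeds the limit of ten is treated as a permanent error by receivers.

```python
"""SPF / DMARC record audit.

Added example: not part of the original post or the ComplianceLayer API.
"""
import re

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)", re.IGNORECASE)
SPF_LOOKUP_LIMIT = 10


def _lookup_terms(terms):
    return [t for t in terms if _LOOKUP_TERM.match(t) or t.lower().startswith("redirect=")]


def audit_spf(record):
    """Findings for one SPF TXT record; pass None when the domain has no SPF record."""
    if record is None:
        return ["SPF: no record; receivers cannot tell which hosts may send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, so receivers ignore it"]
    findings = []
    # The 'all' mechanism decides the fate of every host not matched earlier in the record.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, so unlisted senders are not penalised")
        elif qualifier == "~":
            findings.append("SPF: '~all' is soft fail; use '-all' once DMARC is enforced")
    lookups = _lookup_terms(terms[1:])
    if len(lookups) > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {len(lookups)} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; "
                        "receivers return permerror and the record protects nothing")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append("SPF: 'ptr' mechanism is deprecated and slow; remove it")
    return findings


def audit_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain>; pass None when absent."""
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>; SPF/DKIM failures are neither enforced nor reported"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none reports but does not enforce; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; the record is not valid")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports (no visibility)")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


def audit_mail_records(spf_record, dmarc_record):
    """Combined findings for a domain's SPF and DMARC records."""
    return audit_spf(spf_record) + audit_dmarc(dmarc_record)


if __name__ == "__main__":
    # Constructed records for illustration, not real lookups.
    samples = {
        "good.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
        "monitoring-only.example": ("v=spf1 a mx include:_spf.mail.example ~all",
                                    "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example"),
        "wide-open.example": ("v=spf1 +all", None),
    }
    for domain, (spf, dmarc) in samples.items():
        print(domain)
        for finding in audit_mail_records(spf, dmarc) or ["  no findings"]:
            print("  " + finding)
```

The lookup count is a first approximation: a nested `include:` also spends lookups from the same budget, so a record that passes here can still fail at a receiver once its includes are expanded.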
3. HTTP Security Headers
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Most sites are missing at least three or four of these. (X-Frame-Options is the legacy clickjacking control; modern browsers honour the CSP frame-ancestors directive instead, so send both until you can drop the old one.)
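An added example (not code from the original post or from ComplianceLayer) that fetches a site's response headers and checks the five headers listed above. `audit_headers` is pure logic over a header mapping, so it works on captured responses too; `fetch_headers` does a single GET over the network. The one-year HSTS threshold matches the post's example value; the other thresholds and the CSP 'unsafe-inline' check are my additions.

```python
"""HTTP security header audit.

Added example: not part of the original post or the ComplianceLayer API.
"""
import re
import urllib.error
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age used in the post's HSTS example


def _csp_directives(csp):
    """Parse a CSP header into {directive: [sources]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers):
    """Return findings for a mapping of response headers (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the first http:// request can be downgraded or intercepted")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains stay downgradable")

    directives = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no restriction on where scripts may load from")
    else:
        directives = _csp_directives(csp)
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection")
        if "*" in scripts:
            findings.append("CSP script sources include '*', so any origin can supply scripts")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append("No clickjacking protection: set X-Frame-Options or CSP frame-ancestors")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing: browsers may sniff content types")

    referrer = h.get("referrer-policy", "").strip().lower()
    if referrer in ("", "unsafe-url"):
        findings.append("Referrer-Policy missing or unsafe-url: full URLs leak to third parties")
    return findings


def fetch_headers(url, timeout=10):
    """GET the URL (following redirects) and return its response headers; needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())  # a 403 or 404 still carries the headers we care about


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        headers = fetch_headers(sys.argv[1])
    else:
        # Constructed response headers for illustration (not a real capture).
        headers = {
            "Strict-Transport-Security": "max-age=300",
            "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "no-referrer",
        }
    for finding in audit_headers(headers) or ["all five headers look fine"]:
        print(finding)
```

Run it as `python headers.py https://yourdomain.com`. Audit the final URL after redirects as well as the bare http:// origin: a site that redirects http:// to https:// but only sends HSTS on the https response still leaves the first request exposed, and sites often set headers on the landing page but not on API or static paths.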
4. Open Ports
What's publicly reachable on your server? SSH on 22 open to the whole internet? MongoDB on 27017? Redis on 6379 with no authentication? Scan from outside your own network (a cloud VM, or nmap from a home connection), because what your firewall console shows you is not what the internet sees.
The Shodan graveyard is full of companies that forgot about a dev server or a service that was only ever meant to be internal.
How to check this automatically (for free)
The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.
# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
-H "X-API-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain": "yourdomain.com"}'
# Poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
-H "X-API-Key: YOUR_API_KEY"
Free tier is 10 scans/month — more than enough to audit your key domains.
Real-world example
I scanned acehardware.com:
- Grade: A | Score: 96
- 0 critical issues, 1 high (headers), 4 medium
Compare that with a typical SMB, which usually lands in the C-D range with missing HSTS, no DMARC, and open admin ports.
The bottom line
Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.
Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.
Have questions about reading your scan results? Drop them in the comments.