DEV Community

ComplianceLayer

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

  • Is your SSL certificate properly configured? What cipher suites are you advertising?
  • Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
  • Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
  • What ports are publicly reachable from the internet right now?
  • Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

  • Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
  • Cipher strength (no RC4, DES, or export-grade ciphers)
  • Certificate validity and expiry buffer
  • HSTS header with appropriate max-age
  • Certificate transparency logs

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks. Most modern CDNs will help, but bare-metal configs often miss this.

2. DNS Configuration

DNS is the phonebook of the internet and it's a goldmine for attackers:

  • SPF (Sender Policy Framework): Without it, anyone can send email as your domain
  • DMARC: Even with SPF, without DMARC you have no enforcement or visibility
  • DNSSEC: Protects against DNS poisoning and cache hijacking
  • Open zone transfers: Should be restricted to authorized nameservers only
  • Dangling DNS: Old DNS records pointing to decommissioned resources (a very common takeover vector)
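As an added example (my own code, not ComplianceLayer's), here is what the SPF and DMARC part of such a scan reduces to: parse the TXT records and flag the weak configurations listed above. The records are constructed samples so the code runs offline; in a live check you would fetch them with Node's `dns.promises.resolveTxt(domain)` and `resolveTxt('_dmarc.' + domain)` and join each record's chunks with `.map(c => c.join(''))` first. The function names are my own.

```javascript
// Added example (not ComplianceLayer's code): evaluate SPF and DMARC TXT records
// the way an external scan would, on constructed records so it runs offline.

const LOOKUP_MECHS = new Set(['include', 'a', 'mx', 'ptr', 'exists', 'redirect']);

// Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name
function mechanismName(term) {
  return term.replace(/^[+\-~?]/, '').split(/[:\/=]/)[0].toLowerCase();
}

function evaluateSpf(txtRecords) {
  const findings = [];
  const spf = txtRecords.filter(r => r.trim().toLowerCase().startsWith('v=spf1'));
  if (spf.length === 0) {
    findings.push({ severity: 'high', issue: 'No SPF record: anyone can send mail as this domain' });
    return findings;
  }
  if (spf.length > 1) {
    findings.push({ severity: 'high', issue: 'Multiple SPF records: receivers treat this as a permanent error' });
  }
  const terms = spf[0].trim().split(/\s+/);
  const all = terms.find(t => /^[+\-~?]?all$/i.test(t));
  if (!all || all.startsWith('+') || all.toLowerCase() === 'all') {
    findings.push({ severity: 'high', issue: 'SPF has no "all" mechanism or ends in +all: every sender is allowed' });
  } else if (all.startsWith('?')) {
    findings.push({ severity: 'medium', issue: 'SPF ends in ?all (neutral): no protection' });
  }
  // RFC 7208 allows at most 10 DNS-querying mechanisms; more yields a permerror
  const lookups = terms.filter(t => LOOKUP_MECHS.has(mechanismName(t))).length;
  if (lookups > 10) {
    findings.push({ severity: 'medium', issue: `SPF needs ${lookups} DNS lookups (limit is 10): permerror` });
  }
  return findings;
}

function evaluateDmarc(txtRecords) {
  const findings = [];
  const rec = txtRecords.find(r => /^v=DMARC1/i.test(r.trim()));
  if (!rec) {
    findings.push({ severity: 'high', issue: 'No DMARC record: SPF/DKIM results are neither enforced nor reported' });
    return findings;
  }
  // DMARC is "tag=value" pairs separated by semicolons
  const tags = Object.fromEntries(
    rec.split(';').map(kv => kv.trim()).filter(Boolean).map(kv => {
      const [k, ...v] = kv.split('=');
      return [k.trim().toLowerCase(), v.join('=').trim()];
    })
  );
  if (tags.p === 'none') {
    findings.push({ severity: 'medium', issue: 'DMARC p=none: monitoring only, no enforcement' });
  } else if (tags.p !== 'quarantine' && tags.p !== 'reject') {
    findings.push({ severity: 'high', issue: `DMARC policy "${tags.p ?? 'missing'}" is not valid` });
  }
  if (!tags.rua) findings.push({ severity: 'low', issue: 'No rua= tag: no aggregate reports, so no visibility' });
  if (tags.pct && Number(tags.pct) < 100) {
    findings.push({ severity: 'low', issue: `DMARC pct=${tags.pct}: policy applied to only part of the mail` });
  }
  return findings;
}

function auditMailAuth(domainTxt, dmarcTxt) {
  return [...evaluateSpf(domainTxt), ...evaluateDmarc(dmarcTxt)];
}

// Constructed sample records for example.test (not real DNS data)
const SAMPLE_TXT = ['v=spf1 include:_spf.example.test ~all', 'some-verification=abc123'];
const SAMPLE_DMARC = ['v=DMARC1; p=none; rua=mailto:dmarc@example.test'];

console.log(auditMailAuth(SAMPLE_TXT, SAMPLE_DMARC));
```

The sample domain has a sane SPF but a DMARC policy of `p=none`, which is the most common real-world state: reports arrive, nothing is enforced.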

3. HTTP Security Headers

These are one-line config changes that provide significant protection:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
```

Most sites are missing at least 3-4 of these.
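An added example (my own code, not ComplianceLayer's) of the headers check in Node.js: it takes a response header object, reports each of the six headers that is missing or weakly set, and turns the count into a letter grade. The `WEAK_HEADERS` and `HARDENED_HEADERS` objects are constructed, and the grade thresholds are an illustrative simplification, not the API's scoring. In practice the header object comes from an HTTPS response (the `headers` of an `https.get` callback or a `fetch()` Response).

```javascript
// Added example (not ComplianceLayer's code): audit HTTP security headers offline.
const ONE_YEAR = 31536000;

// One rule per header: name in lower case plus a value check returning a finding or null
const HEADER_RULES = [
  { name: 'strict-transport-security', check: v => {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return { severity: 'high', issue: 'HSTS present but has no max-age' };
      if (Number(m[1]) < ONE_YEAR) return { severity: 'medium', issue: `HSTS max-age ${m[1]} is below one year` };
      if (!/includeSubDomains/i.test(v)) return { severity: 'low', issue: 'HSTS does not cover subdomains' };
      return null;
  } },
  { name: 'content-security-policy', check: v => {
      if (!/default-src/i.test(v)) return { severity: 'medium', issue: 'CSP has no default-src fallback' };
      if (/'unsafe-inline'|'unsafe-eval'/i.test(v)) return { severity: 'medium', issue: 'CSP allows unsafe-inline or unsafe-eval' };
      return null;
  } },
  { name: 'x-frame-options', check: v => /^(DENY|SAMEORIGIN)$/i.test(v.trim())
      ? null : { severity: 'medium', issue: `X-Frame-Options "${v}" is not DENY or SAMEORIGIN` } },
  { name: 'x-content-type-options', check: v => v.trim().toLowerCase() === 'nosniff'
      ? null : { severity: 'low', issue: 'X-Content-Type-Options should be nosniff' } },
  { name: 'referrer-policy', check: v => /unsafe-url/i.test(v)
      ? { severity: 'low', issue: 'Referrer-Policy unsafe-url leaks full URLs to other origins' } : null },
  { name: 'permissions-policy', check: () => null }, // presence is the check here
];

function auditHeaders(headers) {
  // Normalise keys so the check is case-insensitive (header names are)
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const rule of HEADER_RULES) {
    if (!(rule.name in h)) {
      findings.push({ header: rule.name, severity: 'medium', issue: `${rule.name} is missing` });
      continue;
    }
    const f = rule.check(h[rule.name]);
    if (f) findings.push({ header: rule.name, ...f });
  }
  return findings;
}

// Letter grade from the finding count: an illustrative simplification, not the API's scoring
function gradeHeaders(headers) {
  const n = auditHeaders(headers).length;
  return n === 0 ? 'A' : n <= 1 ? 'B' : n <= 2 ? 'C' : n <= 4 ? 'D' : 'F';
}

// Constructed samples: a typical default deployment, then the hardened set above
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
};
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
};

console.log(gradeHeaders(WEAK_HEADERS), auditHeaders(WEAK_HEADERS));
console.log(gradeHeaders(HARDENED_HEADERS));
```

The weak sample fails on all six: a short HSTS lifetime and an invalid `X-Frame-Options` value count just like a missing header, which is the point of checking values rather than presence.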

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server, a VPN concentrator, or a forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

```shell
# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Returns a job_id, then poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"
```

The response gives you:

  • Overall grade (A-F)
  • Score (0-100)
  • Module-by-module breakdown: ssl, dns_email, headers, ports, dnssec, blacklists, waf, etc.
  • Specific findings with severity (critical/high/medium/low)
  • Remediation steps for each issue

Free tier is 10 scans/month — more than enough to audit your key domains.

Building it into your workflow

If you're an MSP or developer, the API is what makes this powerful:

```javascript
// Example: automated domain health check in Node.js
const axios = require('axios');

const API_KEY = process.env.COMPLIANCE_API_KEY;

async function checkDomain(domain, { intervalMs = 5000, maxPolls = 60 } = {}) {
  // Submit the scan; the response carries the job_id to poll
  const { data } = await axios.post('https://compliancelayer.net/v1/scan/',
    { domain },
    { headers: { 'X-API-Key': API_KEY } }
  );

  // Poll until complete, giving up after maxPolls so a stalled job cannot hang the caller
  for (let i = 0; i < maxPolls; i++) {
    await new Promise(r => setTimeout(r, intervalMs));
    const poll = await axios.get(
      `https://compliancelayer.net/v1/scan/jobs/${data.job_id}`,
      { headers: { 'X-API-Key': API_KEY } }
    );
    if (poll.data.status === 'completed') return poll.data.result;
  }
  throw new Error(`Scan of ${domain} did not complete after ${maxPolls} polls`);
}
```

You can use this to:

  • Onboard clients: Scan their domain before engagement, show them their grade
  • Continuous monitoring: Weekly automated reports
  • Pre-sales: Build a free tool that shows prospects their grade → captures email
  • Insurance prep: Document your security posture before renewal
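For the continuous-monitoring case, an added example (my own code, not ComplianceLayer's) that diffs two weekly results and builds the report text. The result shape it reads (`grade`, `score`, and `findings` with `module`, `severity` and `title`) is an assumption modelled on the fields listed above, so rename the properties to match the real response; the two sample results are constructed, and the function names are mine.

```javascript
// Added example (not ComplianceLayer's code): weekly regression report from two scan results.
// Result shape is assumed: { grade, score, findings: [{ module, severity, title }] }.

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };

function summarize(result) {
  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of result.findings) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  return { grade: result.grade, score: result.score, bySeverity };
}

// Key a finding by module + title so the same issue lines up across weeks
const findingKey = f => `${f.module}:${f.title}`;

function compareScans(previous, current) {
  const prevKeys = new Set(previous.findings.map(findingKey));
  const currKeys = new Set(current.findings.map(findingKey));
  const newFindings = current.findings.filter(f => !prevKeys.has(findingKey(f)));
  const resolved = previous.findings.filter(f => !currKeys.has(findingKey(f)));
  const worstNew = newFindings.reduce((w, f) => Math.max(w, SEVERITY_RANK[f.severity] || 0), 0);
  return {
    scoreDelta: current.score - previous.score,
    gradeChanged: current.grade !== previous.grade,
    newFindings,
    resolved,
    // Alert when the score dropped or a new high/critical finding appeared
    alert: current.score < previous.score || worstNew >= SEVERITY_RANK.high,
  };
}

function formatReport(domain, previous, current) {
  const diff = compareScans(previous, current);
  const sign = diff.scoreDelta >= 0 ? '+' : '';
  const lines = [`Weekly report for ${domain}: grade ${previous.grade} -> ${current.grade} (score ${sign}${diff.scoreDelta})`];
  for (const f of diff.newFindings) lines.push(`  NEW [${f.severity}] ${f.module}: ${f.title}`);
  for (const f of diff.resolved) lines.push(`  FIXED ${f.module}: ${f.title}`);
  if (diff.alert) lines.push('  ACTION REQUIRED');
  return lines.join('\n');
}

// Constructed sample results for two consecutive weeks (not real scan output)
const LAST_WEEK = {
  grade: 'B', score: 82,
  findings: [
    { module: 'headers', severity: 'medium', title: 'Missing Content-Security-Policy' },
    { module: 'dns_email', severity: 'medium', title: 'DMARC policy is p=none' },
  ],
};
const THIS_WEEK = {
  grade: 'C', score: 71,
  findings: [
    { module: 'headers', severity: 'medium', title: 'Missing Content-Security-Policy' },
    { module: 'ports', severity: 'high', title: 'Port 6379 (Redis) reachable from the internet' },
  ],
};

console.log(formatReport('example.test', LAST_WEEK, THIS_WEEK));
```

Keying findings by module and title, rather than comparing whole objects, is what lets the report say "fixed" for the DMARC issue and "new" for the exposed port even when other fields (remediation text, timestamps) change between runs.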

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.


Have questions about reading your scan results? Drop them in the comments.


Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.
