Start a scan

ComplianceLayer — Sun, 12 Apr 2026 20:33:48 +0000

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

Is your SSL certificate properly configured? What cipher suites are you advertising?
Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
What ports are publicly reachable from the internet right now?
Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
Cipher strength (no RC4, DES, or export-grade ciphers)
Certificate validity and expiry buffer
HSTS header with appropriate max-age
Certificate transparency logs

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks. Most modern CDNs will help, but bare-metal configs often miss this.

2. DNS Configuration

DNS is the phonebook of the internet and it's a goldmine for attackers:

SPF (Sender Policy Framework): Without it, anyone can send email as your domain
DMARC: Even with SPF, without DMARC you have no enforcement or visibility
DNSSEC: Protects against DNS poisoning and cache hijacking
Open zone transfers: Should be restricted to authorized nameservers only
Dangling DNS: Old DNS records pointing to decommissioned resources (a very common takeover vector)

3. HTTP Security Headers

These are one-line config changes that provide significant protection:

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Most sites are missing at least 3-4 of these.

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server, a VPN concentrator, or a forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Returns a job_id, then poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"

The response gives you:

Overall grade (A-F)
Score (0-100)
Module-by-module breakdown: ssl, dns_email, headers, ports, dnssec, blacklists, waf, etc.
Specific findings with severity (critical/high/medium/low)
Remediation steps for each issue

Free tier is 10 scans/month — more than enough to audit your key domains.

Building it into your workflow

If you're an MSP or developer, the API is what makes this powerful:

// Example: automated domain health check in Node.js
const axios = require('axios');

async function checkDomain(domain) {
  const { data } = await axios.post('https://compliancelayer.net/v1/scan/', 
    { domain },
    { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
  );

  // Poll until complete
  let result;
  do {
    await new Promise(r => setTimeout(r, 5000));
    const poll = await axios.get(
      `https://compliancelayer.net/v1/scan/jobs/${data.job_id}`,
      { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
    );
    result = poll.data;
  } while (result.status !== 'completed');

  return result.result;
}

You can use this to:

Onboard clients: Scan their domain before engagement, show them their grade
Continuous monitoring: Weekly automated reports
Pre-sales: Build a free tool that shows prospects their grade → captures email
Insurance prep: Document your security posture before renewal

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.

Have questions about reading your scan results? Drop them in the comments.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

How to check your domain's external security posture for free

ComplianceLayer — Mon, 23 Mar 2026 22:56:47 +0000

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

Is your SSL certificate properly configured? What cipher suites are you advertising?
Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
What ports are publicly reachable from the internet right now?
Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
Cipher strength (no RC4, DES, or export-grade ciphers)
Certificate validity and expiry buffer
HSTS header with appropriate max-age

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks.

2. DNS Configuration

SPF: Without it, anyone can send email as your domain
DMARC: Even with SPF, without DMARC you have no enforcement or visibility
DNSSEC: Protects against DNS poisoning and cache hijacking
Dangling DNS: Old DNS records pointing to decommissioned resources

3. HTTP Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Most sites are missing at least 3-4 of these.

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server or forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"

Free tier is 10 scans/month — more than enough to audit your key domains.

Real-world example

I scanned acehardware.com:

Grade: A | Score: 96
0 critical issues, 1 high (headers), 4 medium

Compare that with a typical SMB — they usually score C-D range with missing HSTS, no DMARC, and open admin ports.

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.

Have questions about reading your scan results? Drop them in the comments.

DEV Community: ComplianceLayer

Start a scan

The 4 layers that matter

1. SSL/TLS

2. DNS Configuration

3. HTTP Security Headers

4. Open Ports

How to check this automatically (for free)

Building it into your workflow

The bottom line

How to check your domain's external security posture for free

The 4 layers that matter

1. SSL/TLS

2. DNS Configuration

3. HTTP Security Headers

4. Open Ports

How to check this automatically (for free)

Real-world example

The bottom line