SSL Certificate Checker
Grade your SSL/TLS configuration with checks for TLS version, cipher suites, certificate details, HSTS, and security headers. Get actionable recommendations for an A+ security rating.
Why SSL/TLS Configuration Matters
SSL/TLS encryption is the foundation of web security. It encrypts data in transit between the user's browser and your server, preventing eavesdropping, tampering, and impersonation. A properly configured SSL setup does more than just show the padlock icon — it ensures that your encryption actually protects against modern attacks, that your certificate chain is valid and trusted, and that security headers prevent common web vulnerabilities like XSS, clickjacking, and downgrade attacks.
Misconfigured SSL is surprisingly common and can be worse than no SSL at all, because it creates a false sense of security. A site using TLS 1.0 with RC4 ciphers is technically encrypted but trivially breakable. A site with a valid certificate but no HSTS header is vulnerable to SSL stripping attacks on public WiFi. A site with HTTPS but no Content-Security-Policy is still vulnerable to cross-site scripting. This tool evaluates your complete security posture, not just certificate validity.
TLS Version Matters
TLS 1.3, standardized in 2018, is a significant security and performance improvement over TLS 1.2. It removed all legacy cipher suites (including those vulnerable to BEAST, POODLE, and Sweet32 attacks), reduced the handshake from 2 round-trips to 1, and added 0-RTT resumption for repeat connections. With 97%+ browser support in 2026, TLS 1.3 should be your primary protocol. TLS 1.2 is an acceptable fallback for the remaining 3% of clients, but configure it with only AEAD cipher suites (AES-GCM, ChaCha20-Poly1305). TLS 1.0 and 1.1 should be disabled entirely — they have known vulnerabilities and are rejected by all modern browsers.
Certificate Types Explained
Domain Validated (DV): Verifies only that you control the domain. Let's Encrypt provides these for free. DV certificates are sufficient for 99% of websites. They provide the same level of encryption as EV certificates.
Organization Validated (OV): Verifies domain ownership plus the organization's legal existence. Costs $50-200/year. Provides slightly more trust for business sites but browsers do not display OV status differently from DV. The practical benefit over DV is minimal.
Extended Validation (EV): Verifies domain, organization, and physical address. Costs $100-500/year. Previously displayed the organization name in a green address bar, but Chrome and Firefox removed this UI in 2019. EV certificates no longer provide a visible trust indicator. They are not recommended for most websites — the cost and validation time are not justified by any user-visible or SEO benefit.
Self-Signed: Never use self-signed certificates on public websites. Browsers display scary security warnings that most users cannot bypass. Use Let's Encrypt for free, trusted certificates.
Essential Security Headers
Strict-Transport-Security (HSTS): Tells browsers to only use HTTPS for your domain. Prevents SSL stripping attacks and eliminates the HTTP-to-HTTPS redirect on subsequent visits (saving 100-300ms). Use max-age=31536000; includeSubDomains. For maximum protection, submit your domain to the HSTS preload list at hstspreload.org.
Content-Security-Policy (CSP): The most powerful security header. Specifies which sources of content (scripts, styles, images, fonts) are allowed on your page. A strict CSP prevents XSS attacks by blocking inline scripts and unauthorized external resources. Start with report-only mode to identify violations, then enforce once clean.
X-Content-Type-Options: nosniff: Prevents browsers from MIME-sniffing a response away from the declared content type. This stops attacks where an uploaded file with a misleading extension would otherwise be interpreted by the browser as a script or an HTML page. Always include this header — it is a single line with no configuration complexity.
X-Frame-Options: DENY: Prevents your page from being embedded in an iframe, protecting against clickjacking attacks. Use DENY unless you specifically need iframe embedding, in which case use SAMEORIGIN. Modern CSP's frame-ancestors directive supersedes X-Frame-Options but include both for backwards compatibility.
Referrer-Policy: Controls how much referrer information is sent when navigating away from your site. strict-origin-when-cross-origin is the recommended value: it sends the full URL for same-origin requests and only the origin (domain) for cross-origin requests, balancing privacy with analytics functionality.
Permissions-Policy: Controls which browser features (camera, microphone, geolocation, payment) your page can use. Disable features you do not need to reduce your attack surface. Example: Permissions-Policy: camera=(), microphone=(), geolocation=() disables all three features.
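The checks described in the TLS Version and Essential Security Headers sections above, written out as a small grader in Python. This is an added example, not the checker's own code; the protocol names, cipher suite names and response headers it scores are constructed sample data, and the set of accepted header values is an assumption drawn from this page's recommendations.

```python
# Added example, not the checker's own code; scan data below is constructed.
AEAD_TAGS = ("GCM", "CHACHA20", "CCM")   # AEAD suites the page allows for TLS 1.2
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")   # protocols the page says to disable
ONE_YEAR = 31536000                       # HSTS max-age the page recommends
REQUIRED = {                 # header -> accepted values (None = any non-empty value)
    "content-security-policy": None,     # the report-only variant enforces nothing
    "x-content-type-options": ("NOSNIFF",),
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "referrer-policy": None,
    "permissions-policy": None,
}

def check_tls(versions, ciphers):
    """versions: protocol names the server offers; ciphers: its TLS 1.2 suite names."""
    issues = []
    if "TLSv1.3" not in versions:
        issues.append("TLS 1.3 not offered")
    issues += [f"legacy protocol enabled: {v}" for v in LEGACY if v in versions]
    issues += [f"non-AEAD cipher enabled: {c}" for c in ciphers
               if not any(tag in c.upper() for tag in AEAD_TAGS)]
    return issues

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    parts = [p.strip().lower() for p in value.split(";")]
    ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
    return (ages[0] if ages else 0, "includesubdomains" in parts, "preload" in parts)

def check_headers(headers):
    """Flag each page-recommended header that is missing or weakly set."""
    h = {k.lower(): v.strip() for k, v in headers.items()}   # names are case-insensitive
    issues = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("HSTS missing")
    else:
        max_age, subs, _ = parse_hsts(hsts)   # preload flag matters only for hstspreload.org
        if max_age < ONE_YEAR:
            issues.append("HSTS max-age below one year")
        if not subs:
            issues.append("HSTS lacks includeSubDomains")
    for name, allowed in REQUIRED.items():
        val = h.get(name, "")
        if not val or (allowed and val.upper() not in allowed):
            issues.append(f"{name} missing or weak")
    return issues

# Constructed sample of a weakly configured server (not a real host).
WEAK_VERSIONS, WEAK_CIPHERS = ["TLSv1", "TLSv1.2"], ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"}
```

Running check_tls(WEAK_VERSIONS, WEAK_CIPHERS) and check_headers(WEAK_HEADERS) on the constructed sample reports the missing TLS 1.3, the legacy TLS 1.0 listener, the non-AEAD suite, the short HSTS lifetime and each absent header.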
Frequently Asked Questions
What TLS version should I use in 2026?
TLS 1.3 exclusively if possible, TLS 1.2 minimum. TLS 1.3 is faster and more secure with 97%+ browser support. Disable TLS 1.0 and 1.1 entirely.
Is an SSL certificate necessary for SEO?
Yes — HTTPS is a Google ranking signal and Chrome marks HTTP sites as "Not Secure." Free certificates from Let's Encrypt eliminate cost barriers.
What is HSTS and should I enable it?
HSTS forces browsers to use HTTPS only. It prevents SSL stripping attacks and eliminates redirect latency. Yes, enable it on all HTTPS sites.
What security headers should every website have?
HSTS, Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, and Permissions-Policy.
How do I get a free SSL certificate?
Let's Encrypt via Certbot: "sudo certbot --nginx". Free, automated, auto-renewing. Cloudflare also provides free SSL through its proxy.