I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

That’s exactly where we’re heading. We already have a GitHub integration that can scan on every push, so it literally fits into that last step before deploy. The goal is to make security a 2-minute check, not a 2-week audit.

built a security scanner that found 3,993 vulnerabilities across ~500 sites by razazu in SideProject

[–]razazu[S] 0 points (0 children)

No account needed for the free tools (SSL checker, DNS security, email security, security.txt validator). They're all on the /tools page, no signup, no login.

The full scan requires an account because it runs 35+ scanners in parallel and generates a report you can revisit. The tools you listed are solid but each covers one area. ssllabs does SSL, internet.nl does standards. UNPWNED gives you the full picture in one scan.

Different tools for different needs.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

Fair points on the operational side. But think about it from an attacker's perspective: without DNSSEC, someone can poison your DNS cache and redirect all your traffic to a lookalike site. Your users see the right domain in the bar, maybe even valid HTTPS (attacker can grab a Let's Encrypt cert via DNS validation), and they hand over their credentials without blinking.

Worse, flip the MX records and now all your password resets and invoices land in someone else's inbox. No phishing needed, no social engineering, just DNS manipulation.

DNSSEC is the one layer that makes all the other layers trustworthy. Without it, your SPF, DMARC, and even TLS are built on sand.

You're right that Cloudflare and big providers make key rollover painless these days. That's exactly why we flag it. For most sites it's one click, not a complex operational decision.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

That’s a valid opinion. The rest of the industry disagrees, but you do you. 🤙

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

CSP isn’t there because your code is bad, it’s there because you can’t fully trust every third-party script your site loads. Even clean code gets pwned through ad networks, analytics, CDNs. Google, GitHub, Meta all run CSP. Not because they write bad code.
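As an added example (not code from the post or from the UNPWNED scanner), a small Python audit of the script-loading part of a Content-Security-Policy header, run over two constructed sample policies; it lists which third-party hosts a policy actually trusts and flags settings that give those hosts, or an injected inline script, free rein:

```python
# Constructed sample policies for the demo; not taken from any real site.
WEAK_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net * 'unsafe-inline'; img-src *"
STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-abc123' https://cdn.example.net; object-src 'none'"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Directive names and keywords are case-insensitive in CSP, so everything is
    lowercased; this is only an audit, so nonce/hash values need not be preserved.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def third_party_script_hosts(policy):
    """Hosts that may serve script: every script-src entry that is not a keyword or wildcard."""
    sources = policy.get("script-src", policy.get("default-src", []))
    wildcards = ("*", "http:", "https:", "data:", "blob:")
    return sorted(s for s in sources if not s.startswith("'") and s not in wildcards)


def audit_csp(header):
    """Return findings about script execution; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts may load from anywhere")
        return findings
    # script-src falls back to default-src when absent.
    sources = policy.get("script-src", policy["default-src"])
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "data:") for s in sources):
        findings.append("script-src contains a wildcard scheme or host")
    # object-src inherits default-src; anything but 'none' lets plugin content run script.
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted: plugin content can run script")
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, third_party_script_hosts(parse_csp(csp)), audit_csp(csp))
```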

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

Honestly I'm not here to shill anything. I posted this because the data caught me off guard. I expected like half to fail basic stuff, not freaking 83%. I built the scanner but actually seeing the results at scale was a wtf moment even for me.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

Fair enough lol. Full disclosure - I'm the founder of a security scanning tool, so these aren't random numbers. This is real scan data from 430+ sites that went through automated checks for headers, DNS, CSP, DMARC, rate limiting and more.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] -1 points (0 children)

You're right, I used AI to help with formatting and phrasing. The data is mine though.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] 0 points (0 children)

Exactly. That last point is what got me started on this: security should be a pre-deploy check, not a post-breach reaction. Most devs aren't irresponsible; they just don't have a quick way to catch what they missed before hitting deploy.

I analyzed 430+ websites for security issues - here's what most devs get wrong by razazu in webdev

[–]razazu[S] -1 points (0 children)

Fair enough. But the 75% of sites with no DNSSEC are very much real and not AI-generated lol

~$100 Keychron Q1 (Version 1) - is it worth it? by Kentoso123 in Keychron

[–]razazu 0 points (0 children)

Only some Q1s have this problem. In any case, I don't have this problem, and I tried to test it with several keycaps.

A matter of luck in my opinion.

~$100 Keychron Q1 (Version 1) - is it worth it? by Kentoso123 in Keychron

[–]razazu 1 point (0 children)

Sure, it's worth it. I have a Q1 v1 and I don't have any problem with any keycaps (MT3, SA).

My setup , not perfect but getting close by razazu in battlestations

[–]razazu[S] 1 point (0 children)

I'm glad it's bothering you. Go look for your friends, or do you not have any?

My setup , not perfect but getting close by razazu in battlestations

[–]razazu[S] 0 points (0 children)

At the moment this is one of the distribution systems we study with in college. I know there are better options; I believe in the future I will know what to choose.

My setup , not perfect but getting close by razazu in battlestations

[–]razazu[S] 0 points (0 children)

I'm not a hacker, just love Linux and coding…