SSL/TLS Checker
Checks HTTPS configuration, HSTS header and preload status, mixed-content risks, HTTP→HTTPS redirect chain, and certificate transparency. Fast alternative to SSL Labs for quick site audits.
How to Use SSL/TLS Checker
- 1Enter the website URL or domain.
- 2The tool checks HTTPS connectivity, HSTS header, redirect chain, and mixed content.
- 3Review HSTS preload status and certificate transparency.
- 4Follow recommendations to fix any SSL/TLS configuration issues.
Zenovay
Track your website performance
Real-time analytics, session replay, heatmaps, and AI insights. 2-minute setup, privacy-first.
Related Tools
Password GeneratorGenerate strong, random passwords with customizable length, characters, and complexity.
Password Strength CheckerCheck how strong your password is. Get an estimated crack time and improvement suggestions.
HMAC GeneratorGenerate HMAC signatures using SHA-256, SHA-384, or SHA-512 with the Web Crypto API.
AES Encryption/DecryptionEncrypt and decrypt text using AES-GCM with PBKDF2 key derivation. Runs entirely in your browser.
Frequently Asked Questions
What does this SSL/TLS checker test?▾
It checks: (1) whether HTTPS is reachable and the connection succeeds, (2) whether HTTP redirects to HTTPS with a 301/302 redirect, (3) the HSTS header (max-age, includeSubDomains, preload directives), (4) HSTS preload list status via hstspreload.org, (5) mixed content — HTTP resources on an HTTPS page, and (6) the HTTP→HTTPS redirect chain.
What is HSTS and why does my site need it?▾
HTTP Strict Transport Security (HSTS) tells browsers that your site must always be accessed via HTTPS, even if the user types http://. Without HSTS, an attacker on the same WiFi network can perform SSL stripping — intercepting the initial HTTP request before the redirect and serving a fake HTTP version of your site. HSTS prevents this by making browsers always use HTTPS from the first request.
What is the HSTS preload list?▾
The HSTS preload list is a list of domains hardcoded into browsers (Chrome, Firefox, Safari, Edge) that are always accessed via HTTPS, before any HTTP request is ever made. This eliminates even the first-visit vulnerability. To be eligible, your site needs HSTS with max-age≥31536000, includeSubDomains, and preload. You can submit at hstspreload.org.
What is mixed content and why is it blocked?▾
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. Modern browsers block "active" mixed content (scripts, stylesheets, iframes) that could be tampered with. "Passive" mixed content (images, audio, video) may show a security warning. Even passive mixed content can leak data — HTTP requests reveal what HTTPS page the user is on.
My HTTPS works — why is my score not A?▾
HTTPS connectivity alone is just the baseline. A high score also requires: HSTS header with a long max-age (≥1 year), includeSubDomains to cover subdomains, a 301 redirect from HTTP, no mixed content, and ideally HSTS preload status. Each missing element reduces the score.
Does this tool check my SSL certificate expiry date?▾
This tool checks whether HTTPS is currently working (which requires a valid, unexpired certificate) but does not show the specific expiry date. For detailed certificate information (expiry date, issuer, SANs, cipher suite), use SSL Labs' SSL Test at ssllabs.com/ssltest — it provides a comprehensive cryptographic audit though it takes longer to run.
What is the "upgrade-insecure-requests" CSP directive?▾
The CSP directive `upgrade-insecure-requests` tells browsers to automatically convert HTTP subrequests (images, scripts, API calls) to HTTPS before making them. This is a quick fix for mixed content issues caused by hardcoded http:// URLs in your HTML or CSS. It doesn't fix the root cause (the wrong URLs), but prevents browser warnings.