HTTPS / SSL checker. Reach + cert + CAA.
Enter a domain. We test HTTPS reachability live, fetch recent certificates from Certificate Transparency (crt.sh), and check CAA DNS records (Cloudflare DoH) — composite TLS posture verdict.
Sources used
- crt.sh — free public Certificate Transparency log search
- RFC 6962 — Certificate Transparency
- RFC 8659 — DNS CAA Resource Record
- RFC 8446 — TLS 1.3
- Cloudflare DNS-over-HTTPS — used for CAA lookup
- SSL Labs SSL Test — for deeper cipher + chain analysis (no CORS support, so run it directly on their site)
- Mozilla Observatory — for security-headers grade (no CORS support, so run it directly on their site)
The domain is sent to three public APIs: a direct fetch (HTTPS reach), crt.sh (cert history), Cloudflare DoH (CAA records). Digital Heroes does not log queries. Each upstream has its own privacy policy.
HTTPS plus CAA hardening.
Modern TLS posture is more than just "the green padlock." Three layers matter: HTTPS reachability (does the cert validate), certificate transparency hygiene (every issued cert is in crt.sh's public log), and CAA records (RFC 8659 DNS-level authorization that prevents rogue CAs from issuing certs for your domain). The composite checker above tests all three and produces a TLS posture grade. For deeper cipher + chain analysis, the result panel links out to SSL Labs and Mozilla Observatory.
Three TLS hardening steps every site should ship. One, HTTPS-only with HSTS — the HTTP Strict Transport Security header tells browsers never to attempt HTTP for the domain (max-age=63072000; includeSubDomains; preload). Two, CAA DNS records — limit issuance to your CA of record (Let's Encrypt for most; DigiCert/Sectigo for enterprise). Three, TLS 1.3 only on origin and CDN — disable TLS 1.0/1.1/1.2 where possible (modern browsers all support 1.3 since ~2020).
Tools in the same cluster: DNS Lookup for the broader DNS view (CAA + DNSSEC + MX). SPF/DKIM/DMARC Checker for email-side TLS hardening. HTTP Headers Checker for HSTS verification.
Five answers.
What does this checker actually verify?
Three composite checks. One, live HTTPS reachability — does the browser successfully fetch https://yourdomain (covers TLS handshake + cert validity + chain trust). Two, recent certificates from Certificate Transparency log (crt.sh) — every TLS cert issued for the domain in the last few months, including issuer (Let's Encrypt, DigiCert, Sectigo, etc.) and validity dates. Three, CAA DNS record lookup via Cloudflare DoH — confirms which Certificate Authorities are authorized to issue certs for the domain (a critical hardening control).
Why does HTTPS matter for SEO in 2026?
Google has required HTTPS for indexing since 2014 and penalizes mixed-content pages. Browsers (Chrome, Firefox, Safari, Edge) display HTTP pages with prominent 'Not Secure' warnings since 2018. Users on HTTP-only checkout flows see security warnings that drop conversion. The composite ranking + UX + conversion impact makes HTTPS table-stakes; the 1% of sites still on HTTP are leaving substantial revenue on the table.
What's a CAA record and why care?
CAA (Certification Authority Authorization, RFC 8659) is a DNS record that says only specific Certificate Authorities are allowed to issue certs for your domain. Without CAA, any CA can issue a cert for any domain (subject to ownership verification). With CAA, an attacker who tricks a different CA into issuing a fraudulent cert is blocked. Adding CAA to your DNS (e.g., 'CAA 0 issue "letsencrypt.org"') is a 5-minute hardening step that materially improves your TLS posture.
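How a CA is expected to read those records under RFC 8659, as an added example (not this checker's own code). It assumes the records arrive as presentation-format strings like the one quoted above and already form the relevant RRset for the name (no DNS tree climbing); `parseCaa`, `mayIssue` and the sample records are hypothetical.

```javascript
// Added example: evaluate a CAA RRset the way RFC 8659 asks a CA to.
// SAMPLE_RRSET is constructed; parseCaa and mayIssue are hypothetical names.
const SAMPLE_RRSET = [
  '0 issue "letsencrypt.org"',
  '0 issuewild ";"',
  '0 iodef "mailto:security@example.com"',
];
const KNOWN_TAGS = new Set(["issue", "issuewild", "iodef"]);

// Parse one record in presentation form: <flags> <tag> "<value>"
function parseCaa(data) {
  const m = /^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$/.exec(data);
  if (!m) throw new Error(`unparseable CAA record: ${data}`);
  return {
    critical: (Number(m[1]) & 0x80) !== 0, // issuer-critical flag bit
    tag: m[2].toLowerCase(),               // tags match case-insensitively
    // Issuer domain is the text before any ";" parameters; "" means no CA.
    issuer: m[3].split(";")[0].trim().toLowerCase(),
  };
}

// May caDomain issue for a name whose relevant RRset is `rrset`?
function mayIssue(rrset, caDomain, { wildcard = false } = {}) {
  const records = rrset.map(parseCaa);
  // A critical record with a tag the CA does not understand forbids issuance.
  if (records.some((r) => r.critical && !KNOWN_TAGS.has(r.tag))) return false;
  const issue = records.filter((r) => r.tag === "issue");
  const issuewild = records.filter((r) => r.tag === "issuewild");
  // For wildcard names, issuewild records replace issue records when present.
  const relevant = wildcard && issuewild.length > 0 ? issuewild : issue;
  // No issue/issuewild property (empty RRset, iodef only): no restriction.
  if (relevant.length === 0) return true;
  const ca = caDomain.toLowerCase();
  return relevant.some((r) => r.issuer !== "" && r.issuer === ca);
}

console.log("letsencrypt.org, plain name:", mayIssue(SAMPLE_RRSET, "letsencrypt.org"));
console.log("digicert.com, plain name:", mayIssue(SAMPLE_RRSET, "digicert.com"));
console.log("letsencrypt.org, wildcard:",
  mayIssue(SAMPLE_RRSET, "letsencrypt.org", { wildcard: true }));
```

An empty RRset returns `true` for every CA, which is the "any CA can issue" default the paragraph describes.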
Why use crt.sh instead of just connecting to the cert?
Browsers do not expose certificate details to JavaScript via the fetch API — there's no programmatic way to read the cert chain from a client-side script. Certificate Transparency (RFC 6962) requires every public CA to log every cert it issues; crt.sh aggregates these logs into a free queryable API. Querying crt.sh by domain returns the full cert history (when issued, who issued, when expires) without needing to parse the live TLS handshake.
Does this tool save my data?
The domain you enter is sent to three public APIs: a fetch to https://yourdomain (the actual reach test), a query to crt.sh for cert history, and a Cloudflare DoH query for CAA records. Nothing is logged on Digital Heroes servers. Each upstream API has its own privacy policy linked in the Sources panel.
TLS grade below A?
Our web development engagements ship full TLS hardening — HTTPS-only with HSTS preload, CAA DNS records, TLS 1.3 origin + CDN, OCSP stapling, security-headers grade A on Mozilla Observatory.