UnveilTech

UnveilScan Blog

Domain security guides, deep-dives, field notes


📊 Data & stats

📊 We scanned the Cloudflare Top 1000 — here's what we found

2026-04-29 · 6 min · data
The web's most popular sites, scored. Average grade is C. Apple's Chinese mirror beats Stripe. Instagram and Baidu are at 20/100.

🔥 The 10 most common CRITICAL findings across 5,200 scans

2026-04-29 · 8 min · data
Real numbers from our production database. Reputation listings + TLS 1.0 dominate. Each one explained with the fix.

What 89 checkers actually return on a fresh nginx server

2026-04-29 · 8 min · tutorial
Vanilla nginx on Debian 13, point UnveilScan at it. Score 54/D. Here's the fix-everything snippet that gets to 91/A in 5 minutes.

🔒 TLS & PKI

🔒 Why google.com still serves TLS 1.0 in 2026

2026-04-29 · 6 min · TLS
Two openssl probes prove it. So does Cloudflare. Here's why the world's biggest CDNs still negotiate deprecated protocols.

🪪 Let's Encrypt killed OCSP — now what?

2026-04-29 · 5 min · PKI
In mid-2025 LE shut down their OCSP responder. `ssl_stapling on;` on a fresh LE cert is now a silent no-op.

🛂 CAA records: who can issue certs for your domain

2026-04-29 · 5 min · DNS
A two-line DNS record that tells the world's CAs which one is allowed to issue certs for you. Cheap, simple, real protection.

47-day cert lifetimes: what changes for ACME automation

2026-04-29 · 5 min · PKI
CA/B Forum voted, Apple and Google sponsored. By 2029, every public cert renews every 6 weeks. Here's the playbook.

📜 Reading a CT log: your domain's certificate history

2026-04-29 · 6 min · PKI
Every TLS cert ever issued for your domain is logged publicly. Attackers query crt.sh. Here's how to read your own logs.

✉ Email security

DMARC alignment: the field everyone misconfigures

2026-04-29 · 6 min · DMARC
You set up DMARC, SPF and DKIM. You think you're done. Then a phishing campaign sails through anyway because adkim=r.

🔢 The 10-DNS-lookup limit in SPF (and how to stay under)

2026-04-29 · 6 min · SPF
RFC 7208 §4.6.4 caps SPF at 10 DNS queries. Cross it and your record permerrors silently. Here's how to count and flatten.

🔑 DKIM key rotation: why nobody does it

2026-04-29 · 6 min · DKIM
Industry guidance says rotate every 6 months. Modal age in our database: 4-7 years. Here's the dual-selector dance.

📨 MTA-STS: the email TLS cousin nobody talks about

2026-04-29 · 5 min · MTA-STS
DMARC stops spoofing of From. MTA-STS stops downgrade attacks on the SMTP transport itself. ~3% of domains deploy it.

📜 Web security

📜 Reading a CSP header without crying

2026-04-29 · 8 min · CSP
CSP looks like a wall of directives. Underneath there are exactly seven things that matter. Real examples from production.

🛢 The forgotten /actuator endpoint

2026-04-29 · 6 min · Spring
Spring Boot's actuator endpoints expose the JVM heap, env vars and request logs to anyone. Two CRITICAL findings in our DB came from /actuator/heapdump.

🗺 Source maps in production

2026-04-29 · 5 min · build
A .map file alongside your bundle.min.js gives anyone with browser dev tools your unminified source. Webpack/Vite default to this.

🔗 Subresource Integrity (SRI) in 2026

2026-04-29 · 5 min · SRI
The integrity attribute that protects you from compromised CDNs. When it helps, and when it is theatre. A practical guide.

🍪 Cookie flags audit: Secure / HttpOnly / SameSite

2026-04-29 · 5 min · cookies
Three flags should be on every auth cookie. Plus the __Host- prefix. Audit + fixes for nginx, Apache, Express, Django.

⚠ Attack surface

Subdomain takeover: a 5-minute guide

2026-04-29 · 7 min · DNS
Forgotten blog.example.com still points to a dead Heroku app. An attacker registers the freed slug and serves whatever they want.

🛡 Origin behind CDN: when your WAF doesn't matter

2026-04-29 · 7 min · DNS
You put your site behind Cloudflare. Meanwhile mail.yourdomain.com still resolves to your real OVH IP, and your SPF lists it.

🎭 Typosquatting: how attackers register your-bank-typ0.com

2026-04-29 · 6 min · brand
The 6 mutation strategies attackers use to register your domain typo'd. Detection, response, prevention.

🚩 Bulletproof hosting: which ASNs are red flags

2026-04-29 · 5 min · reputation
A curated list of ASNs that abuse researchers consistently flag as bulletproof. Sources, criteria, sanctioned countries.

🛡 Compliance

🎯 PCI-DSS 4.0 vs SSL Labs: why our scores diverge

2026-04-29 · 5 min · compliance
A domain that gets A+ on SSL Labs can drop to D on UnveilScan. Same handshake, same cert. Different yardstick.

📑 What changed in PCI-DSS 4.0 vs 3.2.1

2026-04-29 · 6 min · compliance
The engineer's-eye summary of relevant PCI-DSS 4.0 deltas for web and email. TLS 1.2+, MFA enforced, CSP on payment pages.

🇫🇷 ANSSI Reco-TLS R1 in plain English

2026-04-29 · 5 min · ANSSI
The French national cybersecurity agency's TLS recommendations, distilled for engineers. R1 through R20+ that matter.

🇪🇺 NIS 2: cybersecurity for organizations that didn't sign up

2026-04-29 · 6 min · NIS-2
The EU NIS 2 directive expands cybersecurity obligations to medium and large entities across 18 sectors. Are you in scope?

🛠 Operations

📊 How we benchmark domains: scoring methodology

2026-04-29 · 6 min · scoring
Weights (DNS 20 / TLS 30 / WEB 30 / EMAIL 20), severity penalties (5/15/30/60), what we ignore on purpose.

🔧 From scan to remediation: a walkthrough

2026-04-29 · 9 min · walkthrough
A real production domain, every finding fixed live. Score 64 → 92 in two hours. Each fix is a copy-paste snippet.

🤖 CI integration: blocking PRs on score regression

2026-04-29 · 6 min · CI
unveilscan-cli + GitHub Action that blocks a PR if it introduces new HIGH+ findings. 5 minutes to set up.

📈 Reading our findings.csv for executive reporting

2026-04-29 · 5 min · reporting
11 columns, structured, paste-into-spreadsheet ready. Mapping severity to priority, compliance, monthly trend tracking.