https://unveilscan.com/blog/ Domain security guides, deep-dives and field notes from the UnveilScan team. TLS, DMARC, CSP, subdomain takeover, scoring methodology — what we learn while scanning the web. en-us Copyright 2026, Unveiltech support@unveiltech.com (UnveilScan team) support@unveiltech.com (UnveilScan team) Wed, 29 Apr 2026 19:00:00 +0000 https://unveilscan.com/og-image.png https://unveilscan.com/blog/ https://unveilscan.com/blog/cloudflare-top-1000-stats.html https://unveilscan.com/blog/cloudflare-top-1000-stats.html Wed, 29 Apr 2026 09:00:00 +0000 data The web's most popular sites, scored. Average is C. Apple's Chinese mirror beats Stripe. https://unveilscan.com/blog/top-10-critical-findings.html https://unveilscan.com/blog/top-10-critical-findings.html Wed, 29 Apr 2026 09:05:00 +0000 data Real numbers from our production database. Reputation listings + TLS 1.0 dominate. Each one with a fix. https://unveilscan.com/blog/89-checkers-fresh-nginx.html https://unveilscan.com/blog/89-checkers-fresh-nginx.html Wed, 29 Apr 2026 09:10:00 +0000 tutorial Vanilla nginx scored 54/D. Here's the fix-everything snippet to get to 91/A in 5 minutes. https://unveilscan.com/blog/google-tls-1-0-still-alive.html https://unveilscan.com/blog/google-tls-1-0-still-alive.html Wed, 29 Apr 2026 09:15:00 +0000 TLS Two openssl probes prove it. So does Cloudflare. Why CDNs still negotiate deprecated protocols. https://unveilscan.com/blog/lets-encrypt-ocsp-shutdown.html https://unveilscan.com/blog/lets-encrypt-ocsp-shutdown.html Wed, 29 Apr 2026 09:20:00 +0000 PKI ssl_stapling on; on a fresh LE cert is now a silent no-op. Here's what to look at instead. https://unveilscan.com/blog/caa-records-explained.html https://unveilscan.com/blog/caa-records-explained.html Wed, 29 Apr 2026 09:25:00 +0000 DNS A two-line DNS record that limits which CA can mint certs for you. Cheap, simple, real protection. https://unveilscan.com/blog/cert-47-day-lifetimes.html https://unveilscan.com/blog/cert-47-day-lifetimes.html Wed, 29 Apr 2026 09:30:00 +0000 PKI CA/B Forum vote. By 2029, every public cert renews every 6 weeks. Playbook for your renewal pipeline. https://unveilscan.com/blog/reading-ct-logs.html https://unveilscan.com/blog/reading-ct-logs.html Wed, 29 Apr 2026 09:35:00 +0000 PKI Every TLS cert ever issued is logged publicly. Attackers query crt.sh. Here's how to read your own logs. https://unveilscan.com/blog/dmarc-alignment.html https://unveilscan.com/blog/dmarc-alignment.html Wed, 29 Apr 2026 09:40:00 +0000 DMARC SPF + DKIM + DMARC set up but phishing still passes. Why? adkim=r and From: doesn't match what DKIM signed. https://unveilscan.com/blog/spf-10-dns-lookup-limit.html https://unveilscan.com/blog/spf-10-dns-lookup-limit.html Wed, 29 Apr 2026 09:45:00 +0000 SPF RFC 7208 §4.6.4 caps SPF at 10 DNS queries. Cross it and your record permerrors silently. https://unveilscan.com/blog/dkim-key-rotation.html https://unveilscan.com/blog/dkim-key-rotation.html Wed, 29 Apr 2026 09:50:00 +0000 DKIM Industry says rotate every 6 months. Modal age in our database: 4-7 years. The dual-selector dance. https://unveilscan.com/blog/mta-sts-guide.html https://unveilscan.com/blog/mta-sts-guide.html Wed, 29 Apr 2026 09:55:00 +0000 MTA-STS DMARC stops spoofing of From. MTA-STS stops downgrade attacks on the SMTP transport itself. https://unveilscan.com/blog/reading-a-csp.html https://unveilscan.com/blog/reading-a-csp.html Wed, 29 Apr 2026 10:00:00 +0000 CSP Underneath the wall of directives, exactly seven things matter. Real examples from production sites. https://unveilscan.com/blog/actuator-spring-boot-info-disclosure.html https://unveilscan.com/blog/actuator-spring-boot-info-disclosure.html Wed, 29 Apr 2026 10:05:00 +0000 Spring actuator endpoints expose JVM heap, env vars, request logs to anyone. Default config exposes more than people realise. https://unveilscan.com/blog/source-maps-prod.html https://unveilscan.com/blog/source-maps-prod.html Wed, 29 Apr 2026 10:10:00 +0000 build A .map file alongside your bundle.min.js gives anyone with browser dev tools your unminified source. https://unveilscan.com/blog/sri-2026.html https://unveilscan.com/blog/sri-2026.html Wed, 29 Apr 2026 10:15:00 +0000 SRI The integrity attribute that protects you from compromised CDNs. Useful when, theatre when. https://unveilscan.com/blog/cookie-flags-audit.html https://unveilscan.com/blog/cookie-flags-audit.html Wed, 29 Apr 2026 10:20:00 +0000 cookies Three flags should be on every auth cookie. Plus the __Host- prefix. Audit + fixes for major frameworks. https://unveilscan.com/blog/subdomain-takeover-guide.html https://unveilscan.com/blog/subdomain-takeover-guide.html Wed, 29 Apr 2026 10:25:00 +0000 DNS Forgotten blog.example.com still points to a dead Heroku app. An attacker registers the freed slug. https://unveilscan.com/blog/origin-behind-cdn.html https://unveilscan.com/blog/origin-behind-cdn.html Wed, 29 Apr 2026 10:30:00 +0000 DNS You put your site behind Cloudflare. Meanwhile mail.yourdomain.com still resolves to your real OVH IP. https://unveilscan.com/blog/typosquatting-detection.html https://unveilscan.com/blog/typosquatting-detection.html Wed, 29 Apr 2026 10:35:00 +0000 brand The 6 mutation strategies attackers use to register your domain typo'd. Detection, response, prevention. https://unveilscan.com/blog/bulletproof-asn-list.html https://unveilscan.com/blog/bulletproof-asn-list.html Wed, 29 Apr 2026 10:40:00 +0000 reputation A curated list of ASNs that abuse researchers consistently flag as bulletproof. https://unveilscan.com/blog/pci-dss-4-vs-ssl-labs.html https://unveilscan.com/blog/pci-dss-4-vs-ssl-labs.html Wed, 29 Apr 2026 10:45:00 +0000 compliance A domain that gets A+ on SSL Labs can drop to D on UnveilScan. Same handshake, different yardstick. https://unveilscan.com/blog/pci-dss-4-changes.html https://unveilscan.com/blog/pci-dss-4-changes.html Wed, 29 Apr 2026 10:50:00 +0000 compliance Engineer's-eye summary of relevant deltas for web and email. TLS 1.2+, MFA, CSP on payment pages. https://unveilscan.com/blog/anssi-reco-tls-r1.html https://unveilscan.com/blog/anssi-reco-tls-r1.html Wed, 29 Apr 2026 10:55:00 +0000 ANSSI The French national cybersecurity agency's TLS recommendations distilled for engineers. https://unveilscan.com/blog/nis-2-directive.html https://unveilscan.com/blog/nis-2-directive.html Wed, 29 Apr 2026 11:00:00 +0000 NIS-2 The EU NIS 2 directive expands cybersecurity obligations across 18 sectors. Are you in scope? https://unveilscan.com/blog/scoring-methodology.html https://unveilscan.com/blog/scoring-methodology.html Wed, 29 Apr 2026 11:05:00 +0000 scoring Documenting our weighting (DNS 20 / TLS 30 / WEB 30 / EMAIL 20), severity penalties, exclusions. https://unveilscan.com/blog/scan-to-remediation-walkthrough.html https://unveilscan.com/blog/scan-to-remediation-walkthrough.html Wed, 29 Apr 2026 11:10:00 +0000 walkthrough A real production domain, every finding fixed live. Score 64 → 92 in two hours. https://unveilscan.com/blog/ci-integration-github-action.html https://unveilscan.com/blog/ci-integration-github-action.html Wed, 29 Apr 2026 11:15:00 +0000 CI unveilscan-cli + GitHub Action that blocks a PR if it introduces new HIGH+ findings. https://unveilscan.com/blog/findings-csv-exec-reporting.html https://unveilscan.com/blog/findings-csv-exec-reporting.html Wed, 29 Apr 2026 11:20:00 +0000 reporting 11 columns, paste-into-spreadsheet ready. Mapping severity to priority, compliance, monthly trend. https://unveilscan.com/blog/tls13-0rtt-replay.html https://unveilscan.com/blog/tls13-0rtt-replay.html Wed, 29 Apr 2026 12:00:00 +0000 TLS 0-RTT saves a round trip but accepts replayable application data. Attack model, real-world bypasses, why most teams should disable it. https://unveilscan.com/blog/mtls-service-to-service.html https://unveilscan.com/blog/mtls-service-to-service.html Wed, 29 Apr 2026 12:05:00 +0000 TLS SPIFFE/SPIRE landscape, certificate rotation patterns, failure modes nobody warns you about. Two years of production mTLS. https://unveilscan.com/blog/post-quantum-tls.html https://unveilscan.com/blog/post-quantum-tls.html Wed, 29 Apr 2026 12:10:00 +0000 crypto ML-KEM, hybrid key exchange, X25519MLKEM768. What Chrome and Cloudflare turned on. Harvest-now-decrypt-later threat model. https://unveilscan.com/blog/dnssec-contrarian.html https://unveilscan.com/blog/dnssec-contrarian.html Wed, 29 Apr 2026 12:15:00 +0000 opinion DNSSEC failures take you offline. Real outages from .nl, Slack, Microsoft. The threat model it protects vs the one that hits you. https://unveilscan.com/blog/dane-smtp-binding.html https://unveilscan.com/blog/dane-smtp-binding.html Wed, 29 Apr 2026 12:20:00 +0000 EMAIL TLSA records bind your mail server cert to DNS via DNSSEC. Why MTA-STS isn't enough, the rotation gotchas. https://unveilscan.com/blog/wildcard-dns-attack-surface.html https://unveilscan.com/blog/wildcard-dns-attack-surface.html Wed, 29 Apr 2026 12:25:00 +0000 recon A *.example.com hides hundreds of subdomains from CT logs and routes attacker-chosen labels to your origin. Detection and cleanup. https://unveilscan.com/blog/http-request-smuggling.html https://unveilscan.com/blog/http-request-smuggling.html Wed, 29 Apr 2026 12:30:00 +0000 WEB CL.TE, TE.CL, the ambiguity between front-end and back-end parsers. Why we don't probe and what to run instead. https://unveilscan.com/blog/ssrf-defense.html https://unveilscan.com/blog/ssrf-defense.html Wed, 29 Apr 2026 12:35:00 +0000 WEB Why allowlists fail. Layered defense from Slack, Stripe, Vercel. IMDSv2, egress proxies, network namespaces. https://unveilscan.com/blog/open-redirect-2026.html https://unveilscan.com/blog/open-redirect-2026.html Wed, 29 Apr 2026 12:40:00 +0000 WEB Low impact until it isn't. OAuth flow chaining, phishing pretext stamping, the right validation pattern. https://unveilscan.com/blog/dependency-confusion.html https://unveilscan.com/blog/dependency-confusion.html Wed, 29 Apr 2026 12:45:00 +0000 supply-chain Birsan's 2021 attack still works. Scoped packages, private registry isolation, what we surface during scans. https://unveilscan.com/blog/webauthn-passkeys.html https://unveilscan.com/blog/webauthn-passkeys.html Wed, 29 Apr 2026 12:50:00 +0000 auth Synced passkeys, attestation, RP ID scoping, account recovery. State of WebAuthn for consumer + enterprise apps. https://unveilscan.com/blog/trusted-types-dom-xss.html https://unveilscan.com/blog/trusted-types-dom-xss.html Wed, 29 Apr 2026 12:55:00 +0000 CSP The CSP directive that makes innerHTML throw unless minted by a server-controlled policy. Migration plan and gotchas. https://unveilscan.com/blog/coop-coep-corp.html https://unveilscan.com/blog/coop-coep-corp.html Wed, 29 Apr 2026 13:00:00 +0000 WEB Three headers that unlock SharedArrayBuffer and protect against Spectre. Deployment order, third-party-resource gotchas. https://unveilscan.com/blog/bimi-vmc.html https://unveilscan.com/blog/bimi-vmc.html Wed, 29 Apr 2026 13:05:00 +0000 EMAIL BIMI displays your logo next to authenticated emails. Requires DMARC enforcement and a $1500-$3000/year VMC. https://unveilscan.com/blog/wordpress-scoring-lower.html https://unveilscan.com/blog/wordpress-scoring-lower.html Wed, 29 Apr 2026 13:10:00 +0000 case study WordPress installs cluster at 50-65/100. Static sites at 70-85. The 6-finding checklist that gets you to a B.