| Field | Value |
|---|---|
| {{ row.label }} | {{ row.value }} |
| Endpoint | Grade | Protocols | Trust | HSTS | OCSP | Leaf expiry | Issues |
|---|---|---|---|---|---|---|---|
| {{ row.endpoint }} | {{ row.grade }} | {{ row.protocols }} | {{ row.trust }} | {{ row.hsts }} | {{ row.ocsp }} | {{ row.leafExpiry }} | {{ row.issues }} |
| Role | Subject | Issuer | Expires | Days | Key | Signature | Signals |
|---|---|---|---|---|---|---|---|
| {{ row.role }} | {{ row.subject }} | {{ row.issuer }} | {{ row.expires }} | {{ row.days }} | {{ row.keyProfile }} | {{ row.signature }} | {{ row.signals }} |
| Endpoint | Trusted | Root stores | Chain | Notes |
|---|---|---|---|---|
| {{ row.endpoint }} | {{ row.trusted }} | {{ row.rootStores }} | {{ row.chain }} | {{ row.notes }} |
| Priority | Signal | Impact | Recommended action |
|---|---|---|---|
| {{ row.priority }} | {{ row.signal }} | {{ row.impact }} | {{ row.action }} |
Public HTTPS health is not just a question of whether a certificate exists. Modern sites are judged by the whole transport picture: the certificate chain, supported TLS versions, negotiated ciphers, revocation signaling, transport policy, and the fact that one hostname can land on several endpoint IPs that do not behave the same way. This checker turns that broad surface into one host-level report.
That matters whenever a host is about to renew, has just moved behind a new load balancer, or starts producing browser trust warnings that are too vague to diagnose from the address bar alone. The page checks one hostname, waits for a live scan to finish, and then condenses the returned endpoint data into a summary you can read before drilling into the deeper evidence.
The result is useful because it keeps site-wide and endpoint-specific views together. A clean-looking hostname can still hide one stale backend with an older protocol mix or an earlier expiry date. A site that appears broken from one vantage point can also be operationally mixed rather than universally bad. This tool makes that distinction visible instead of collapsing everything into one unexplained letter grade.
People still say SSL when they mean transport security on the web, but current deployments are really using TLS, the successor protocol. The name of the tool matches common search language, while the underlying evidence it reports is transport-layer TLS behavior such as TLS 1.3 support, forward secrecy, HSTS, certificate validity timing, and endpoint-specific vulnerability flags.
It is still a live external scan, not a private local probe. The hostname is submitted to the public analyzer path used by the package, and the result depends on what that analyzer can observe from its own vantage point at that moment. That makes the tool strong for operational diagnostics and weak for confidential internal-only inventories.
The quickest reliable workflow is to run a cached check first, then decide whether a fresh scan is necessary. Cached mode is usually enough when you are confirming a known state, checking a host you reviewed recently, or comparing two runs close together in time. A fresh deep scan is more useful right after a certificate swap, a CDN rule change, or a load-balancer reconfiguration where stale analyzer results would confuse the story.
The summary strip should be read as triage, not as a verdict. It answers the first practical questions: which host was checked, how many endpoint IPs were seen, whether TLS 1.3 and forward secrecy showed up anywhere, whether OCSP stapling or HSTS appeared, whether any vulnerability labels were raised, and how soon the earliest observed certificate expires. If those badges already look wrong, the endpoint table is usually the next stop.
Full endpoint details are worth enabling when the likely problem is inconsistency. That is the setting that unlocks the deeper per-endpoint certificate, chain, protocol, and cipher views. Without it, the page can still summarize the hostname, but the later evidence is thinner and therefore less useful for explaining why one endpoint differs from another.
The biggest reading mistake is to treat the host's headline grade as an average. This package intentionally rolls the site grade from the alphabetically earliest endpoint grade, which makes the weakest returned endpoint visible quickly. That is useful for operations, because one weak edge node can still produce real customer failures. It also means the site badge should be read as a conservative warning signal, not as a balanced score.
| Question | Best starting view | Why that view matters |
|---|---|---|
| Are all endpoint IPs configured the same way? | Endpoint Grades | Shows endpoint-by-endpoint grade, TLS 1.3, forward secrecy, OCSP, HSTS, and vulnerability rollups. |
| Which certificate expires first? | Site Snapshot followed by Certificate Details | Surfaces the earliest deadline first, then lets you inspect the relevant certificate facts. |
| Is the chain itself the problem? | Chain Timeline | Separates validity timing and chain structure from the rest of the transport report. |
| Is the issue protocol or cipher support rather than the certificate? | Protocol Coverage and Cipher Suites | Expose the transport negotiation surface instead of hiding it behind a single grade. |
The package validates one hostname, then polls the public SSL Labs analyze endpoint until the scan reaches a terminal state. In cached mode it requests previously computed results up to the selected age limit. In deep mode it asks the analyzer to start a new run. The script keeps updating its loading state while the analyzer reports progress, because a multi-endpoint transport check can take long enough that a single request-response pattern would look broken.
Once the analyzer returns a ready payload, the page builds its own host summary from the endpoint rows rather than treating one API field as authoritative for everything. That distinction matters. The result can contain several endpoints, each with its own grade, certificate timing, protocol coverage, cipher list, and security flags. The package turns those into one site-level view by applying a few consistent rollup rules.
The earliest expiry signal is computed from the shortest remaining certificate lifetime across endpoints. Presence badges such as TLS 1.3, forward secrecy, OCSP stapling, HSTS, and vulnerability signals are promoted when at least one endpoint reports them. The overall grade is deliberately conservative: it is derived from the alphabetically earliest endpoint grade, which effectively surfaces the weakest letter-grade result in the returned set.
The deeper tabs preserve evidence at the right level of detail. The certificate table stays focused on certificate facts. The chain view is about timing and hierarchy. The protocol and cipher views stay close to transport negotiation. The JSON tab retains the normalized result so the scan can be archived or compared later without forcing you to scrape visible tables by hand.
| Output | What the package actually reports | What it does not guarantee |
|---|---|---|
| Overall grade | A conservative host rollup based on the weakest letter-grade endpoint returned by the analyzer. | A traffic-weighted or region-weighted average across all infrastructure. |
| Expires in N days | The earliest observed endpoint expiry horizon. | That every endpoint shares the same renewal date or certificate. |
| TLS 1.3, forward secrecy, OCSP, HSTS badges | Presence indicators promoted from endpoint evidence. | Uniform support on every returned endpoint. |
| Vulnerability label | A compact signal that one or more endpoints were flagged by the analyzer. | An application-security review beyond transport configuration. |
| Surface | Primary use | Exports available in the package |
|---|---|---|
| Site Snapshot | Fast host-level transport summary. | CSV copy, CSV download, DOCX export. |
| Endpoint Grades | Endpoint consistency check across IPs. | CSV copy, CSV download, DOCX export. |
| Grade Distribution and Protocol Coverage | Charted view of endpoint grades and selected endpoint protocol support. | PNG, WebP, JPEG, and CSV. |
| Certificate Details and Chain Timeline | Certificate facts and validity timing for the selected endpoint. | CSV copy, CSV download, DOCX export. |
| Cipher Suites and JSON | Negotiation details and full normalized scan record. | CSV copy, CSV download, JSON copy, JSON download. |
The most useful reading order is host summary first, endpoint evidence second. If the host summary looks strong but the endpoint table is mixed, the operational issue is inconsistency rather than universal failure. If every endpoint is weak in the same way, the problem is much more likely to be a shared certificate, policy, or transport configuration choice.
Expiry should be interpreted pessimistically on purpose. The page shows the earliest deadline it saw, because one forgotten edge node can still break customer traffic. That makes the badge a practical operations signal even when the rest of the estate renews later.
Protocol and cipher views are support surfaces, not guaranteed client outcomes. They tell you what the analyzer observed for the selected endpoint, not what every browser, every client TLS stack, or every regional route will negotiate in every case. They are still valuable because they show whether the endpoint is offering transport options that do not match your policy.
The page therefore works best as a transport diagnostics layer. It is good at surfacing renewal risk, weak endpoint parity, and protocol or cipher exposure. It is not a complete application-security assessment, and it is not a substitute for checking the actual server or load-balancer configuration that produced the result.
A hostname resolves to several endpoint IPs after a CDN change. The host summary still looks mostly healthy, but the endpoint table shows one IP with the weakest grade and an earlier expiry horizon. That is the kind of partial deployment problem the checker is built to surface quickly.
An operator first runs a cached check to see the recent known state, then runs a fresh deep scan after the replacement certificate has propagated. If the newer run changes the earliest expiry badge and certificate rows while the cached run does not, the difference is freshness rather than random analyzer noise.
A compliance review flags a host for transport weakness. Exporting the endpoint grades, chain timing, and protocol coverage gives a much clearer operational record than handing over one site-level letter grade with no supporting context.
The common label is SSL, but modern web transport security is TLS. The page reports current TLS posture while keeping the familiar search term in the tool name.
Because one hostname can map to several endpoints with different transport behavior. The endpoint table is where you confirm consistency.
Cached mode can reuse a recent analyzer result. Deep mode asks for a fresh scan, which is better after a real configuration change.
No. The hostname is submitted to the external analyzer path the package uses, so treat the target as disclosed to that scanning service.
No. It shows observed transport posture for the scanned hostname and its returned endpoints. It does not assess application logic, content security, or access control.