Tooling
Use multiple tools; each sees different issues.
CLI scanners
- testssl.sh: deep TLS scan.
- sslscan/sslyze: protocol/cipher analysis.
- nmap scripts (ssl-enum-ciphers, http-security-headers).
Header/CSP helpers
- Mozilla Observatory (scanner + guidance).
- OWASP Dependency-Check/ZAProxy for broader testing.
Workflow
- Automate scans in CI; fail on regressions.
- Keep a baseline and track changes after deploys.
In brief
Combine a few well-known open-source tools to cover TLS, headers, and app checks without breaking the bank.
5-minute checklist
- TLS scan:
nmap --script ssl-enum-ciphers -p 443 domain.tld - Headers: fetch and review with
curl -I - Certificate chain/expiry:
openssl s_client -connect domain.tld:443 - Basic crawler for broken links:
linkcheckeror similar - Automate in CI: run on every deploy and keep reports