Welcome to Hardenize!

We'd like to show you an early version of a new tool we're working on. As you're playing with it, please remember this:

  • Ignore any bugs you encounter. This is only a proof-of-concept release that we will be refining in the following months.
  • We wanted to show the wide range of functionality that we want to cover, but most of the tests we have today are incomplete.
  • This is just our public report; our commercial product will reuse the core technology, but it will focus on continuous assessment and collaborative features.

The problem we want to solve is this...

Less than 1% of all web sites use modern security features

Whichever way you look at it, there are many effective security technologies that we can use today, and yet only a small number of deployments do.

WHOIS, DNS, DNSSEC, DANE, CAA, SMTP, STARTTLS, CAs, X.509, SPF, DKIM, DMARC, IPv4, IPv6, HTTP/2, SSL, TLS, HSTS, CSP, HPKP, RC4, SHA, cookies, mixed content, SRI, privacy, ...

As it stands today, security is too complex

Few people can dedicate themselves to understanding all the technologies individually, let alone how they work together.

As a result, we have to work hard to secure systems only after they have been deployed. This approach is not only inefficient, but also doesn't work very well. We need to try something else.

Hardenize helps organizations deploy the latest security standards

Our goal is to build security in, engage developers and system administrators from the start, and make security fun.

Thank you!

Please have a look around and let us know what you think.

Hardenize Roadmap

Current status: Alpha

We’re currently reasonably happy with the report design, user interface, and overall usability. Although we’re planning to continue with UI improvements in the future, our primary focus now is on improving the assessments. Most tests we’re currently showing need further refinement. We’re planning additional tests, but generally not until we substantially improve the ones that are already covered.

In parallel, we’re working on our “real” application. What you can see now is our public report, which sacrifices detail for brevity. Our complete application will provide much more detail as well as support continuous assessment and reporting.

Version 1.0 Alpha (Almost done!)

In this section you can see the implementation status of our assessment features. Our plan is to stay in alpha until all the features listed below are implemented. Once in beta, we will continue to polish the user interface and start to work on our grading algorithm.

Name servers: Show the name server configuration obtained during assessment.
DNSSEC: In this first release, we're testing if DNSSEC is supported and correctly configured.
CAA: Show CAA configuration for the domain name.
TLS: Thorough TLS assessment: supported protocols, cipher suites, and order preference.
Certificates: Show all certificates used for SMTP.
DANE: Show DANE information for SMTP. Verify configuration and show pinned certificates.
SPF: Fetch, validate, and display SPF policy. At the moment, we're showing only the main SPF configuration; we will recursively fetch all referenced policies and provide configuration advice.
DMARC: Fetch, validate, and display DMARC policy.
HTTP (80): Show full HTTP transaction information, including redirects.
HTTPS (443): Show full HTTP transaction information, including redirects.
TLS: Thorough TLS assessment: supported protocols, cipher suites, order preference, etc.
Certificates: Show all certificates used for HTTP. Need better indication of self-signed certificates as well as better presentation of the root store tests.
DANE: Show DANE information for HTTP. Verify configuration and show pinned certificates.
Cookies: Show all cookies. Detect insecure session cookies. Planning to add support for same-site cookies and name prefixes.
Mixed content: Inspect web page HTML to detect mixed content.
HSTS: Fetch, validate, and display active HSTS policy. Check if the hostname is preload-ready. Check for preloading, including the waiting list. Check for inconsistent HSTS policies and policies delivered over plaintext.
HPKP: Fetch, validate, and display HPKP policy. Show pinned certificates.
CSP: Fetch, validate, and display all provided CSP policies.
Subresource Integrity: Inspect web page HTML to discover remote resources. Detect and validate SRI usage.
Frame Options: Show and check the X-Frame-Options header.
XSS Protection: Show and check the X-XSS-Protection header.
Content Type Options: Show and check the X-Content-Type-Options header.

Version 1.0 Beta

Once in beta, we expect to give wider audiences access to Hardenize. We will then focus on the following aspects of the product:

  • Fine-tuning of the assessments
  • User interface polish
  • Quality control and regression testing
  • Development of grading criteria
  • Documentation (e.g., remediation guidance)