
What's new in SecRift 1.2
SecRift 1.2 is our biggest scan expansion yet - six new checks that cover your HTTPS setup, security headers, and DNS delegation, plus a cleaner report that puts the problems worth fixing first.
SecRift 1.1 widened what a single scan tells you about your mail. SecRift 1.2 turns that same attention on the rest of your external surface - the certificate and TLS configuration a browser negotiates, the headers your site sends back, and the DNS delegation that everything else depends on. Six new checks join every scan, and the report gets easier to read. Here's what changed.
Your web-facing surface, now scanned
Four of the new checks connect to your site on 443 and inspect what a real client sees. They run automatically on every scan.
- TLS certificate - SecRift validates the certificate your server presents: the trust chain, remaining validity, weak signatures, certificate transparency, and stapling, and it queries the CA to confirm the certificate hasn't been revoked. Read TLS certificate best practices.
- TLS configuration - the protocol versions, ciphers, and key exchanges your server actually accepts. SecRift flags legacy protocols, weak ciphers and curves, missing forward secrecy, and other settings that weaken an otherwise valid setup. Read TLS configuration best practices.
- TLS vulnerabilities - a check for the well-known weaknesses that live in the TLS layer itself, tested against your live service rather than guessed from a banner. Read what TLS vulnerabilities are.
- HTTP security headers - the response headers that harden a site in the browser, from Content-Security-Policy to HSTS. SecRift checks which ones you send and whether they're set up to do their job. Read about HTTP security headers.
Deeper scrutiny of your DNS
The other two new checks look below your records, at the delegation and issuance surface most tools skip.
- DNS quality - the health of your delegation itself: lame nameservers, inconsistent SOA data, servers that answer recursively when they shouldn't, and zones that will hand over a full transfer to anyone who asks. Read DNS delegation and exposure.
- DNS CAA - the records that decide which certificate authorities may issue for your domain. SecRift also catches a dangerous edge case: a dangling ACME validation delegation that could let someone else get a certificate issued in your name. Read CAA and your certificate issuance surface.
Sharper versions of checks you already run
We tightened two existing checks so they catch more of what matters:
- DNSSEC now grades NSEC3 iteration counts, so a zone signed with outdated, expensive parameters no longer passes silently. Read what DNSSEC is.
- SPF now flags records that lean on too many void lookups, a common cause of SPF quietly failing at the receiver. Read what SPF is.
A report that leads with what to fix
As scans surface more findings, most of them are things you already got right. So the report now hides passing and skipped results by default and leads with what needs your attention. Nothing is gone - one click brings the full picture back - but the first thing you see is the shortlist worth acting on.
Behind the scenes, we improved IPv6 support across our scanning, so IPv6-only hosts are now tested the same way as IPv4.
More on the way
This release continues the plan from day one: keep expanding the checks and the tooling behind them. There's more coming - additional checks, deeper analysis, and reporting that helps you act faster on what a scan surfaces.
Run a free scan on any domain at secrift.com and see the new checks in action.

