New with improved tests for TLS and CSP

March 15, 2021
As of today you can use a new version of with improved tests for TLS and Content Security Policy. Furthermore, there are several changes, such as improved support for non-mail domains and the extension of the minimum HSTS cache validity period. Have fun with even better testing on modern Internet standards!

Latest TLS guidelines from NCSC-NL supported

The recently updated IT security guidelines for Transport Layer Security (TLS) from NCSC-NL have led to the following changes in the website and mail test:

  1. The security level of TLS 1.2 is downgraded from Good to Sufficient (guideline B1-1). TLS 1.3 is still Good. This has no impact on the test result, because we already considered Sufficient TLS versions to be enough to succeed for the subtest. However, we have included the downgrade in the test explanation of the TLS version subtest.
  2. The requirements for the ordering of algorithm selections have been simplified. Only the security level now determines the prescribed ordering (guideline B2-5). We have adjusted the cipher order subtest of accordingly.
  3. Supporting client-initiated renegotation is no longer Insufficient, but Sufficient (guideline B8-1). changed the requirement level for the client-initiated renegotation subtest into 'Optional'.

CSP settings evaluated

Content-Security-Policy (CSP) guards a website against content injection attacks including cross-site scripting (XSS). We now check for several (in)secure CSP settings (like unsafe-inline and unsafe-eval), although we do not exhaustively test the effectiveness of your CSP configuration. The requirement level of the CSP subtest has been raised from 'Optional' to 'Recommended'.

Non-mail domains better supported

We now explicitly check for non-sending and non-receiving mail configurations, and expect the following.

  • Non-sending domain: Use the most strict DMARC policy (p=reject) and SPF policy (-all) for your domain that you do not use for sending mail in order to prevent abuse ('spoofing'). Note that DKIM is not necessary in this case.
  • Non-receiving domain: In case you do not want to receive mail on your domain that has A/AAAA records, we advise you to use Null MX. In case your domain does not have A/AAAA records and you do not want to receive mail on it, we advise you to configure no MX record at all (i.e. even not an Null MX record).

Minimum max-age for HSTS extended

HTTP Strict Transport Security (HSTS) forces a web browser to connect directly via HTTPS when revisiting your website. This helps preventing man-in-the-middle attacks. We have decided to extend the mimimum HSTS cache validity period from 6 months to 1 year (max-age=31536000). This is in conformance with the common good practice.

Further details on the above improvements can be found in the test explanations of the relevant subtests of the website test and the email test.


The test tool is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone.

Release notes v1.3:

  • New:

    • NCSC-NL's TLS guidelines 2.1;
    • Validate CSP directives;
    • Support non email sending domains in mailtest for DKIM test;
    • Explicitly test for NULL MX;
    • Keep and display the organizational domain for DMARC;
    • 100% badges page in knowledge base;
    • Ignore nonces for IPv4 vs IPv6 comparison;
    • Accessibility statement for;
    • Use IDNA2008.
  • Changes:

    • Minimum max-age for HSTS is now 1 year;
    • Accept all 3xx+3xx and 3xx+2xx DANE rollover schemes;
    • Ignore PKIX TLSA records for email test;
    • Make X-Frame-Options optional and no longer consider ALLOW-FROM as sufficiently secure.
  • Bugfixes:

    • Detect more ciphers that are available only with the modern openssl library;
    • Better exception handling for untrusted certificate in OCSP check;
    • Better exception handling for invalid IDNs.