Open source release including 'security headers'

February 21, 2019
As of today the source code of is available under an open source license, making it possible to verify its workings and run your own local instance. Furthermore we added a new test category for application security options or security headers.

Open source

The software source code of is published under the Apache License, version 2.0 on Github. was made possible by using and combining other open source software. The main open source building blocks of are Python 3, Django, PostgreSQL, Celery, Redis, RabbitMQ, nassl, unbound/libunbound and Postfix. Please see copyright page for further information.

Test for application security options

The website test has a new test category for application security options. These settings can be sent to the browser via HTTP headers and are often referred to as 'security headers'. The new category contains tests for X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy and Referrer-Policy. For the latter two we check for their existence but do not evaluate the effectivenes of the configured policy. Currently the results of the new tests do not impact the overall score.


The test tool is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the internet community and the Dutch government. The platform's mission is to jointly promote the use of modern internet standards keeping the internet reliable and accessible for everybody. ECP provides for the administrative home of the platform. NLnet Labs is responsible for the technical realisation and implementation of the test tool.

Release notes

  • New features:
    • New "Security Options" for the website test to check security HTTP headers;
  • Changes:
    • DMARC verification now uses Mozilla's public suffix list for finding the organizational domain;
    • DMARC validation now gives a warning if rua/ruf is not valid;
    • Added link to test explanation on connection results;
    • New way of showing verdict for failed categories;
  • Bug fixes:
    • Fixed DMARC external report addresses and validation when multiple URIs;
    • Ignore MX records that include 'localhost';
    • Home page statistics numbers sometimes weren't adding up;
    • Several content improvements.