How to Evaluate Domain Security

A 6-point checklist for assessing domain security posture, from tracker inventory to historical pattern analysis.

The Domain Security Checklist

Evaluating a domain's security requires looking beyond surface-level indicators. The following six-point checklist covers the observable signals that reveal a domain's true security posture.

1. Tracker Inventory

Catalog all third-party scripts loading on the domain. Identify which are advertising trackers, which are analytics, and which are functional dependencies. A domain loading 15+ trackers from ad networks presents a fundamentally different risk profile than one loading 2 analytics scripts. Cross-reference detected trackers against known databases like EasyPrivacy and WhoTracks.me to classify their purpose and data collection scope.

2. Configuration Stability

Check whether security settings remain consistent across scans. A domain that fluctuates between having and missing CSP headers, or that intermittently drops HSTS, may indicate unstable deployment processes or inconsistent infrastructure. Stable configuration is a prerequisite for reliable security — a header that appears 50% of the time provides 0% protection.

3. Infrastructure Reliability

Verify TLS configuration, certificate validity, and protocol version. Domains should use TLS 1.3 (or at minimum TLS 1.2 with strong cipher suites), have valid certificates from trusted authorities, and enforce HSTS to prevent downgrade attacks. Mixed content (loading HTTP resources on HTTPS pages) is a red flag that undermines the entire encryption chain.

4. Volatility Score

Measure how much the domain's security posture fluctuates over time. High volatility — large score swings between scans — suggests operational instability, frequent configuration changes, or inconsistent deployment practices. Low volatility with a high score indicates mature, well-maintained security infrastructure. GeckoAdvisor calculates a volatility index for domains with multiple scans, helping distinguish genuinely secure domains from those that happen to look good on a single check.

5. Privacy Posture

Assess fingerprinting detection, cookie practices, and data collection scope. Canvas fingerprinting, WebGL probing, and audio context analysis allow tracking without cookies and are nearly invisible to users. Cookie security flags (HttpOnly, Secure, SameSite) determine whether session data can be intercepted. The combination of fingerprinting with extensive tracking scripts indicates aggressive data collection beyond what most users expect.

6. Historical Pattern

Review the domain's security history for regressions and improvements. A domain that has steadily improved its score over months demonstrates investment in security. One that shows sudden drops may have experienced configuration drift, infrastructure changes, or deliberate relaxation of privacy controls. Historical patterns also reveal whether changes are sustained or temporary — a brief improvement followed by regression suggests one-time fixes rather than systematic practice.
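The configuration stability, volatility and historical pattern checks above all reduce to questions about a series of scans. The following worked example, added here and not GeckoAdvisor's own code, shows one way to compute those signals from a scan history: per-header consistency (an intermittent header is treated as absent), a volatility figure from scan-to-scan score deltas, and a trend label using the IMPROVING / STABLE / DECLINING / VOLATILE vocabulary. The required-header list, the thresholds and the sample histories are assumptions for illustration, not the scanner's real parameters.

```python
from dataclasses import dataclass
from statistics import pstdev

# Headers whose presence the checklist expects on every scan (assumed list).
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security")


@dataclass(frozen=True)
class Scan:
    score: int             # overall security score for this scan, 0-100
    headers: frozenset     # lowercase names of security headers observed


def header_consistency(scans):
    """Fraction of scans in which each required header was present."""
    return {h: sum(h in s.headers for s in scans) / len(scans) for h in REQUIRED_HEADERS}


def reliable_headers(scans):
    """Headers seen on every scan; a header that flaps provides no protection."""
    return sorted(h for h, frac in header_consistency(scans).items() if frac == 1.0)


def volatility(scans):
    """Population std dev of scan-to-scan score deltas (0.0 with fewer than 2 scans)."""
    deltas = [b.score - a.score for a, b in zip(scans, scans[1:])]
    return round(pstdev(deltas), 2) if deltas else 0.0


def classify_trend(scans, vol_threshold=8.0, drift_threshold=5):
    """Assumed heuristic: VOLATILE when deltas swing widely, otherwise compare
    the newest score with the oldest. Thresholds are illustrative only."""
    if len(scans) < 2:
        return "STABLE"
    if volatility(scans) > vol_threshold:
        return "VOLATILE"
    drift = scans[-1].score - scans[0].score
    if drift >= drift_threshold:
        return "IMPROVING"
    if drift <= -drift_threshold:
        return "DECLINING"
    return "STABLE"


# Constructed sample histories (oldest first), not real scan data.
ALL = frozenset(REQUIRED_HEADERS)
HSTS_ONLY = frozenset({"strict-transport-security"})
STEADY = [Scan(s, ALL) for s in (70, 74, 79, 83, 86)]
FLAPPING = [Scan(85, ALL), Scan(60, HSTS_ONLY), Scan(88, ALL), Scan(58, HSTS_ONLY), Scan(90, ALL)]

if __name__ == "__main__":
    for name, hist in (("steady", STEADY), ("flapping", FLAPPING)):
        print(name, classify_trend(hist), volatility(hist), reliable_headers(hist))
```

The flapping history scores well on three of five scans yet loses its CSP on every other one, which is exactly the case where a single-check view would be misleading.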

How to Automate This

Running this checklist manually against every domain is impractical at scale. The Domain Intelligence API provides programmatic access to all six checklist dimensions:

  • Scan endpoints return tracker counts, fingerprinting detection, cookie analysis, and security header status in a single request
  • Stability endpoints provide volatility index, trend classification (IMPROVING, STABLE, DECLINING, VOLATILE), and confidence tier
  • Change detection tracks score deltas, tracker additions and removals, and fingerprinting status changes between scans
  • Historical data enables trend analysis over weeks and months, not just point-in-time snapshots

Integrate these endpoints into your security monitoring pipeline to run continuous domain assessments without manual intervention.

What GeckoAdvisor Checks

GeckoAdvisor's automated scanner covers all six checklist items through a single scan. The scanner loads the target domain in a real browser environment, captures all network requests, analyzes cookies and headers, checks TLS configuration, and detects fingerprinting scripts.

Results are scored using a deterministic algorithm with published category weights and penalty caps. Every finding includes specific evidence — the exact tracker URL, the missing header name, the insecure cookie — so you can verify findings independently.

For the full scoring breakdown, see the methodology page.