gitea.io

15-check dossier · scoreboard above, section details below

Get a pack →

Scanning…

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

resolving dmarc…

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

inspecting web surface…

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.

gitea.io

15-check dossier · scoreboard above, section details below

Get a pack →

1 high-severity finding · 6 items need attention in total

Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.

Pass: 9
Warn: 5
Fail: 1

What an auditor would flag first

high
DMARC
no DMARC record — spoofing risk
SOC 2 CC6.7ISO 27001 A.13.2.1
medium
SPF
~all softfail — receivers may still accept
SOC 2 CC6.7ISO 27001 A.13.2.1
medium
Redirect chain
redirects to different domain: gitea.com
SOC 2 CC6.6

Need this as an artifact your auditor can verify?

Your gitea.io scan flagged 1 high and 3 medium and 2 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.

Get a pack →See methodology See a sample$29

Scanning…

15-check summary

DNS recordsA/AAAA records present
MX2 MX record(s) present
SPF~all softfail — receivers may still accept
DMARCno DMARC record — spoofing risk
DKIMno DKIM selectors found — likely not configured
TLS certificatecert valid for 201 days
Redirect chainredirects to different domain: gitea.com
Security headers6 security header(s) missing
CORSno CORS headers — cross-origin requests blocked by default
Web surfaceHTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STSnot applicable: no _mta-sts TXT record
TLS-RPTnot applicable: no TLSRPT record
DNSSECDNSSEC not configured — no DS or DNSKEY records found
WHOISdomain registered until 2028-06-03
Certificate Transparencycheck failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

dns

info

Open standalone →

A/AAAA records present

Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).

A: ttl=60 52.85.31.54
ttl=60 52.85.31.114
ttl=60 52.85.31.26
ttl=60 52.85.31.5
AAAA: ttl=60 2600:9000:201d:4a00:8:efb6:a680:93a1
ttl=60 2600:9000:201d:800:8:efb6:a680:93a1
ttl=60 2600:9000:201d:be00:8:efb6:a680:93a1
ttl=60 2600:9000:201d:6200:8:efb6:a680:93a1
ttl=60 2600:9000:201d:7600:8:efb6:a680:93a1
ttl=60 2600:9000:201d:0:8:efb6:a680:93a1
ttl=60 2600:9000:201d:aa00:8:efb6:a680:93a1
ttl=60 2600:9000:201d:4200:8:efb6:a680:93a1
NS: ttl=172800 ns-1454.awsdns-53.org.
ttl=172800 ns-173.awsdns-21.com.
ttl=172800 ns-2029.awsdns-61.co.uk.
ttl=172800 ns-955.awsdns-55.net.
SOA: ttl=900 ns-2029.awsdns-61.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
CAA: ttl=300 \# 20 00 05 69 73 73 75 65 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d
ttl=300 \# 22 00 05 69 73 73 75 65 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67
ttl=300 \# 15 00 05 69 73 73 75 65 70 6b 69 2e 67 6f 6f 67
ttl=300 \# 18 00 05 69 73 73 75 65 73 65 63 74 69 67 6f 2e 63 6f 6d
TXT: ttl=3600 "_globalsign-domain-verification=78YQkZa0jUZz3fbOqCSPgGaeP8Z9Ph_y1AtqN-K6Hk"
ttl=3600 "google-site-verification=rV_zuxLtm6JlGLCYjvaVLoOhoyDIrs1TgiXMPqjIJ0E"
ttl=3600 "google-site-verification=uV9NAomy0NXbEhuAzwri4-IiY0_MgvfI7pf-5MTu2dY"
ttl=3600 "v=spf1 include:zoho.com ~all"

fetched 2026-05-23T10:39:20.478Z

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

2 MX record(s) present

Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).

pri=10 mx.zoho.com.
pri=20 mx2.zoho.com.

fetched 2026-05-23T10:39:20.807Z

mx

info

Open standalone →

resolving mx…

spf

medium

Open standalone →

~all softfail — receivers may still accept

Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).

Recommendations

Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection

v=spf1 include:zoho.com ~all

v=spf1
include:zoho.com
~all

fetched 2026-05-23T10:39:20.478Z

spf

info

Open standalone →

resolving spf…

dmarc

high

Open standalone →

no DMARC record — spoofing risk

Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).

Recommendations

Publish a DMARC TXT record at _dmarc.<domain>: v=DMARC1; p=none; rua=mailto:dmarc@<domain>
Start with p=none to collect reports, then move to p=quarantine and finally p=reject

no DMARC record

dmarc

info

Open standalone →

resolving dmarc…

dkim

low

Open standalone →

no DKIM selectors found — likely not configured

Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).

Recommendations

Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey

no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

cert valid for 201 days

Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.

subject cn:: gitea.io
issuer:: Amazon RSA 2048 M01 / Amazon
valid:: Nov 11 00:00:00 2025 GMT → Dec 10 23:59:59 2026 GMT
authorized:: yes
sha256:: 2A:E8:07:13:9C:44:A8:DF:0D:FA:25:E2:A0:4B:5F:EF:DF:9A:D3:DF:2E:6F:23:95:BF:2F:29:60:52:AC:34:DA
sans: gitea.io
www.gitea.io

fetched 2026-05-23T10:39:20.442Z

tls

info

Open standalone →

fetching tls cert…

redirects

medium

Open standalone →

redirects to different domain: gitea.com

Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).

Recommendations

Verify this cross-domain redirect is intentional (e.g. domain migration or CDN)
Ensure the destination domain is owned and expected — unintended redirects can leak traffic

final status: 200 · 2 hops

[301] https://gitea.io/
[200] https://about.gitea.com/

fetched 2026-05-23T10:39:20.656Z

redirects

info

Open standalone →

tracing redirects…

headers

medium

Open standalone →

6 security header(s) missing

Why it matters: Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — defend against XSS, clickjacking, and downgrade attacks. Absent headers map directly to OWASP ASVS V14 findings (ISO 27001 A.8.23).

Recommendations

Add response header — Strict-Transport-Security: max-age=15552000; includeSubDomains
Add response header — Content-Security-Policy: default-src 'self' (tune per app)
Add response header — X-Frame-Options: DENY (or SAMEORIGIN if framing is intended)
Add response header — X-Content-Type-Options: nosniff
Add response header — Referrer-Policy: strict-origin-when-cross-origin
Add permissions-policy response header

final url: https://about.gitea.com/

security headers

strict-transport-security: —
content-security-policy: —
x-frame-options: —
x-content-type-options: —
referrer-policy: —
permissions-policy: —

other headers

age: 57944
alt-svc: h3=":443"; ma=86400
connection: keep-alive
content-encoding: br
content-type: text/html
date: Fri, 22 May 2026 18:33:37 GMT
etag: W/"983d4100cebb26b0290d6ff4dbe09455"
last-modified: Thu, 21 May 2026 18:33:23 GMT
server: AmazonS3
transfer-encoding: chunked
vary: Accept-Encoding
via: 1.1 941f9399edc1f082afabdbb29c8909b8.cloudfront.net (CloudFront)
x-amz-cf-id: 5qT4HBi46k7nVpbLr_hcKswhunB3fEgK6nxVyi_wz34OEiAI4pgnYw==
x-amz-cf-pop: IAD55-P2
x-amz-server-side-encryption: AES256
x-amz-version-id: wA_O2MzZe4B2ipRoGEfdVEBIUhDMq.9e
x-cache: Hit from cloudfront

fetched 2026-05-23T10:39:20.628Z

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

no CORS headers — cross-origin requests blocked by default

Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).

origin: https://drwho.me
method: GET
preflight status: 403

access-control-* headers

access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —

no access-control-* headers returned — site does not advertise CORS to this origin

fetched 2026-05-23T10:39:20.483Z

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)

Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).

robots.txt

present

<!DOCTYPE html>
<html >
<head><meta charset="utf-8"><meta http-equiv="Content-Security-Policy" content="base-uri 'none'; font-src 'self' https: data:; form-action 'self'; img-src 'self' data: https: https://*.gitea.com https://js.hs-scripts.com https://www.google-analytics.com https://avatars.githubusercontent.com https://forms.hscollectedforms.net https://www.googletagmanager.com https://plausible.io https://www.google.com https://googleads.g.doubleclick.net https://*.hotjar.com https://*.hubspot.com; object-src 'none'; script-src-attr 'none'; style-src 'self' 'unsafe-inline' https://*.gitea.com https://js.hs-scripts.com https://www.google-analytics.com https://avatars.githubusercontent.com https://forms.hscollectedforms.net https://www.googletagmanager.com https://plausible.io https://www.google.com https://googleads.g.doubleclick.net https://*.hotjar.com https://*.hubspot.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.gitea.com https://js.hs-scripts.com https://www.google-analytics.com https://avatars.githubusercontent.com https://forms.hscollectedforms.net https://www.googletagmanager.com https://plausible.io https://www.google.com https://googleads.g.doubleclick.net https://*.hotjar.com https://*.hubspot.com 'sha256-C+IcDEGFRB73Ik0oQ/SKSUXuOaQfu89OeSzaEUoElDk=' 'sha384-bzJrtLtUEuqha2MoGDv839hSMW4GI2gReKzn6yHQZID49vm2ktnUXYjz7sGYteOP' 'sha384-4Lz4GZrkdyuXiYSGwHL2KYsj3oyVZcr953HGCT/IcLQJymT52WbQV/6UFD/TGHYn' 'sha384-CsAixFoIurmT5PvrPAjwHnaAj/BDqrdp+zS+AOE2qaiskmeqbhTFXMqCLFh85R8b' 'sha384-/qxfBKjHDv05oLxMry/GRGxiida+EOxQ4BjVEhrAFXCYpKwUVrXbQ/MviABI7h5s' 'sha384-wV/FyIfkoKuneA9gx32UbcC1rWydYJhlr+cMCHu0oN57ZtVcBz8nUCI/A5rPOyHo' 'sha384-XJKPf9jfTX75QKYkAPDxPMmaJmGOocYVBM0hx60h7jh77/cPDZshyi3uFmEQfxdU' 'sha384-xXiD5o6yI+90OuGaBLXhZiGBAPi2OXUd1RWMEcUAjWw3axNXqKsuSMvjAVAMjv6c' 'sha384-Y1L87SYiod6bNGZLmIEJWSPimyTX3VpwSaBxrX7CfT+uRwMe7634zHpWQoNd1p65' 'sha384-eIhjBK4qVQKlWg8QH9LUVxX1WwqnKyoG5ZvJoAhfls0wn5fWYxWyTp7rhPNbDmyJ' 'sha384-rj0GBIbehODwWK8xM9hoYmMQRgBD19MNMauj19DqMx1QQYtVz5oQEAmdvNgyRvYa' 'sha384-ghTsIyUdQPA3ryql/6dPoCaCXTL9aYyjyPeAIQyEUN2uPVzxwqIXyuPBEJtdSYDN'; upgrade-insecure-requests; default-src 'self' https://*.gitea.com https://js.hs-scripts.com https://www.google-analytics.com https://avatars.githubusercontent.com https://forms.hscollectedforms.net https://www.googletagmanager.com https://plausible.io https://www.google.com https://googleads.g.doubleclick.net https://*.hotjar.com https://*.hubspot.com; connect-src 'self' https: wss: ws: https://*.gitea.com https://js.hs-scripts.com https://www.google-analytics.com https://avatars.githubusercontent.com https://forms.hscollectedforms.net https://www.googletagmanager.com https://plausible.io https://www.google.com https://googleads.g.doubleclick.net https://*.hotjar.com https://*.hubspot.com;">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Official Website</title>
<link rel="icon" type="image/x-icon" href="/favicon.ico">
<link rel="icon" type="image/svg+xml" href="/gitea.svg">
<link rel="mask-icon" type="image/svg+xml" href="/gitea.svg" color="#000000">
<link rel="apple-touch-icon" type="image/x-icon" href="/gitea.png">
<script src="//js.hs-scripts.com/44783791.js" async defer id="hs-script-loader"></script>
<meta property="og:title" content="Gitea Official Website">
<meta name="description" content="Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD">
<meta property="og:description" content="Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD">
<meta property="og:logo" content="https://about.gitea.com/gitea.png">
<meta property="og:image" content="https://about.gitea.com/gitea.png">
<meta name="twitter:card" content="summary_large_image">
<link rel="preload" as="fetch" crossorigin="anonymous" href="/_payload.json">
<style>/*! tailwindcss v3.3.5 | MIT License | https:

sitemap.xml

present — 0 url(s)

head

title: Gitea Official Website
description: Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD

social

og:title: Gitea Official Website
og:description: Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
og:logo: https://about.gitea.com/gitea.png
og:image: https://about.gitea.com/gitea.png
twitter:card: summary_large_image

fetched 2026-05-23T10:39:20.797Z

web-surface

info

Open standalone →

inspecting web surface…

dnssec

low

Open standalone →

DNSSEC not configured — no DS or DNSKEY records found

Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).

Recommendations

Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar

enabled: no
DS records: —
DNSKEY records: —

fetched 2026-05-23T10:39:20.485Z

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

not applicable: no _mta-sts TXT record

Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).

no _mta-sts TXT record

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

not applicable: no TLSRPT record

Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).

no TLSRPT record

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

domain registered until 2028-06-03

Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).

registrar: NameCheap, Inc.
created: 2015-06-03T09:14:40Z
expires: 2028-06-03T09:14:40Z
statuses: ok https://icann.org/epp#ok

fetched 2026-05-23T10:39:21.567Z

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

check failed: crt.sh: Error: crt.sh http 502; certspotter: Error: certspotter http 429

Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).

crt.sh: Error: crt.sh http 502; certspotter: Error: certspotter http 429

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.