# certs.lol

> Fast, API-first TLS scanning.

certs.lol scans any domain or IP for its complete TLS configuration and returns a letter grade with detailed results. Same URL, content-negotiated: curl gets JSON, browsers get HTML.

## API

- Scan a domain: `GET https://certs.lol/{domain}`
- Scan an IP: `GET https://certs.lol/{ip}`
- API docs: https://certs.lol/api/docs

No authentication required. Rate limit: 60 requests/hour per IP. Results cached for 6h. Add `?force` to bypass cache.

## What it checks

- Protocol support: TLS 1.3, 1.2, 1.1, 1.0
- Certificate: chain validation, expiry, key type/size, SANs, SCTs, OCSP stapling, SHA-256 fingerprint
- Cipher suites: full enumeration with strength grading
- Post-quantum: X25519MLKEM768 hybrid key exchange
- ECH: Encrypted Client Hello
- HSTS: max-age, includeSubDomains, preload list status
- HTTP/2 and HTTP/3 (QUIC)
- DNS security: DNSSEC, CAA, DANE/TLSA
- Compliance: PCI DSS 4.0, NIST SP 800-52r2, HIPAA transport requirements

## Related

- CLI: https://certs.lol/cli — same engine, runs locally
- Full domain intelligence: https://yoke.lol
- Source code: https://github.com/yokedotlol/certs-lol
- Probe source: https://github.com/yokedotlol/yoke (fly-proxy/)