🛡️ GuardFoxCopilot Documentation

Defensive Tools

TLS scanner, email security checker (SPF/DKIM/DMARC), HTTP security headers, and password audit via HaveIBeenPwned.

Route: /defensive-tools

TLS / SSL Scanner

How to use

TLS / SSL Scanner

Tests your domain's TLS configuration and grades it A–F.

What is checked

  • Certificate — expiry date, issuer, SANs, validity
  • Protocol versions — TLS 1.0/1.1 (should be disabled), 1.2, 1.3
  • Cipher suites — classified as strong, weak, or insecure
  • HSTS — whether Strict-Transport-Security header is present
  • OCSP Stapling — whether the server staples the certificate status

Grading

  • A — All modern protocols, strong ciphers, HSTS enabled, cert valid >60 days
  • B — Minor issues (e.g., TLS 1.2 without 1.3, HSTS missing)
  • C — TLS 1.1 enabled or weak ciphers present
  • F — TLS 1.0 enabled, expired certificate, or critical cipher issues

How to improve your grade

  1. Disable TLS 1.0 and 1.1 in your web server config
  2. Add HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  3. Remove weak cipher suites (RC4, 3DES, export-grade)
  4. Enable TLS 1.3

Email Security Checker

How to use

Email Security Checker

Validates your domain's email authentication configuration.

SPF (Sender Policy Framework)

Specifies which mail servers are allowed to send email for your domain.

Good SPF record: v=spf1 include:_spf.google.com ~all

Bad SPF record: v=spf1 +all — allows any server to send as your domain

DKIM (DomainKeys Identified Mail)

Adds a cryptographic signature to emails. Requires a TXT record at selector._domainkey.yourdomain.com.

Your email provider (Google Workspace, M365) generates the keys and gives you the DNS record to add.

DMARC (Domain-based Message Authentication)

Tells receiving servers what to do when SPF/DKIM fails.

v=DMARC1; p=reject; rua=mailto:dmarc@company.com; pct=100
  • p=none — monitor only (start here)
  • p=quarantine — send to spam
  • p=reject — reject the email (final goal)

BIMI (Brand Indicators for Message Identification)

Shows your logo in supporting email clients. Requires DMARC p=reject or p=quarantine at 100%.

Password Audit

How to use

Password Audit (HaveIBeenPwned)

Checks passwords against the HaveIBeenPwned breach database using k-anonymity — your full password never leaves the browser.

How k-anonymity works

  1. The password is hashed with SHA-1 in the browser
  2. Only the first 5 characters of the hash are sent to the HIBP API
  3. The API returns all hashes matching those 5 characters
  4. The browser checks if the full hash is in the list
  5. Result: exposed count displayed without the server ever seeing your password

Password strength scoring

Points are awarded for:

  • Length ≥ 12 characters (+1)
  • Uppercase letters (+1)
  • Lowercase letters (+1)
  • Numbers (+1)
  • Special characters (+1)

Score 5/5 = Very Strong. Score ≤ 2/5 = Weak.

Recommendations

  • Use a password manager (Bitwarden, 1Password, KeePass)
  • Enable MFA on all accounts
  • Any password found in HIBP should be changed immediately, regardless of strength score