What is a website Security Score?

A Security Score is an A–F rating based on your website's SSL/TLS configuration, security headers, DNS setup, and Certificate Transparency logs. It gives you an instant snapshot of your security posture — like a credit score, but for your website.

How is QuietLS different from SSL Labs?

SSL Labs is an excellent one-time checker. QuietLS adds continuous monitoring and automatic SSL renewal: we re-check your site daily, alert you when something changes, and automatically reissue and install your certificates before they expire. We also cover more than just SSL — security headers, CT logs, DNS health, and uptime. Think of SSL Labs as a snapshot; QuietLS as a security camera that also fixes the lock.

What are CT Logs and why should I monitor them?

Certificate Transparency (CT) logs are public records of all SSL certificates issued for any domain. Monitoring them means you get alerted when someone issues a new certificate for your domain — including unauthorized ones. This is often the first sign of an attack.

How is this different from cron + certbot?

Cron + certbot renews certificates, but it doesn't tell you when something breaks — a misconfigured CSP, a CT log entry you didn't request, a DNS record that drifted. QuietLS does renewal and continuous monitoring in one system, with alerts that go to your inbox or your Discord channel.

Does QuietLS work with Caddy, Traefik, and nginx?

QuietLS is observability-first — it watches your origin certs and headers from the outside, regardless of what renews them. For renewal, QuietLS handles certificate issuance and renewal through ACME (DNS-01 and HTTP-01 challenges). The renewed certificate can be installed automatically via our server agent or through hooks. A dedicated Caddy plugin is on the roadmap.

Can I use QuietLS alongside Cloudflare?

Yes. Many users run Cloudflare in front of their origin server. QuietLS monitors the origin certificate (the one Cloudflare can't see) and your security headers. We recommend DNS-01 challenges when Cloudflare proxies your DNS.

Do I need to install anything on my server?

No. The basic monitoring works entirely from the outside — no installation required. If you want to see TLS config on your origin (past the CDN) or monitor certs on non-standard ports (SMTP, IMAP, internal services), you can optionally install our privacy-first agent. It reads configuration only and never touches your private data.

What happens when my SSL certificate is about to expire?

We alert you 30, 14, and 7 days before expiry via email and webhooks. On all plans, we automatically reissue and install a new certificate before the old one expires — so your site never goes dark. Free plans use Let's Encrypt; paid plans support any certificate authority.

Does QuietLS support wildcard certificates?

Yes, on Solo and Studio plans. Wildcard certificates require DNS-01 challenge validation, which QuietLS handles automatically if you delegate the relevant DNS zone via CNAME.

Can I self-host QuietLS?

Not yet. The hosted service is the fastest way to get started. Open-sourcing the core is on the roadmap once we have a stable API and enough paying customers to sustain it. If self-hosting is important to you, let us know — it helps prioritize.

Can I trust a solo-developer service?

Fair question. Here's what we do about it: your private keys never leave your servers, data export is available in standard formats (ACME keys, JSON, CSV) at any time, and there's a 90-day continuity commitment if the service ever winds down. The Honesty section on this page lays out the trade-offs openly.

Does QuietLS see my private keys?

No. Never. Our external scanner never comes into contact with your private keys. Our server agent is read-only and monitors configuration — not traffic, not logs, not private data. We designed it so we literally cannot access your secrets, even if we wanted to.

Continuous SSL & security observability

Know when your domain quietly becomes unsafe.

QuietLS continuously monitors what your reverse proxy can't see: Certificate Transparency logs, silent renewal failures, security headers drift, DNS health. Plus auto-renewal, included.

Built by D. Spivak, a developer who got tired of automation that fails quietly.

Want it watched continuously? Start free.

Hosted in Germany · Your private keys stay on your servers · Free tier, no credit card.

QuietLS dashboard showing multiple domains with their SSL and security scores

Security check

Start with a read-only scan of any domain.

Enter a domain and we'll run the same checks we run on monitored sites — SSL, TLS, headers, DNS, and Certificate Transparency. No account, no email gate.

example.comScanning…

SSL certificate—
Certificate chain—
HSTS—
Content-Security-Policy—
TLS 1.0—
TLS 1.2 · 1.3—
DNS—

Things that actually happen

Things that actually happen to indie devs.

You don’t need another dashboard. You need someone watching these four things so you don’t have to.

The silent renewal

Your reverse proxy renews SSL automatically — until it doesn't. The Cloudflare API key got rotated, the DNS-01 challenge fails silently, and you find out 14 days later when the cert is already expired and customers are calling.

QuietLS · Detects renewal failures days before expiry, regardless of what’s renewing.

The forgotten subdomain

You manage 20 domains for clients. One of them — the one nobody remembers to check — has an expired cert come Monday morning. The client sees it before you do. That’s a lost retainer.

QuietLS · Every domain on one watchlist.

The silent header drift

Someone weakened your CSP in a Friday deploy. You don’t find out until Thursday, when a security researcher emails you about it. The vulnerability was live for six days.

QuietLS · Header changes flagged the same day.

The mystery certificate

Someone — or some bot — issued a certificate for your domain from a CA you’ve never used. You never notice, because nobody reads Certificate Transparency logs at 2 AM. That’s the earliest attack signal you’re missing.

QuietLS · CT logs scanned for you, under a minute.

QuietLS watches all four — quietly, on a schedule, with a deterministic A–F score. No black box, no dashboards you have to remember to open.

Example detection

[CT log] QuietLS detected a Sectigo certificate issued for stripe-api.example.com — a subdomain the team never authorized.

[alert] customer notified in 47 seconds via Discord webhook · investigation link attached

Most CT log monitoring is one of those things you mean to set up. By the time you do, the unauthorized cert has been valid for weeks. We watch every CT log entry for every domain you own — automatically.

What QuietLS actually does

Observability first. Renewal when you need it.

External monitoring your reverse proxy can’t see, silent-failure detection, and auto-renewal — in that order of priority.

Continuous external monitoring

CT logs, security headers drift, DNS health, and a deterministic A–F score — continuously, not just when you remember to check. The thing your reverse proxy can’t see.

CT logs — real-time unknown CA alerts
Security headers — HSTS, CSP, X-Frame-Options
DNS health — CAA, DNSSEC, nameserver drift
Deterministic A–F score, no black box

Silent failure detection

Your reverse proxy renews automatically — until it doesn't. We detect renewal breakage days before expiry, regardless of what's renewing.

Catches DNS-01 challenge failures
Catches expired or rotated CA credentials
Independent of your ACME client
Alerts via Discord, Telegram, Slack, webhooks

Auto-renew when you need it

No reverse proxy doing renewal? We do it. Let’s Encrypt, ZeroSSL, Sectigo, DigiCert — ACME DNS-01 and HTTP-01, in-place install via agent or hooks.

Let’s Encrypt, ZeroSSL, Sectigo, DigiCert
ACME DNS-01 and HTTP-01 challenges
In-place install via server agent or hooks
Docker image, GitHub Action, public badge SVG
Caddy plugin, Terraform, cert-manager (coming)

QuietLS domain detail view showing TLS, headers, DNS, and CT log scores with fix recommendations

For the full check catalogue and scoring methodology, see the documentation.

Why not the obvious alternatives

What QuietLS does that the other tools don’t.

Most self-hosters reach for Uptime Kuma, SSL Labs, or cron + certbot first. Each solves part of the problem. Here’s the gap.

Capability	Uptime Kuma	SSL Labs	cron + certbot	QuietLS
Cert expiry tracking	basic		manual	continuous
CT log monitoring
Headers drift		one-off
DNS health
Auto-renewal			manual
A–F security score		one-off		deterministic

Uptime Kuma

Cert expiry trackingbasic
CT log monitoring
Headers drift
DNS health
Auto-renewal
A–F security score

SSL Labs

Cert expiry tracking
CT log monitoring
Headers driftone-off
DNS health
Auto-renewal
A–F security scoreone-off

cron + certbot

Cert expiry trackingmanual
CT log monitoring
Headers drift
DNS health
Auto-renewalmanual
A–F security score

QuietLS

Cert expiry trackingcontinuous
CT log monitoring
Headers drift
DNS health
Auto-renewal
A–F security scoredeterministic

Who uses QuietLS

Who uses QuietLS — and why.

Built for developers who already automated SSL — and want to know when the automation lies to them.

Indie SaaS founder

1–5 domains · Vercel / Railway / Fly.io

Vercel, Railway, and Fly handle SSL. We watch what they don't: who else is issuing certs on your domain, whether your headers got weakened in last Friday's deploy, whether your DNS is drifting.

Self-hoster

5–15 domains · Homelab

Caddy and Traefik renew your certs. We tell you when something silent breaks — your CT log shows an unauthorized cert, your subdomain CNAME is drifting toward a takeover, your headers regressed after an update. One A–F score, no Uptime Kuma sledgehammer.

Independent developer

Personal sites · Portfolio

A handful of domains you care about but don't want to babysit. Predictable cost, no surprises, the same monitoring quality as the larger plans.

Small agency

1–5 people · Client domains

Automatic renewals so a missed expiry never becomes a lost contract. Per-domain reports you can attach to a deliverable. One less thing to track across clients.

QuietLS CT log alert showing an unauthorized certificate detection with investigation actions

Said by users, not customers

The pain we built for, in their own words.

Adapted quotes from r/selfhosted threads — the segment we’re aiming at, before they ever heard of QuietLS.

“I wanted a self-hosted CT log monitor without the Uptime Kuma overhead.”

r/selfhosted

“35 LXCs and VMs, certs are pets not cattle, getssl works but I’m tired of checking on it.”

r/selfhosted

Hi, I'm Dmytro.

I've been shipping code professionally since 2018 — building distributed services for large platforms by day, indie SaaS on the side. Mostly TypeScript, Node.js, and PostgreSQL, often wrestling with infrastructure other people should have owned but didn't. QuietLS exists because I was tired of automation that fails quietly — silent renewal breakage, CT logs nobody watches, headers that drift after a deploy. I built it for people like me — who ship their own thing and want SSL + security monitoring to just work.

Twitter / X LinkedIn Blog

Honesty

What it means that one person built this.

Transparency builds trust. Here is what you are really getting.

I read every support message personally. No ticket queues.
Features ship fast. No procurement, no committees.
My salary overhead doesn't price you out.

Honestly: this is not enterprise-grade. If you need SOC 2 Type II, audit trails for regulators, or a vendor risk assessment form — go to Keyfactor or Venafi. They are excellent products built for that world.

If you need SSL to quietly work while you focus on your product — I built this for you.

Pricing

Priced by scope, not by feature gates.

Every plan includes the full set of monitoring checks. Plans differ by domain count, certificate authorities, and history depth.

Free

$0forever

Watch one domain. CT logs, headers, DNS, TLS — all checks. Renewal included if you need it.

1 domain
All core checks — SSL, headers, CT, DNS
Let's Encrypt auto-renewal
7 days of incident history
Discord and Telegram webhooks
Server security agent

Start free

Solo

$9per month

$90 billed annually

For indie devs who want commercial CAs, longer history, and the same observability across more domains.

Up to 5 domains
Everything in Free
Commercial CA — Sectigo, ZeroSSL, DigiCert
30 days of incident history
Public security score badge
GitHub Action for CI gates

Studio

$29per month

$290 billed annually

For teams that need white-label dashboards, webhooks, and multi-domain reports.

Up to 25 domains
Everything in Solo
White-label dashboard
Slack and webhook alerts
Multi-domain PDF reports
Client share links

Team

$99per month

$990 billed annually

For agencies and MSPs managing many clients with on-call integrations.

Up to 100 domains
Everything in Studio
PagerDuty and Opsgenie integrations
Priority support
Multi-team management

Need more than 100 domains or a DPA? Talk to the founder

Monthly or annual billing. No credit card on Free. Cancel anytime — I'll even help you export your data.

FAQ

Common questions about QuietLS.

Still have questions? Contact support or browse the documentation.

Start

Find out before your customers do.

Free forever for 1 domain. No credit card. Upgrade when you need more.

Run a security check

Know when your domain quietly becomes unsafe.

QuietLS continuously monitors what your reverse proxy can't see: Certificate Transparency logs, silent renewal failures, security headers drift, DNS health. Plus auto-renewal, included.

Built by D. Spivak, a developer who got tired of automation that fails quietly.

Want it watched continuously? Start free.

Hosted in Germany · Your private keys stay on your servers · Free tier, no credit card.

Capability

Uptime Kuma

SSL Labs

cron + certbot

QuietLS

Cert expiry tracking

basic

manual

continuous

CT log monitoring

Headers drift

one-off

DNS health

Auto-renewal

manual

A–F security score

one-off

deterministic

Hi, I'm Dmytro.