Question 1

How do I set up badssl.com locally for testing my application?

Accepted Answer

Clone the repo, use Docker with 'make serve', add subdomains to your hosts file via 'make list-hosts', and trust the root certificate from 'certs/sets/test/gen/crt/ca-root.crt'—detailed steps are in the README for macOS and other systems.

Question 2

Can badssl.com be used for automated security scans in my CI pipeline?

Accepted Answer

No, it's not recommended; the project is meant for manual testing and lacks stability guarantees, so subdomains might change or become unavailable, breaking automated scripts without warning.

Question 3

badssl.com vs Qualys SSL Labs: which is better for checking SSL configurations?

Accepted Answer

badssl.com is best for hands-on client-side testing of SSL warnings and errors, while SSL Labs provides automated server-side grading and detailed reports—use badssl.com for development validation and SSL Labs for production audits.

Question 4

How to test HSTS implementation using badssl.com?

Accepted Answer

Visit 'hsts.badssl.com' in your browser; it serves HTTP Strict Transport Security headers, allowing you to verify if clients correctly enforce HTTPS and handle redirects or warnings.

Question 5

What happens if a badssl.com subdomain stops working?

Accepted Answer

Since it's offered 'AS-IS' with no warranties, you might encounter downtime or changes; for reliable testing, consider forking the project and hosting your own copy, as suggested in the disclaimer.

Question 6

Is it safe to add badssl.com certificates to my trusted store?

Accepted Answer

Only do this in isolated test environments; the certificates are intentionally misconfigured for testing, so trusting them on production machines could expose you to security risks from malicious sites.

Bad SSL

What is Bad SSL?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions