Free OCSP Stapling Checker
Free tool
Check if your server staples OCSP responses, validates revocation status, and serves fresh responses. Speeds up TLS handshakes and stops CA leaks.
- OCSP stapling configuration validation
- Certificate revocation status check
- Performance optimization verification
No credit card requiredProduction-safe (100% passive)No setup or code required
Trusted by 3,500+ security & engineering teams
What you get for free
18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.
What Essential adds at $39/mo
+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.
What this checker validates
- OCSP stapling configuration on your server
- Certificate revocation status and response validity
- OCSP response freshness and caching
- Performance impact and optimization opportunities
What is OCSP Stapling?
OCSP stapling allows your web server to provide certificate revocation status directly to clients, eliminating the need for clients to contact the Certificate Authority's OCSP server. This improves both performance and privacy.
How to enable OCSP Stapling
- Apache: Enable mod_ssl and set SSLUseStapling on
- Nginx: Add ssl_stapling on and ssl_stapling_verify on
- Cloudflare: Automatically enabled for all SSL certificates
- CDN providers: Usually enabled by default on modern platforms
Benefits of OCSP Stapling
- Faster SSL/TLS handshakes by eliminating OCSP lookups
- Improved privacy by not exposing client IPs to CAs
- Better reliability by reducing dependency on CA OCSP servers
- Enhanced security through real-time revocation checking
Implementation examples
Once you've identified the gap, applying the fix is straightforward. Here are the three configurations developers reach for most often.
Nginx
server {
listen 443 ssl;
ssl_certificate /etc/ssl/fullchain.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/chain.pem;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
}Apache
# httpd.conf / ssl.conf
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)Node.js (Express + https)
import https from "node:https"
import fs from "node:fs"
import express from "express"
import ocsp from "ocsp"
const app = express()
const cache = new ocsp.Cache()
const server = https.createServer(
{
cert: fs.readFileSync("fullchain.pem"),
key: fs.readFileSync("privkey.pem"),
},
app,
)
server.on("OCSPRequest", (cert, issuer, cb) => {
ocsp.getOCSPURI(cert, (err, uri) => {
if (err) return cb(err)
if (uri === null) return cb()
const req = ocsp.request.generate(cert, issuer)
cache.request(req.id, { url: uri, ocsp: req.data }, cb)
})
})
server.listen(443)Tool-specific questions
Is OCSP stapling required for security?
While not strictly required, OCSP stapling is a security best practice that improves both performance and privacy. It's especially important for high-traffic websites.
What happens if OCSP stapling fails?
Clients will fall back to traditional OCSP lookups, which may slow down SSL handshakes and expose client IPs to Certificate Authorities.
Can I use OCSP stapling with Let's Encrypt?
Yes, Let's Encrypt supports OCSP stapling. Most modern web servers and CDNs automatically enable it for Let's Encrypt certificates.
How often should I check OCSP stapling status?
Regular monitoring is recommended, especially after server configuration changes. Use Barrion's continuous monitoring to track OCSP stapling status over time.
Why Barrion
Built for the engineers who already have enough to fix.
Speed
Real-time results
Instant analysis with a detailed report. You see findings as the scan runs, not after.
Coverage
Comprehensive checks
35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.
Action
Step-by-step fixes
Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.
Other tools
More free checks, for the rest of your surface.
Complete Security Scan
Complete website security analysis with comprehensive vulnerability detection
Pre-Pentest Security Scan
Passive scan that catches the misconfigurations a pentester finds first. Use it before a manual engagement to clear the easy issues.
Security Compliance Checker
Check compliance with PCI DSS, HIPAA, SOC 2, ISO 27001, and GDPR. Get compliance readiness reports.
WAF Checker
Detect Web Application Firewall presence through passive header analysis. Identify WAF/CDN providers.
Security Headers Test
Check your website's HTTP security headers configuration
TLS/SSL Security Checker
Validate your SSL/TLS configuration and certificate setup
FAQ
Frequently asked.
What is Barrion and how does it enhance website security?
Barrion is a security testing and monitoring platform for engineering teams, covering three products: passive DAST that continuously watches your live web apps and APIs, SAST via GitHub that scans your codebase for secrets, insecure patterns and vulnerable dependencies, and AI pentesting that runs active, agent-driven attacks with proof-of-exploit. Findings come with step-by-step fixes you can ship immediately.
How safe is Barrion to use for security testing?
Every default Barrion scan is 100% passive and read-only. We never submit forms, brute-force endpoints or interact with state-changing routes, so it's safe to run against production.
What types of security issues does Barrion identify?
Barrion is a security testing and monitoring platform, so coverage spans three surfaces. Passive DAST flags misconfigurations across TLS/HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF/DKIM/DMARC), network exposure and common web hygiene issues. SAST via GitHub finds secrets in code, insecure patterns and vulnerable dependencies. AI pentesting adds exploitable findings like SQL injection, XSS and broken access control with proof-of-exploit.
What specific security checks does Barrion perform?
Barrion checks TLS/HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues, then prioritises them by severity with clear remediation.
What is Barrion's smart crawling?
Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.
How often does Barrion perform security scans?
Manual scans on demand. Continuous monitoring runs automatically on Essential (weekly+) and Business (daily), and alerts you the moment a new issue appears.
Is Barrion suitable for security testing of all business sizes?
Yes. Barrion is a security testing and monitoring platform, with passive DAST, SAST via GitHub and AI pentesting available to solo developers, startups, scale-ups and enterprise security teams alike, without adding headcount.
How does Barrion handle data security and privacy during security testing?
Scans are passive and read-only by default, and we never store or expose sensitive data from your application. Pentests are rate-limited and non-destructive, designed to confirm exploitability without altering data or affecting availability.
What if I'm not satisfied with Barrion's security testing service?
Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.
How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?
Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.
Anything else? Email contact@barrion.io.
Run a full report on your site.
Free first scan covers every check, no signup needed. Sign up to save the report and turn on continuous monitoring.