http1.dev HTTP/1.x must die

http1.dev quickly checks if a host exposes legacy HTTP/1.x attack surface instead of relying on HTTP/2 or HTTP/3.

About

Is this a replacement for SSL Labs?

No. Run ssllabs.com first and follow its TLS, certificate, and cipher advice. Then use http1.dev to quickly spot HTTP/1.x-only frontends that are worth modernising or isolating.

Where is the source code?

The CLI and web UI are open source on GitHub: github.com/RuneStone0/http1.dev.

Got feedback? Found a bug? Open an issue or PR on GitHub and help make this scanner better.

How do I run the CLI?

Why is the CLI handy?

You can point it at internal hostnames or IPs from a jump box or laptop on your VPN, so you can grade services that aren't exposed to the public internet.

Tip a coffee?

If this tool helped you deprecate some crusty HTTP/1.x edge boxes, consider buying the author a coffee or starring the project on GitHub.

This service is inspired in part by the HTTP/1.1 security concerns documented at http1mustdie.com. It is designed as a lightweight addition to ssllabs.com: run SSL Labs and follow its TLS/certificate/cipher recommendations, then use http1.dev to quickly spot legacy HTTP/1.x-only surfaces that are still missing HTTP/2 or HTTP/3.
Buy me a coffee