Back to Home

Internet.nl

Our 100% Rating – What does it mean and how did we get it?

Internet.nl 100%

1. Internet.nl – what is it and why does it matter?

Internet.nl is an open-source, free tool provided by the Dutch Internet Standards Platform (Platform Internetstandaarden), jointly developed and operated by the internet community and the Dutch government. The platform's partners include institutions such as the NCSC-NL (National Cyber Security Centre), NLnet Labs, SIDN (the .nl domain registry), the RIPE NCC, the Internet Society, and the Forum Standaardisatie.

The goal of the tool is exceptionally broad: rather than merely examining a single technological layer (like SSL Labs does with TLS, or the MDN Observatory with HTTP headers), it simultaneously evaluates five fundamental layers of internet infrastructure: the modern IP protocol (IPv6), domain name system authenticity (DNSSEC), encrypted connections (HTTPS/TLS), HTTP security settings (headers, security.txt), and route authorization (RPKI). This breadth of coverage distinguishes Internet.nl from other recognized tools.

It is important to emphasize: Internet.nl is primarily an internet standards compliance test, not a penetration test. The test standard is built upon the mandatory open standards list maintained by the Dutch Forum Standaardisatie, the security guidelines of the NCSC-NL, and the relevant RFC documents of the IETF. A 100% score means that the website and the infrastructure serving it fully comply with this system of standards.

The latest version 1.11 (April 2026) also incorporates the updated TLS guidelines issued by the NCSC-NL in mid-2025, once again modernizing the test standard.

2. What does Internet.nl test – the five categories of the website test

The website test consists of five main categories. Each category receives equal weight in the overall percentage score. Within a category, only REQUIRED subtests affect the score – RECOMMENDED and OPTIONAL subtests do not count towards the score, but they do appear in the report.

Test category What does it test? Weight
IPv6Availability of the web server and nameservers on IPv6, IPv4/IPv6 consistencyEqual weight
DNSSECDomain signature and signature validityEqual weight
HTTPS / TLSTLS protocols, cipher suites, certificate, HSTS, DANE, CAAEqual weight
Security settingsHTTP security headers (CSP, X-Frame-Options, etc.) and security.txtEqual weight
RPKIRoute Origin Authorization for the IPs of the web server and nameserversEqual weight (since 2025)

2.1. IPv6 – Modern IP address support

IPv6 is the current internet protocol, the successor to IPv4, which solves the global IP address exhaustion problem and provides a better network architecture. Internet.nl checks the following aspects:

IPv6 support might initially seem like an infrastructural issue, but it has real security and reliability implications: IPv6 implies a more modern network stack and is a prerequisite for future internet accessibility.

2.2. DNSSEC – Domain signature

DNSSEC (Domain Name System Security Extensions) protects DNS records with cryptographic signatures, preventing an attacker from injecting false DNS responses (DNS spoofing, cache poisoning). Internet.nl performs two subtests:

DNSSEC is especially important for DANE (see below), whose prerequisite is that the domain must be signed. Without DNSSEC, DANE records do not provide reliable protection.

2.3. HTTPS / TLS – Secure connection

This is the most extensive category with the highest number of subtests. Version 1.11 (April 2026) of Internet.nl applies the NCSC-NL 2025 TLS guidelines, which define four security levels: Good, Sufficient, To be phased out, and Insufficient. Good and Sufficient settings pass, To be phased out results in a warning, and Insufficient means a failure.

Subtest What does it check? Level
TLS versionOnly TLS 1.2 and 1.3 – SSL/TLS 1.0/1.1 bannedREQUIRED
Cipher suitesOnly strong AEAD suites; RC4, 3DES, NULL bannedREQUIRED
Key exchangeECDHE/DHE (Forward Secrecy); weak DH parameters bannedREQUIRED
Certificate trustIssued by a known CA, valid chainREQUIRED
Certificate key lengthRSA ≥ 2048 bit or ECDSA ≥ 256 bitREQUIRED
Certificate signature algorithmSHA-256 or stronger; MD5/SHA-1 bannedREQUIRED
HTTP→HTTPS redirectionHTTP requests are directed to HTTPSREQUIRED
HSTSStrict-Transport-Security header ≥ 6 months max-ageREQUIRED
DANE (TLSA record)DNS-based certificate authentication (TLSA)REQUIRED
CAA recordCertification Authority Authorization DNS recordREQUIRED
Extended Master SecretStrengthened TLS session key according to RFC 7627REQUIRED
OCSP StaplingOnline certificate revocation checkRECOMMENDED
TLS compression bannedPrevention of CRIME vulnerabilityREQUIRED

DANE (DNS-Based Authentication of Named Entities): this is one of Internet.nl's most important and highest-level security requirements. DANE uses the TLSA DNS record (authenticated via DNSSEC) to anchor within the domain name system exactly which chain element the server's certificate must match. This practically eliminates MITM attacks utilizing fake certificates, even if a CA is compromised – an event that could otherwise occur despite a CAA record.

CAA (Certification Authority Authorization): a DNS record according to RFC 8659, which specifies which CAs are allowed to issue a certificate for the domain. This prevents unauthorized certificate issuers from issuing false certificates for the domain.

2.4. Security settings – HTTP headers and security.txt

This category partially overlaps with the areas examined by the MDN Observatory, but Internet.nl evaluates them based on its own standards. Based on NCSC-NL guidelines and current web security standards, it checks the following elements:

Header / Setting What does it protect against? Level
Content-Security-Policy (CSP)XSS, code injection, loading unauthorized resourcesREQUIRED
X-Frame-Options / CSP frame-ancestorsProtection against clickjackingREQUIRED
X-Content-Type-Options: nosniffMIME-sniffing based XSS attacksREQUIRED
Referrer-PolicyPrevention of sensitive URL data leakageREQUIRED
security.txt (RFC 9116)Publishing security vulnerability reporting contactREQUIRED

security.txt (RFC 9116): this is one of Internet.nl's unique and less commonly known requirements. According to the RFC 9116 standard, a file available at the /.well-known/security.txt path allows security researchers and ethical hackers to easily contact the organization if they find a vulnerability. The file must include a valid Expires field, Contact information, and a PGP signature for full points.

2.5. RPKI – Route authorization

RPKI (Resource Public Key Infrastructure) strengthens the routing security of BGP (Border Gateway Protocol). BGP is the routing protocol that forms the backbone of the internet, with the fundamental weakness that it does not authenticate route announcements – making so-called BGP-hijacking attacks possible, which can lead to the hijacking or disruption of internet traffic.

Through RPKI Route Origin Authorization (ROA) records, the owners of network resources cryptographically anchor which Autonomous System (AS) is permitted to announce a route on behalf of a given IP address block. Internet.nl checks RPKI for three groups of servers:

RPKI became a scoring factor on Internet.nl in January 2025 (version 1.9). Previously, it was only displayed for informational purposes. This means that domains previously unaffected by the RPKI requirement can no longer achieve a 100% score without it as of this change.

3. The scoring system

Internet.nl's scoring differs significantly from the approach of SSL Labs and the MDN Observatory: while they work with points and letter grades, Internet.nl gives a single percentage value, which is calculated as the equally weighted average of the test categories.

4. How do websites generally perform?

The current data from the Internet.nl Hall of Fame provides an accurate picture of the field we measure ourselves against:

Internet.nl itself emphasizes that its test standards are continuously becoming stricter: the introduction of RPKI in 2025 affected many domains that previously had 100%. With version 1.11 (April 2026), the NCSC 2025 TLS guidelines were also integrated into the requirements, filtering the field once again.

For context: the Dutch government – which prescribes the Internet.nl standards as a mandatory standard for its own agencies – did not achieve 100% on all of its own websites according to 2024 measurements.

5. What does our 100% rating mean?

A 100% score means that we passed all currently mandatory (REQUIRED) subtests flawlessly across all five categories. Specifically, this assumes the following infrastructural and configuration levels:

IPv6

DNSSEC

HTTPS / TLS

Security settings

RPKI

The unique feature of the Internet.nl 100% rating compared to other tests is that it does not merely certify the HTTP-level configuration of the web server (MDN Observatory) or its TLS implementation (SSL Labs), but the infrastructural depth of the entire internet presence: the authenticity of the DNS layer (DNSSEC), the security of the routing layer (RPKI), modern IP protocol support (IPv6), and the certificate-binding mechanism (DANE) simultaneously.

6. The limitations of Internet.nl – what the test does not measure

Internet.nl itself explicitly emphasizes: it is primarily a standard compliance test, not a security audit. The following areas are not part of the examination:

7. Summary

Internet.nl is the most comprehensive, publicly available testing tool for internet infrastructure compliance: it simultaneously evaluates IPv6 availability, DNSSEC signature, TLS configuration (including DANE and CAA), HTTP security headers, security.txt, and RPKI protection.

Our 100% rating certifies that our website and the infrastructure serving it:

The three ratings – the 130/100 A+ result of the MDN Observatory, the A+ grade of SSL Labs, and the 100% score of Internet.nl – together verify that our website meets the strictest industry expectations in every relevant dimension up to the current limit of measurability.

Source: Internet.nl – internet.nl · Scoring: internet.nl/faqs/report · GitHub: github.com/internetstandards/Internet.nl
Current version: v1.11.1 · Last substantial update: April 21, 2026. (Integration of NCSC TLS 2025 guidelines)