56 comments

[ 2.8 ms ] story [ 65.4 ms ] thread
Checks hosting, analytics, fonts, cdn, video, chat, social embeds. Gives you a score from 0-100 and suggests Eu-alternatives.
EDIT (after 150+ comments of roasting):

First: You are legends. Thanks for the massive roasting. Had a Haupt-Mieterversammlung directly after clicking "Submit" and was too tired (and scared) to directly address the issues afterwards. Reading your comments really delivers some intense cringe-moments over here seeing my bugs exposed. I try to frame it as some of the best feedback from some of the best engineers in the world. This helps (it does).

The core stuff: I chose to implement ASN-list lookups instead of a GeoIP service (to have less deps). Worked for my european test cases. Clearly not battle-tested enough for the wild.

What I'm hearing: - Hosting detection has false positives (detecting links as hosting) and false negatives (US-hosted sites scoring 100%) - Social media LINKS shouldn't count same as EMBEDS (fair point) - Missing: registrar, TLD jurisdiction, DNS location - AWS/Cloudflare detection is spotty - Migration cost estimates are too high for small sites - Some UI bugs on Firefox

What we shipped overnight (yes, while this was trending): - "Hotfix" for our scanning friends over nsa.gov What we ship from now on: - Fix the real bugs

v0.2 roadmap based on your feedback:

1. Hybrid GeoIP + ASN detection 2. Differentiate links vs embeds 3. Add registrar/TLD/DNS checks 4. Fix AWS/CloudFront/Cloudflare detection 5. Smarter migration cost estimates 6. UI fixes

Building in public. This is day 1.

To everyone who tested edge cases: you part of this tool soon :) To whover tested nsa.gov at 2am CET: I noticed.

I am not sure how much i will get done by today – maybe i will need to touch grass later a bit (or feeding the cows as we do it over here in austria)

Ave Caesari, morituri te salutant.

Fixed: 1. GeoIP fallback 2. Links vs embeds 3. Migration costs

*GeoIP* - The ASN-only approach was too restrictive (I tested mostly with orf.at and such). Now using oschwald/geoip2-golang with DB-IP Lite. Hybrid detection: ASN for known providers, GeoIP fallback for everything else.

kapsi.fi now correctly shows as EU/Finland (was the false positive many caught). google.com: 54% (US detected), reddit.com: 94% (Canada - has EU adequacy decision). Added all EU adequacy countries (UK, Switzerland, Japan, Canada, etc.) - no penalty, but labeled "Adequate" not "EU". Im not sure on this one. Im sure we'd like to get UK back in the Union so we get to see the Rolling Stones more often.

*Embeds* - A link TO twitter.com is no longer flagged as a dependency. Only actual embeds (script src, iframes) count now. This might also fix the "links to GitHub flagged as GitHub Pages hosting" issue - same root.

*Costs* - Reduced. Google Fonts swap is now €50-150, not €400-800. Costs were too enterprisy, now for small sites like ours :)

Need to feed some cows now. Will iterate further when back. PS: Please dont roast the latin. Its been a while.

EDIT: Remove Api for now.

EDIT 2 (48h later — shipped based on your feedback after a rough and a good night of sleep):

Should be fixed: - Hybrid Geoip + ASN detection (no more nsa.gov/google.com false positives) - AWS, Azure, Google Cloud, Cloudflare, DigitalOcean, Vercel, Netlify detection - Links vs embeds — href to Twitter ≠ dependency on Twitter - Lazy-loaded YouTube/Vimeo (lite-youtube facades) - Adequacy tier scoring — UK, Switzerland, Japan get -15 (trusted, not sovereign) instead of 0 - Unquoted iframe detection (LinkedIn embeds)

gov.cn no longer scores 100%. admin.ch no longer scores 100%. The "sovereignty" label now hopefully means something.

Still open: - DNS/registrar checks (v2) - One reported LetsEncrypt cert error (can't reproduce)

Details on Vercel: I try to detect via response headers (x-vercel-id), so custom domains are hopefully flagged correctly. Cloudflare for DNS is intentionally not pennalized — it's a proxy layer, not hosting (that was also stated in the methodology-popup from the beginning). I try that the origin server determines your hosting score.

Thanks to everyone who took the time. We (meaning all of you, who tested, tried and commented and maybe I, myself) made this tool hopefully significantly better.

And to have it stated here too: Though it might sound ironic or something (especially via a board like this): I and my partner never meant to insult anybody. We have profound respect for quality engineering outside of our borders. It even inspires us.

Nice, good idea. I need to move away from Github pages finally ;)
Seems to treat finnish kapsi.fi hosting as US?
(comment deleted)
Happy to see mastodon.xyz score 100%.

Mastodon is pretty cool and proof that we can make federation work.

nice idea, are you planning to open source this project?
Considering it. Backend is Go on a single-node K8s-"Cluster". Frontend is vanilla JS on the same Hetzner-Box. Code-situation in the midst of this ongoing "HN-Feuertaufe" is a bit … well.

What would make it useful for you - self-hosting capability, or contributing to detection logic?

I am considering a api but need stability first.

Any recommendations for good European alternatives to Clooudflare? Is there an EU company that's as trustworthy when it comesq to DDoS protection?
thanks for this checker, we also need HN alternative for EU only. As Europeans, I'm sure we can do this.
I really wish this existed so that HN could go back to being a tech community of nerds and builders. Somehow HN has become overrun with more and more urban monoculture euro-fetishists and actual Europeans in the last few years. I haven't seen a headline mentioning Rust or Lisp in days! That's how you know things have really gone downhill.

European HN could focus on its favorite topics of privacy paranoia, "what regulation can we make next?" and tech safetyism, while maybe real HN could go back to Bay Area tech esotericism and fun historical anecdotes.

reddit.com gets a perfect "no US dependencies" score. I guess they have servers around the world and can serve requests from a local-ish server.

Obviously this simple check only concerns the technical aspects of the website and doesn't analyse the business itself but I wonder if all .com domains should be marked down?

I put in my site and it gave me a red cross for "Hosting", on hover it said "GitHub Pages". But my site isn't hosted on GitHub Pages.

Expanding "Details", the URL that is hosted on GitHub Pages is... a different website? There's merely a hyperlink to it on my website.

It also says I'm using "self-hosted" fonts - but I don't think I'm doing that at all? I'm just using the browser's fonts. Using non-standard fonts is a bad idea because it causes the content to either be invisible until the font is loaded, or else it initially shows in a fallback font and then the text all jumps when the font is loaded.

Meanwhile I get a green check for CDN - presumably because I'm not using Cloudflare, but I am using CloudFront which is AWS.

So the tool's a good idea, but currently very inaccurate.

Meanwhile, mine is actually hosted on GH pages and I get a green mark and a perfect 100% score.
Thanks for the Bugs Bunny. I'm detecting a LINK to GitHub Pages and marking it as hosting. That's wrong - hosting should only flag when the actual page is served from there.

Re fonts: "self-hosted" means fonts served from your domain (vs Google Fonts CDN). If you're using system fonts, that's a detection error on my end.

Both going in on the fix list. Thanks.

I have some feedback for OP: my personal website got 92% because there is a link to my X profile in the contact session. It's not like it relies on the service. Its just a contact and there are also links to other services such as self hosted matrix.

On the other hand my registrar is Namecheap which is in the US and your tool didn't checked for that. I think thats a lot more important in terms of dependance than a link to a social network so you could run a whois lookup to check what registrar is hosting that domain.

1. Link to X profile ≠ dependency on X. Will differentiate links from embeds in v0.2.

2. Registrar check is a good thinking. Already have some stubs in the codebase. Namecheap is US and could theoretically be compelled. Adding to roadmap.

Thanks!

nice idea!

If I may, and not trying to be annoying, on my screen the navigation bar (.navigation-wrapper) covers 90% of the top left buttons (aria-label=breadcrumbs).

Happens with both Chrome and Firefox, macOS, 15" macbook pro.

My customer's site got a 100% while running on azure.
Right. Missed Azure. Fix is live now. Would be great if you could recheck and confirm. Thanks for helping me out by reporting.
In English, unlike German, "1." doesn't mean "1st"/"first".
I find it ironic that in Europe the defacto language for intercommunication is from a country that chose to disassociate itself from the EU. In all, I think it's great that every EU country uses the English language with all their idiosyncrasies and hell be damned about "proper" english.
You can also tell the guy is German because of the strange hyphen between EU and Sovereignty. :P
Very nice tool!

The UI has a few errors on desktop, I cannot see all the issues. The leaderboard... doesn't work ? and the topbar hides some elements

browser: firefox

hmm... it really miss a lot of infrastructure.

take my website for example mrtno.com - it's hosted in europe, ok. but under what legislation the domain register is based? and where is the dns server?

those a crucial information. and they are missing.

So their leatherboard of good examples lists nsa.gov with 100 points.

Is this a parody?

Was a bug. Now some kind of Snowden-Approved-Feature.
Nice, but for me it is reporting false information. I use Vercel, Cloudflare for DNS yet it shows 92%. The only thing it correctly reported was the LinkedIn link. (There is also a GitHub and Bluesky link, which are US companies / services as well).
Hi,

i have fixed the Vercel detection. Also added Netlify header detection (via x-nf-request-id).

DNS-proxieng is not taken into account. Maybe will do that in the future.

Thanks for reporting!

When I check google.com I get a 94% score? Kinda ironic no?
I am proud my website would score a nice round 0% even though I am pure blooded european
How is this calculated? A suspicious amount of people (including myself) get 92%...
I get a 100% for a site hosted in GH pages and which embeds YouTube videos and Google fonts. So this does not seem to be very reliable.
microsoft.com got 92%

my blog which is hosted on namecheap.com, server whois is Los Angeles, got 100%

I guess this is another vibe coding AI slop service which doesn't even render its own top buttons properly (they're covered by some white div).

Have mercy, web devs!

nsa.gov got PERFECT! NO US DEPENDENCIES lmao
Not accurate.

It has nsa.gov on the leaderboard as having no US dependencies.

It wrongly says one of my sites is using Cloudflare.

It says that one of my sites that is hosted in the US (no CDN, US IP address) has no US dependencies.

it treats social media links the same way was embeds.

it gives gov.uk a perfect score. Maybe by design because it is hosted in Europe, but if so it should not say its EU sovereignty.

I do not think that is the case because it also gives a perfect score to https://english.www.gov.cn/

I do not know how it got to the HN front page - people presumably vote it up without checking it actually works.

Its just not anywhere near accurate.

Fair points, all of them.

The nsa.gov thing: :)

The reals: 1. Hosting detection: I'm matching links TO GitHub as hosting ON GitHub. That's wrong. Fix incoming.

2. US-hosted sites getting 100%: My ASN lookup isn't catching everything. I opted against GeoIP services (privacy reasons), but clearly the ASN-only approach has to much gaps.

3. Social links vs embeds: You're right. A link to Twitter isn't a dependency. An embed is. Will differentiate.

4. gov.uk/gov.cn perfect scores: The tool checks infrastructure, not jurisdiction. gov.uk probably serves from EU edge nodes. That said, the name. Also tried to mention this in the Methodology-Modal. But iterating on all legalese and features same time as a single dev did not land well with my sleeping patterns for v0.1. Will fix that too.

"EU sovereignty" is misleading for non-EU countries - point taken. Will think about better framings.

Update on the Cloudflare point: I now detect Vercel and Netlify hosting via response headers (catches custom domains). Cloudflare as CDN/DNS proxy is intentionally not flagged as US hosting — the origin server behind it could be EU. This is documented in the methodology popup.

The other issues you raised (social links vs embeds, US-hosted sites not detected) were fixed in earlier updates.