Skip to content is intended for manual testing of web security in clients and test tolos
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Please note that this project is in beta, due to requirements to be completed by MozFest.

Visit for a list of test subdomains, including:

Server Setup

Stock Ubuntu VM, DNS A records for badsite.test. and *.badsite.test. pointing to the VM.

Testing and development

  1. Follow the instructions to install Docker.

  2. Clone into the badsite repo by running git clone && cd

  3. In order to access the various badsite subdomains locally you will need to add them to your system hosts file. Run make list-hosts and copy and paste the output into /etc/hosts.

  4. Start Docker by running make serve.

  5. You can now navigate to badsite.test in your browser, and you should see a certificate error.

  6. The badsite root certificate is at certs/sets/test/gen/crt/ca-root.crt. In order to get the rest of the badsite subdomains working, you will need to add this to your machine's list of trusted certificates.

    • On macOS, drag certs/sets/test/gen/crt/ca-root.crt into the login section of the program Keychain Access. A BadSite Root Certificate Authority entry should appear in the list. Double-click on this entry and select "Use Custom Settings" from the drop-down menu next to "When using this certificate." Then select "Always Trust" from the drop-down menu next to "Secure Sockets Layer (SSL)." Close the window to save your changes.

      If you are already familiar with this process, you can instead run this command:

      security add-trusted-cert -r trustRoot -p ssl \
        -k "$HOME/Library/Keychains/login.keychain" certs/sets/test/gen/crt/ca-root.crt
  7. In order to preserve the root certificate even after running make clean, run:

cd certs/sets/test
mkdir -p pregen/crt pregen/key
cp gen/crt/ca-root.crt pregen/crt/ca-root.crt
cp gen/key/ca-root.key pregen/key/ca-root.key

Acknowledgments is hosted on Mozilla infrastructure and co-maintained by:

Disclaimer is meant for manual testing of web security in clients and test tools.

Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.) is not an official Mozilla or Google product. It is offered "AS-IS" and without any warranties.

You can’t perform that action at this time.