OpenSSL CVE-2014-0160 Heartbleed vulnerability test

go get



Tests your servers for OpenSSL CVE-2014-0160 aka Heartbleed.

WARNING: No guarantees are made about the accuracy of results, and you should verify them independently by checking your OpenSSL build.

Pull requests welcome.


$ heartbleeder
INSECURE - has the heartbeat extension enabled and is vulnerable

Multiple hosts

Multiple hosts may be monitored by setting the -hostfile flag to a file with newline-separated addresses. A web dashboard is available at http://localhost:5000 by default.

Testing PostgreSQL

Postgres uses OpenSSL in a slightly different way. To test whether a Postgres server is vulnerable, run the following (defaults to port 5432):

$ heartbleeder -pg
SECURE - example:5432 does not have the heartbeat extension enabled
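
Why Postgres needs its own mode, as an added example (not heartbleeder's own code): in the PostgreSQL wire protocol the client first sends an 8-byte SSLRequest message and waits for a one-byte answer, and only after 'S' does the TLS handshake begin on that connection. The function names and the in-memory fake server below are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// buildSSLRequest returns the 8-byte SSLRequest: int32 length 8, int32 code 80877103.
func buildSSLRequest() []byte {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint32(msg[0:4], 8)
	binary.BigEndian.PutUint32(msg[4:8], 80877103)
	return msg
}

// negotiatePGSSL sends SSLRequest and reads the one-byte answer: 'S' means the
// TLS handshake may start on this connection, 'N' means TLS is not offered.
func negotiatePGSSL(conn io.ReadWriter) (bool, error) {
	if _, err := conn.Write(buildSSLRequest()); err != nil {
		return false, err
	}
	resp := make([]byte, 1)
	if _, err := io.ReadFull(conn, resp); err != nil {
		return false, err
	}
	if resp[0] != 'S' && resp[0] != 'N' {
		return false, fmt.Errorf("unexpected SSLRequest response %q", resp[0])
	}
	return resp[0] == 'S', nil
}

// probe negotiates with a constructed in-memory fake server (not a real host).
func probe(answer byte) (bool, error) {
	client, server := net.Pipe()
	defer client.Close()
	go func() {
		defer server.Close()
		io.ReadFull(server, make([]byte, 8)) // consume the SSLRequest
		server.Write([]byte{answer})
	}()
	return negotiatePGSSL(client)
}

func main() {
	ok, err := probe('S') // constructed answer byte
	fmt.Printf("TLS offered=%v err=%v\n", ok, err)
}
```

A server that answers 'N' never reaches OpenSSL on that port, so a plain TLS probe against 5432 without this preamble says nothing about the server's OpenSSL build.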


Binaries are available from

Build from source by running go get -u, which will put the code in $GOPATH/src/ and a binary at $GOPATH/bin/heartbleeder.

Requires Go version >= 1.2. On Ubuntu, godeb is an easy way of getting the latest version of Go.


The TLS implementation was borrowed from the Go standard library.