SSL Certificate Analysis for airnzagent.co.nz - Security Grade & TLS Configuration

Open Cached · just now

95/100 SECURITY SCORE

Certificate Information

Subject

CN=www.airnewzealand.co.nz

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M04

Valid From

November 19, 2025

Valid Until

December 18, 2026 389 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

91:DD:A9:A2:EB:C9:E0:14:D1:1F:60:64:AB:94:7B:FC:E2:18:68:34:CC:DD:5F:57:8E:7B:8D:A8:DB:0B:E1:A1

Alternative Names

97 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains;

Content-Security-Policy

Basic

block-all-mixed-content; default-src; base-uri; +11 more

block-all-mixed-content; default-src 'self'; base-uri 'self'; form-action 'self' flightbookings.airnewzealand.ca flightbookings.airnewzealand.cn flightbookings.airnewzealand.co.jp flightbookings.airnewzealand.co.kr flightbookings.airnewzealand.co.nz flightbookings.airnewzealand.co.uk flightbookings.airnewzealand.com flightbookings.airnewzealand.com.au flightbookings.airnewzealand.com.cn flightbookings.airnewzealand.com.hk flightbookings.airnewzealand.com.sg flightbookings.airnewzealand.com.tw flightbookings.airnewzealand.eu flightbookings.airnewzealand.hk flightbookings.airnewzealand.jp flightbookings.airnewzealand.kr flightbookings.airnewzealand.pf flightbookings.airnewzealand.tw flightbookings.grabaseat.co.nz govtbookings.airnewzealand.co.nz; script-src 'self' p-airnz.com 'unsafe-inline' 'unsafe-eval' flightbookings.airnewzealand.co.nz *.demdex.net www.everestjs.net https://unpkg.com/[email protected]/dist/chat-adapter.js *.googleapis.com *.gstatic.com *.google.com *.ggpht.com *.googleusercontent.com www.google-analytics.com analytics.google.com tagmanager.google.com www.googletagmanager.com *.doubleclick.net https://widget.timatic.iata.org/scripts/iata-timatic-widget-live.js md-scp.kampyle.com sbt-prod.kampyle.com nebula-cdn.kampyle.com udc-neb.kampyle.com analytics-fe.digital-cloud-syd1.medallia.com.au cdn-au.onetrust.com cdn-assets-prod.s3.amazonaws.com *.optimizely.com optimizely-hrd.appspot.com optimizely.s3.amazonaws.com s.swiftypecdn.com player.vimeo.com s.wayin.com xd.wayin.com x.wayin.com eu-x.wayin.com s.engagesciences.com display.engagesciences.com display.wayin.com www.youtube.com s.ytimg.com; style-src 'unsafe-inline' p-airnz.com fonts.googleapis.com tagmanager.google.com s.swiftypecdn.com; img-src https: data: blob: www.google.com www.googletagmanager.com *.kampyle.com i.vimeocdn.com i.ytimg.com; font-src p-airnz.com *.cdn.office.net fonts.googleapis.com fonts.gstatic.com data: dhm5hy2vn8l0l.cloudfront.net; media-src 'self' p-airnz.com data: video.cdnvue.com; frame-src 'self' *.demdex.net www.everestjs.net pixel.everesttech.net comms.omnichannelengagementhub.com customervoice.microsoft.com *.google.com *.doubleclick.net www.googletagmanager.com nebula-cdn.kampyle.com *.cdn-pci.optimizely.com v.qq.com player.vimeo.com xd.wayin.com x.wayin.com eu-x.wayin.com display.engagesciences.com airnz.wufoo.com player.youku.com www.youtube.com; connect-src 'self' api.airnz.io api.airnz.ai p-airnz.com *.demdex.net *.tt.omtrdc.net browser.pipe.aria.microsoft.com *.omnichannelengagementhub.com *.au.omnichannelengagementhub.com https://*.trouter.skype.com wss://*.trouter.skype.com edge.skype.com *.communication.azure.com ocsdk-prod.azureedge.net blob: *.googleapis.com *.google.com *.gstatic.com www.google-analytics.com region1.google-analytics.com region1.analytics.google.com analytics.google.com stats.g.doubleclick.net pagead2.googlesyndication.com www.google.com https://widget.timatic.iata.org/api/ md-scp.kampyle.com sbt-prod.kampyle.com nebula-cdn.kampyle.com udc-neb.kampyle.com analytics-fe.digital-cloud-syd1.medallia.com.au cdn-au.onetrust.com geolocation.onetrust.com privacyportal-au.onetrust.com *.optimizely.com s.swiftypecdn.com search-api.swiftype.com; object-src 'none'; frame-ancestors 'none'; report-uri /csp-report

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin

Permissions-Policy

Present

geolocation=(self "https://p-airnz.com"), camera=(), fullscreen=(self "https://www.youtube.com"), accelerometer=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), screen-wake-lock=(), sync-xhr=(*), usb=(), web-share=(self), clipboard-read=(), clipboard-write=()

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

amazonaws.com amazontrust.com awstrust.com amazon.com

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• You have authorized 4 CAs - consider limiting to only the CAs you actively use
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
• Consider adding 'issuewild' records to control wildcard certificate issuance