SSL Certificate Analysis for aman.com - Security Grade & TLS Configuration

Open Cached · just now

86/100 SECURITY SCORE

Certificate Information

Subject

CN=sendmethere.net

Issuer

C=US, O=Let's Encrypt, CN=R13

Valid From

January 19, 2026

Valid Until

April 19, 2026 79 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

04:1D:64:1C:A3:D8:94:C4:B9:1E:BC:C5:42:7B:D0:B7:14:EE:8B:72:E0:F1:58:4E:D6:15:DE:3C:E1:34:70:92

Alternative Names

10 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

default-src; worker-src; script-src; +9 more

default-src 'self' blob: *.aman-d8.my127.site *.brightcove.net *.brightcove.com *.boltdns.net *.akamaihd.net *.typekit.net *.nr-data.net *.buyatab.com *.aman.com *.quantummetric.com cloud.typography.com *.sojern.com 'unsafe-inline' 'unsafe-eval'; worker-src blob: *.aman.com *.rudderlabs.com; script-src 'self' 'unsafe-inline' blob: *.googleapis.com 'unsafe-eval' *.brightcove.net *.googletagmanager.com *.newrelic.com *.nr-data.net *.typekit.net *.buyatab.com *.aman.com *.ipstack.com *.quantummetric.com *.doubleclick.net *.googleadservices.com impactradius-event.com utt.impactcdn.com *.cinnox.com *.gstatic.com *.onetrust.com *.synxis.com *.recaptcha.net *.google.com logs-01.loggly.com ojrq.net *.zencdn.net *.thehotelsnetwork.com *.google-analytics.com https://d2wy8f7a9ursnm.cloudfront.net/v6/bugsnag.min.js *.analytics.google.com s.yimg.jp snap.licdn.com connect.facebook.net d.line-scdn.net p.relay-t.io js.sentry-cdn.com *.yahoo.co.jp *.clarity.ms bat.bing.com cdn.linkedin.oribi.io https://cdn.jsdelivr.net/gh/jonthornton/[email protected]/jquery.timepicker.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/intlTelInput-jquery.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/intlTelInput.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/utils.js fxgate.baidu.com secure-hotel-tracker.com newbooking.azds.com *.cinnox.cn https://*.googletagmanager.com aman-d8.my127.site browser.sentry-cdn.com *.visualwebsiteoptimizer.com app.vwo.com https://acsbapp.com https://accesswidget-log-receiver.acsbapp.com https://global.localizecdn.com https://js.appboycdn.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://js.adsrvr.org https://*.cloudflare.com https://*.metrics.brightcove.com api.mapbox.com js-agent.newrelic.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com *.sojern.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' cloud.typography.com *.buyatab.com *.aman.com *.cinnox.com *.googleapis.com *.bootstrapcdn.com *.synxis.com *.thehotelsnetwork.com https://cdn.jsdelivr.net/gh/jonthornton/[email protected]/jquery.timepicker.min.css https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/css/intlTelInput.min.css newbooking.azds.com cdnjs.cloudflare.com *.cinnox.cn *.aman-d8.my127.site *.visualwebsiteoptimizer.com app.vwo.com https://use.fontawesome.com api.mapbox.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com; img-src 'self' data: about: *.brightcove.net *.brightcove.com *.googletagmanager.com *.buyatab.com *.aman.com *.cinnox.com *.boltdns.net *.google-analytics.com *.onetrust.com *.thehotelsnetwork.com https://www.google.com https://www.google.com.uk https://www.google.co.uk https://px.ads.linkedin.com https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/img/flags.png bat.bing.com tr.line.me ad.doubleclick.net doubleclick.net www.facebook.com *.clarity.ms newbooking.azds.com dbmajt85xhr99.cloudfront.net controlcenter-p1.synxis.com newbooking.azds.com dbmajt85xhr99.cloudfront.net d1t1qzzb2zwrre.cloudfront.net *.bing.com *.linkedin.com *.cinnox.cn https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com *.aman-d8.my127.site *.visualwebsiteoptimizer.com chart.googleapis.com app.vwo.com appboy-images.com braze-images.com cdn.braze.eu https://ade.googlesyndication.com *.mapbox.com https://*.cloudflare.com api.mapbox.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com; media-src 'self' blob: *.buyatab.com *.aman.com *.akamaihd.net *.boltdns.net *.aman-d8.my127.site *.brightcovecdn.com *.media.brightcove.com *.cf.brightcove.com; frame-src *; frame-ancestors 'self'; child-src *; font-src 'self' data: *.typekit.net *.aman.com *.gstatic.com *.cinnox.com *.thehotelsnetwork.com newbooking.azds.com dbmajt85xhr99.cloudfront.net d1t1qzzb2zwrre.cloudfront.net *.cinnox.cn *.aman-d8.my127.site https://use.fontawesome.com; connect-src 'self' *.aman.com *.boltdns.net *.thehotelsnetwork.com *.quantummetric.com *.akamaihd.net *.doubleclick.net *.google-analytics.com *.nr-data.net ws: 'unsafe-eval' *.googleapis.com *.onetrust.com *.synxis.com *.cinnox.com impactradius-event.com utt.impactcdn.com *.brightcove.com ojrq.net logs-01.loggly.com amanresorts.pxf.io sessions.bugsnag.com p.relay-t.io cdn.linkedin.oribi.io pagead2.googlesyndication.com *.clarity.ms newbooking.azds.com *.analytics.google.com *.cinnox.cn https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com *.aman-d8.my127.site px.ads.linkedin.com am.yahoo.co.jp *.visualwebsiteoptimizer.com app.vwo.com https://cdn.acsbapp.com/config/stage.www.aman.com/config.json https://cdn.acsbapp.com/cache/app/wildcards.json https://sdk.iad-01.braze.com https://sdk.fra-02.braze.eu https://www.facebook.com *.mapbox.com p.typekit.net use.typekit.net fastly-signed-eu-west-1-prod.brightcovecdn.com *.brightcovecdn.com insight.adsrvr.org bat.bing.com apm.yahoo.co.jp https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com *.sojern.com; upgrade-insecure-requests

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

10 domains

aman.com

Other domains in certificate

amanrosaalpina.com www.amanrosaalpina.com

amanvari.com

amanyara.com www.amanyara.com

amanzoe.com www.amanzoe.com

sendmethere.net *.sendmethere.net