Open
Cached
·
just now
85/100
SECURITY SCORE
Certificate Information
Subject
CN=*.nutrient.io
Issuer
C=US, O=Amazon, CN=Amazon RSA 2048 M04
Valid From
September 23, 2025
Valid Until
October 22, 2026
262 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
BD:64:0E:7F:B5:BD:09:BA:57:7F:8A:60:31:1E:BD:A1:9D:D5:69:E2:4E:F4:C1:19:37:A1:45:1B:E7:D0:0E:93
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
Forward Secrecy
Limited
(Check cipher configuration)
Warnings
- • TLS 1.3 is not supported (recommended)
HTTP Security Headers
Status
Strict-Transport-Security
Missing
Not configured
Content-Security-Policy
Basic
base-uri; connect-src; default-src; +10 more
base-uri 'self' dashboard.nutrient.io dashboard.pspdfkit.com; connect-src 'self' https://www.nutrient.io dashboard.nutrient.io dashboard.pspdfkit.com *.sentry.io https://*.googletagmanager.com https://gtm.nutrient.io https://*.google-analytics.com https://*.analytics.google.com https://*.g.doubleclick.net https://*.google.com https://adservice.google.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://consentcdn.cookiebot.com https://consent.cookiebot.com https://*.lottiefiles.com https://lottie.host https://api.kapa.ai https://metrics.kapa.ai https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://www.google.com https://pa.nutrient.io https://cta-eu1.hubspot.com https://analytics.ahrefs.com https://c.6sc.co https://ipv6.6sc.co https://epsilon.6sense.com https://px.ads.linkedin.com https://tracking-api.g2.com https://bat.bing.com; default-src 'self' dashboard.nutrient.io dashboard.pspdfkit.com; font-src 'self' blob: data: dashboard.nutrient.io dashboard.pspdfkit.com https://fonts.gstatic.com https://script.hotjar.com; frame-ancestors 'self' dashboard.nutrient.io dashboard.pspdfkit.com; frame-src 'self' https://www.youtube.com/ dashboard.nutrient.io dashboard.pspdfkit.com https://*.googletagmanager.com https://gtm.nutrient.io https://www.google.com https://vars.hotjar.com https://consentcdn.cookiebot.com https://cta-eu1.hubspot.com https://*.paddle.com; img-src 'self' blob: data: https: dashboard.nutrient.io dashboard.pspdfkit.com https://px.ads.linkedin.com; media-src 'self' blob: data: dashboard.nutrient.io dashboard.pspdfkit.com; object-src dashboard.nutrient.io dashboard.pspdfkit.com; report-to csp-endpoint; report-uri https://o15437.ingest.sentry.io/api/5775608/security/?sentry_key=093630cf40114d8abf8b27a65aa00809&sentry_environment=production; script-src * 'unsafe-inline' 'unsafe-eval' blob: https://*.googletagmanager.com https://gtm.nutrient.io https://*.google-analytics.com https://*.googleadservices.com https://static.hotjar.com https://script.hotjar.com https://widget.kapa.ai https://www.google.com https://www.gstatic.com https://pa.nutrient.io https://cta-eu1.hubspot.com; style-src 'self' dashboard.nutrient.io dashboard.pspdfkit.com https://static.hotjar.com https://script.hotjar.com 'unsafe-inline' https://fonts.googleapis.com https://*.paddle.com;
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
- • Add Strict-Transport-Security header with max-age of at least 1 year
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- • No CAA records configured - any CA can issue certificates
Recommendations
- • Implement CAA records to restrict which CAs can issue certificates for your domain
- • This adds an extra layer of security against unauthorized certificate issuance
- • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- • Consider adding 'iodef' record to receive security incident reports