Security Score: 94/100
Certificate Information
Subject: CN=*.retrium.com
Issuer: C=US, O=Amazon, CN=Amazon RSA 2048 M03
Valid From: July 02, 2025
Valid Until: July 30, 2026 (171 days)
Public Key: RSA, 2048 bit (Adequate)
Signature Algorithm: SHA256-RSA
SHA-256 Fingerprint: 84:32:82:C2:9D:E5:B1:E5:51:A1:A3:6D:60:B2:AA:AB:18:76:04:EC:B6:BD:43:0B:50:24:F1:60:63:0B:F8:3C
Alternative Names
Security Configuration
TLS Protocols: TLS 1.2, TLS 1.3
Forward Secrecy: Supported (Modern clients use PFS)
HTTP Security Headers (header: status, followed by the header value)
Strict-Transport-Security: Present
max-age=15552000; includeSubDomains
Content-Security-Policy: Basic (script-src; style-src; img-src; +7 more)
script-src 'self' 'unsafe-eval' 'unsafe-inline' retrium-public.s3.amazonaws.com maxcdn.bootstrapcdn.com oss.maxcdn.com code.jquery.com *.google.com *.gstatic.com *.google-analytics.com *.googleadservices.com googleads.g.doubleclick.net *.googletagmanager.com tagmanager.google.com *.auth0.com ajax.googleapis.com connect.facebook.net js.stripe.com checkout.stripe.com js.hs-scripts.com js.hs-banner.com js.hs-analytics.net js.hsadspixel.net js.hsleadflows.net js.hscollectedforms.net js.usemessages.com js.hsforms.net js-na1.hs-scripts.com *.hubspotfeedback.com tag.marinsm.com pixel-geo.prfct.co static.ads-twitter.com analytics.twitter.com bat.bing.com snap.licdn.com rum-static.pingdom.net *.redditstatic.com auth.retrium.com accounts.google.com/gsi/client https://*.wistia.com https://*.wistia.net https://src.litix.io https://button.glitch.me embed.typeform.com https://static.hotjar.com https://script.hotjar.com/ *.newrelic.com https://static.retrium.com/29.1.6;
style-src 'self' 'unsafe-inline' *.googleapis.com *.googletagmanager.com tagmanager.google.com fonts.google.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com accounts.google.com/gsi/style https://fast.wistia.com https://button.glitch.me https://static.retrium.com/29.1.6;
img-src 'self' data: www.google.com api.atlassian.com *.google-analytics.com *.googleusercontent.com *.gstatic.com *.facebook.com *.auth0.com *.stripe.com track.hubspot.com cdn2.hubspot.net pixel-geo.prfct.co *.adnxs.com ads.yahoo.com us-u.openx.net *.doubleclick.net t.co bat.bing.com px.ads.linkedin.com p.adsymptotic.com alb.reddit.com https://*.wistia.com https://*.wistia.net https://embedwistia-a.akamaihd.net https://glitch.com https://cdn.glitch.com https://avatars0.githubusercontent.com avatars.slack-edge.com https://static.retrium.com/29.1.6;
font-src 'self' data: *.bootstrapcdn.com *.gstatic.com cdn.auth0.com cdnjs.cloudflare.com fonts.googleapis.com fonts.gstatic.com https://*.wistia.com https://static.retrium.com/29.1.6;
child-src 'self' www.google.com js.stripe.com checkout.stripe.com app.hubspot.com https://static.retrium.com/29.1.6;
frame-ancestors https://static.retrium.com/29.1.6;
frame-src *.google.com js.stripe.com app.hubspot.com accounts.google.com/gsi/ https://fast.wistia.com https://fast.wistia.net https://static.retrium.com/29.1.6;
connect-src * api.ipify.org retrium.geminiops-client.com accounts.google.com/gsi/ https://*.litix.io https://*.wistia.com https://embedwistia-a.akamaihd.net https://api.glitch.com https://static.retrium.com/29.1.6;
media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net https://embedwistia-a.akamaihd.net static.retrium.com;
default-src https://*.wistia.com https://*.wistia.net
X-Frame-Options: Good
SAMEORIGIN
X-Content-Type-Options: Good
nosniff
Referrer-Policy: Good
strict-origin-when-cross-origin
Permissions-Policy: Present
accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), clipboard-read=(), clipboard-write=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
Recommendations
- Increase HSTS max-age to at least 1 year and add includeSubDomains
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
CAA Records (Certificate Authority Authorization)
CAA Records: Configured (Restricts certificate issuance)
Current Issuer: Authorized (Matches CAA policy)
Authorized CAs
Recommendations
- Consider using critical flag (flags=128) for stricter CAA enforcement
- Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
- Consider adding 'issuewild' records to control wildcard certificate issuance