Open
Cached
·
just now
95/100
SECURITY SCORE
Certificate Information
Subject
CN=app.supabase.io
Issuer
C=US, O=Let's Encrypt, CN=R12
Valid From
December 19, 2025
Valid Until
March 19, 2026
51 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
76:08:B8:90:3F:63:BF:37:68:20:28:9B:E2:C0:98:6B:6B:3F:23:1F:C0:85:B4:BA:46:97:D3:25:EC:FA:8B:07
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=31536000; includeSubDomains; preload
Content-Security-Policy
Basic
default-src; img-src; script-src; +10 more
default-src 'self' https://api.supabase.com http://localhost:8000 https://auth.supabase.io ws://localhost:8000 wss://localhost:8000 https://*.supabase.co wss://*.supabase.co https://*.hcaptcha.com https://cdn-global.configcat.com https://configcat.supabase.com https://*.stripe.com https://*.stripe.network https://www.cloudflare.com https://*.vercel-insights.com https://api.github.com https://raw.githubusercontent.com https://frontend-assets.supabase.com https://*.usercentrics.eu https://ss.supabase.com https://maps.googleapis.com https://ph.supabase.com https://cdnjs.cloudflare.com wss://*.pusher.com https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://*.ingest.de.sentry.io; img-src 'self' blob: data: http://localhost:8000 https://supabase.com https://*.supabase.co https://avatars.githubusercontent.com https://lh3.googleusercontent.com https://frontend-assets.supabase.com https://app.usercentrics.eu https://ss.supabase.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com https://js.hcaptcha.com https://js.stripe.com https://frontend-assets.supabase.com https://ss.supabase.com https://ph.supabase.com https://vercel.live https://*.pusher.com https://maps.googleapis.com; frame-src 'self' https://newassets.hcaptcha.com https://js.stripe.com https://ss.supabase.com https://vercel.live; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://frontend-assets.supabase.com https://vercel.live; font-src 'self' https://cdnjs.cloudflare.com https://frontend-assets.supabase.com https://vercel.live; worker-src 'self' blob: data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content; upgrade-insecure-requests;
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Present
no-sniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Configured
(Restricts certificate issuance)
Current Issuer
Authorized
(Matches CAA policy)
Authorized CAs
Recommendations
- • Consider using critical flag (flags=128) for stricter CAA enforcement
- • Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
- • Consider adding 'issuewild' records to control wildcard certificate issuance