92/100
SECURITY SCORE
Certificate Information
Subject: CN=voomly.com
Issuer: C=US, O=Amazon, CN=Amazon RSA 2048 M01
Valid From: November 10, 2025
Valid Until: December 08, 2026 (340 days)
Public Key: RSA, 2048 bit (Adequate)
Signature Algorithm: SHA256-RSA
SHA-256 Fingerprint: B0:0F:A0:E9:7C:D1:C3:FB:EC:D3:26:BF:8C:10:3E:00:35:A5:BC:E3:C2:BC:0B:44:52:BF:C8:58:E8:AD:6F:95
Alternative Names
Security Configuration
TLS Protocols: TLS 1.1, TLS 1.2, TLS 1.3
Forward Secrecy: Supported (Modern clients use PFS)
Warnings
- TLS 1.1 is deprecated and should be disabled
HTTP Security Headers
Status
Strict-Transport-Security: Excellent
max-age=63072000; includeSubDomains; preload
Content-Security-Policy: Basic
default-src 'self'; img-src 'self' data: blob: *.voomly.com *.voomly-staging.com *.voomly-dev.com *.bootstrap-cloud.com *.bootstrap-cloud-staging.com *.bootstrap-cloud-dev.com embed-ssl.wistia.com *.userflow.com clickfunnels.zendesk.com i.vimeocdn.com; media-src 'self' blob: *.voomly.com *.voomly-staging.com *.voomly-dev.com *.userflow.com *.zdassets.com dm0qx8t0i9gc9.cloudfront.net; script-src 'self' 'unsafe-eval' data: blob: cdn.lr-ingest.io www.google.com www.gstatic.com *.voomly.com *.voomly-staging.com *.voomly-dev.com *.osano.com *.zdassets.com *.userflow.com *.stripe.com *.cloudflare.com *.hotjar.com 'sha256-sMrh8r6jDNfg7Vs1tjyHVedwFe9QxUx/fQBJWGTtaZg=' 'sha256-yUZK28O46PkHNQbaOq8dtHNfuWb+GBzS8pMAf70oqoY='; style-src 'self' 'unsafe-inline' fonts.gstatic.com fonts.googleapis.com *.userflow.com *.voomly.com *.voomly-staging.com *.voomly-dev.com; object-src 'none'; font-src data: fonts.gstatic.com; connect-src 'self' ws: wss: *.voomly.com *.voomly-staging.com *.voomly-dev.com *.bootstrap-cloud.com *.bootstrap-cloud-staging.com *.bootstrap-cloud-dev.com *.s3-accelerate.amazonaws.com *.s3.amazonaws.com s3.amazonaws.com *.s3.us-east-1.amazonaws.com r.lr-ingest.io *.sentry.io tattle.api.osano.com http://127.0.0.1:25123 *.userflow.com *.launchdarkly.com *.zdassets.com *.zendesk.com *.hotjar.com *.hotjar.io *.mixpanel.com; frame-src www.google.com *.stripe.com *.cloudflare.com; manifest-src 'self' blob:;
X-Frame-Options: Excellent
DENY
X-Content-Type-Options: Good
nosniff
Referrer-Policy: Good
no-referrer
Permissions-Policy: Missing
Not configured
Recommendations
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records: Not Configured (Any CA can issue certificates)
CAA Issues
- No CAA records configured - any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding 'iodef' record to receive security incident reports