SSL Certificate Analysis for auth.paddle.com - Security Grade & TLS Configuration

Open Cached · just now

94/100 SECURITY SCORE

Certificate Information

Subject

CN=auth.paddle.com

Issuer

C=US, O=Let's Encrypt, CN=E7

Valid From

December 05, 2025

Valid Until

March 05, 2026 48 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA384

SHA-256 Fingerprint

39:BA:A0:36:B6:3C:F8:5C:06:BE:D0:B4:B1:AF:37:72:AF:05:D9:73:40:44:72:65:70:58:B2:57:42:9B:8D:D7

Alternative Names

1 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

base-uri; default-src; worker-src; +11 more

base-uri 'self'; default-src 'self' blob: data: https: ; worker-src 'self' blob:; frame-ancestors 'self' http://localhost:9999 *.paddle.com *.prismic.io https://www.profitwell.com https://paddle.enablix.com https://paddle.letter.ai; media-src 'self' blob: data: https: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.visualwebsiteoptimizer.com app.vwo.com tag.unifyintent.com unifyintent.com *.stackadapt.com *.twitter.com *.iubenda.com connect.facebook.net *.cloudfront.net *.hsforms.com googleads.g.doubleclick.net *.hs-analytics.net *.hs-banner.com *.hs-scripts.com *.hsforms.net *.hsleadflows.net *.hotjar.com *.licdn.com *.ads-twitter.com *.doubleclick.net *.google-analytics.com *.google.com *.googleadservices.com *.googletagmanager.com *.gstatic.com *.redditstatic.com *.youtube.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net prod-assets.sequelvideo.com https: ; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' *.visualwebsiteoptimizer.com app.vwo.com tag.unifyintent.com unifyintent.com *.youtube.com *.wistia.com *.licdn.com *.ads-twitter.com *.doubleclick.net *.hotjar.com *.redditstatic.com *.profitwell.com *.bing.com js.hubspot.com *.hs-analytics.net *.hs-banner.com *.hsadspixel.net www.clarity.ms *.hs-scripts.com connect.facebook.net *.rudderlabs.com *.influ2.com *.stackadapt.com *.metadata.io *.clearbitscripts.com *.clearbitjs.com *.kustomerapp.com *.qualified.com *.iubenda.com *.netlify.app *.hsforms.net *.googletagmanager.com *.googleapis.com prismic.io *.prismic.io *.mplat-ppcprotect.com status.io dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net tracking.g2crowd.com cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack.min.js cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack-qualified.min.js js.stripe.com/v3/ cdnjs.cloudflare.com/polyfill/ prod-assets.sequelvideo.com; style-src 'self' 'unsafe-inline' *.visualwebsiteoptimizer.com app.vwo.com *.cloudfront.net *.youtube.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net s3.amazonaws.com https: blob: ; object-src 'none'; font-src 'self' *.cloudfront.net *.gstatic.com data: https: ; connect-src 'self' *.visualwebsiteoptimizer.com app.vwo.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net *.qualified.com ws: wss: https: data: ; img-src 'self' *.visualwebsiteoptimizer.com app.vwo.com useruploads.vwo.io *.googletagmanager.com *.ctfassets.net *.reddit.com *.cloudfront.net *.ytimg.com *.adsymptotic.com *.ads.linkedin.com t.co *.hubspot.com *.facebook.com *.google.com *.youtube.com *.ggpht.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net chart.googleapis.com wingify-assets.s3.amazonaws.com data: https:; frame-src 'self' paddle.chilipiper.com *.visualwebsiteoptimizer.com app.vwo.com paddle.prismic.io www.googletagmanager.com *.youtube.com *.wistia.net *.wistia.com *.hsforms.com paddle.kustomer.help *.kustomerapp.com *.qualified.com app.netlify.com *.doubleclick.net *.prismic.io www.slideshare.net dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net js.stripe.com *.sequel.io; upgrade-insecure-requests;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

letsencrypt.org

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

1 domain

auth.paddle.com