SSL Certificate Analysis for blog.aurora.dev - Security Grade & TLS Configuration

Open Cached · just now

91/100 SECURITY SCORE

Certificate Information

Subject

CN=blog.aurora.dev

Issuer

C=US, O=Let's Encrypt, CN=R12

Valid From

November 22, 2025

Valid Until

February 20, 2026 35 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

FA:D9:D8:F0:A6:D7:66:42:19:34:76:1D:7A:CD:D6:40:DD:78:1D:49:04:3F:B6:B3:2E:9A:B0:C8:CF:34:75:78

Alternative Names

1 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000

Content-Security-Policy

Good

default-src; frame-src; frame-ancestors; +6 more

default-src 'self'; frame-src 'self' www.googletagmanager.com www.google.com customer-fqk3oatg6fm4ie14.cloudflarestream.com www.youtube.com; frame-ancestors 'self' https://cms.aurora.dev https://plugins-cdn.datocms.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; img-src 'self' data: sa.aurora.dev www.googletagmanager.com www.datocms-assets.com raw.githubusercontent.com/aurora-is-near/ customer-fqk3oatg6fm4ie14.cloudflarestream.com i.imgur.com *.google.com *.google.ad *.google.ae *.google.com.af *.google.com.ag *.google.com.ai *.google.al *.google.am *.google.co.ao *.google.com.ar *.google.as *.google.at *.google.com.au *.google.az *.google.ba *.google.com.bd *.google.be *.google.bf *.google.bg *.google.com.bh *.google.bi *.google.bj *.google.com.bn *.google.com.bo *.google.com.br *.google.bs *.google.bt *.google.co.bw *.google.by *.google.com.bz *.google.ca *.google.cd *.google.cf *.google.cg *.google.ch *.google.ci *.google.co.ck *.google.cl *.google.cm *.google.cn *.google.com.co *.google.co.cr *.google.com.cu *.google.cv *.google.com.cy *.google.cz *.google.de *.google.dj *.google.dk *.google.dm *.google.com.do *.google.dz *.google.com.ec *.google.ee *.google.com.eg *.google.es *.google.com.et *.google.fi *.google.com.fj *.google.fm *.google.fr *.google.ga *.google.ge *.google.gg *.google.com.gh *.google.com.gi *.google.gl *.google.gm *.google.gr *.google.com.gt *.google.gy *.google.com.hk *.google.hn *.google.hr *.google.ht *.google.hu *.google.co.id *.google.ie *.google.co.il *.google.im *.google.co.in *.google.iq *.google.is *.google.it *.google.je *.google.com.jm *.google.jo *.google.co.jp *.google.co.ke *.google.com.kh *.google.ki *.google.kg *.google.co.kr *.google.com.kw *.google.kz *.google.la *.google.com.lb *.google.li *.google.lk *.google.co.ls *.google.lt *.google.lu *.google.lv *.google.com.ly *.google.co.ma *.google.md *.google.me *.google.mg *.google.mk *.google.ml *.google.com.mm *.google.mn *.google.ms *.google.com.mt *.google.mu *.google.mv *.google.mw *.google.com.mx *.google.com.my *.google.co.mz *.google.com.na *.google.com.ng *.google.com.ni *.google.ne *.google.nl *.google.no *.google.com.np *.google.nr *.google.nu *.google.co.nz *.google.com.om *.google.com.pa *.google.com.pe *.google.com.pg *.google.com.ph *.google.com.pk *.google.pl *.google.pn *.google.com.pr *.google.ps *.google.pt *.google.com.py *.google.com.qa *.google.ro *.google.ru *.google.rw *.google.com.sa *.google.com.sb *.google.sc *.google.se *.google.com.sg *.google.sh *.google.si *.google.sk *.google.com.sl *.google.sn *.google.so *.google.sm *.google.sr *.google.st *.google.com.sv *.google.td *.google.tg *.google.co.th *.google.com.tj *.google.tl *.google.tm *.google.tn *.google.to *.google.com.tr *.google.tt *.google.com.tw *.google.co.tz *.google.com.ua *.google.co.ug *.google.co.uk *.google.com.uy *.google.co.uz *.google.com.vc *.google.co.ve *.google.vg *.google.co.vi *.google.com.vn *.google.vu *.google.ws *.google.rs *.google.co.za *.google.co.zm *.google.co.zw *.google.cat; media-src 'self' data: www.datocms-assets.com; script-src 'self' 'sha256-xq2GjnsgpfYkB4Z+c9yYwcOSCxc4OMp1SbaARDhTH7U=' 'sha256-/7TKSGjBqug2/rbMfKIQ7UNRLXVRHHHsbQ09sKpnfHA=' 'sha256-CA+WQBPlufcdIkUhUDOoZD+LI9nFG5pEQ8mVu8YjH3Q=' 'sha256-t3DYCVDcnkeWqhRaJ++OnKtvbXPcGFLzLgAmW3zGlMg=' 'sha256-szEtXECLEj1seQDq9vCkK7YChg8efAcuHzIOEXE7Rqk=' 'sha256-gRcmQ01AhQiVriXIkh44b2DVv33lteAxtcZUaRhZe9M=' 'sha256-IAQgH51hucmD4nWYKwhNCUQUJv/uyCY14rZ4YZxAyHM=' js.zi-scripts.com www.googletagmanager.com beacon-v2.helpscout.net sa.aurora.dev www.google.com/recaptcha/ www.gstatic.com/recaptcha/; connect-src 'self' graphql.datocms.com analytics.google.com testnet.aurora.dev api.coingecko.com api.llama.fi stats.g.doubleclick.net sa.aurora.dev d3hb14vkzrxvla.cloudfront.net raw.githubusercontent.com/aurora-is-near/bridge-assets/master/ mainnet.aurora.dev mainnet.infura.io https://goerli.infura.io https://mainnet.infura.io beaconapi.helpscout.net region1.analytics.google.com js.zi-scripts.com https://www.google.com/recaptcha/;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

letsencrypt.org sectigo.com globalsign.com

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

1 domain

blog.aurora.dev