82/100 SECURITY SCORE

Certificate Information

Subject
C=US, ST=New York, L=New York, O=S&P Global Inc., CN=www.carfax.ca
Issuer
C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
Valid From
October 30, 2025
Valid Until
October 30, 2026 (212 days)
Public Key
ECDSA 256 bit (P-256), rated Adequate
Signature Algorithm
ECDSA-SHA384
SHA-256 Fingerprint
78:66:21:F4:EB:56:FA:66:28:30:AA:CC:DA:CE:FD:06:3D:FE:10:EF:49:54:AD:DC:54:2C:75:F8:DF:1D:4F:89

Security Configuration

TLS Protocols
TLS 1.2, TLS 1.3
Forward Secrecy
Supported (Modern clients use PFS)

HTTP Security Headers

Strict-Transport-Security: Present (max-age=86400)
Content-Security-Policy: Weak (frame-ancestors)
Content-Security-Policy-Report-Only: Missing (Not configured)
X-Frame-Options: Missing (Not configured)
X-Content-Type-Options: Good (nosniff)
Referrer-Policy: Missing (Not configured)
Permissions-Policy: Missing (Not configured)

Recommendations
  • Increase HSTS max-age to at least 1 year and add includeSubDomains
  • Significantly strengthen CSP directives
  • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
  • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
  • Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records
Not Configured (Any CA can issue certificates)
CAA Issues
  • No CAA records configured - any CA can issue certificates
Recommendations
  • Implement CAA records to restrict which CAs can issue certificates for your domain
  • This adds an extra layer of security against unauthorized certificate issuance
  • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
  • Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

82 domains