SSL Certificate Analysis for coherent.com - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

CN=coherent.com

Issuer

C=US, O=Google Trust Services, CN=WE1

Valid From

December 03, 2025

Valid Until

March 03, 2026 50 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA256

SHA-256 Fingerprint

AA:69:A0:A6:EF:D0:EE:6D:72:C0:32:9C:A0:01:7D:3D:61:01:90:33:98:FB:08:B0:2E:69:C3:92:CA:8B:7F:15

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

Upgrade-Insecure-Requests; default-src; connect-src; +12 more

Upgrade-Insecure-Requests; default-src 'self' https: *.hotjar.com *.hotjar.io; connect-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: https: *.hotjar.com *.hotjar.io wss://*.hotjar.com *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net performance.typekit.net *.osano.com *.drift.com *.driftt.com *.driftcdn.com *.youtube.com *.peopleclick.com *.doubleclick.net *.zoominfo.com *.peopleclick.eu.com *.pardot.com *.twitter.com *.ads-twitter.com *.googletagmanager.com *.googlesyndication.com *.googletagservices.com t.co lltrck.com; worker-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https: *.coherent.com *.google.com *.osano.com t.co lltrck.com; media-src 'self' blob: https: *.coherent.com; img-src 'self' data: https: *.coherent.com *.scene7.com *.ggpht.com *.ytimg.com *.google.com *.example.com *.linkedin.com *.facebook.com *.youtube.com *.google.com *.google-analytics.com *.imgix.net *.doubleclick.net *.pardot.com *.adsymptotic.com t.co; child-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https: *.algolia.net *.algolianet.com *.coherent.com *.peopleclick.com *.peopleclick.eu.com *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net *.hotjar.com *.hotjar.io *.pardot.com *.osano.com *.twitter.com *.ads-twitter.com *.googletagmanager.com *.googlesyndication.com *.googletagservices.com t.co lltrck.com; frame-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https: *.algolia.net *.algolianet.com *.coherent.com *.peopleclick.com *.peopleclick.eu.com *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net *.hotjar.com *.hotjar.io *.pardot.com *.osano.com *.twitter.com *.ads-twitter.com *.googletagmanager.com *.googlesyndication.com *.googletagservices.com t.co lltrck.com; font-src 'self' data: https: *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net *.typekit.com *.hotjar.com *.hotjar.io *.gstatic.com *.google.com *.doubleclick.net *.coherent.com *.google-analytics.com *.pardot.com; object-src 'self' *.bioz.com; script-src 'self' 'report-sample' 'unsafe-eval' 'unsafe-inline' data: blob: https: *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net *.osano.com *.zoominfo.com *.facebook.net *.hotjar.com *.hotjar.io *.facebook.com *.linkedin.com *.searchcdn.com *.addsearch.com *.gstatic.com *.google.com *.googletagmanager.com *.driftt.com geoip-db.com *.wistia.net *.wistia.com *.googleapis.com *.coherent.com *.pardot.com *.google-analytics.com *.msecnd.net *.drift.com *.youtube.com *.licdn.com *.twitter.com *.ads-twitter.com *.googleadservices.com *.doubleclick.net *.peopleclick.com *.peopleclick.eu.com *.adsymptotic.com *.googlesyndication.com *.googletagservices.com t.co lltrck.com; style-src 'self' 'report-sample' 'unsafe-inline' blob: https: *.googleapis.com *.google.com *.google-analytics.com *.cloudfront.net *.addsearch.com *.drift.com *.coherent.com *.pardot.com *.driftt.com *.osano.com *.googletagmanager.com; form-action 'self' https: *.coherent.com *.osano.com *.drift.com *.driftt.com *.driftcdn.com *.youtube.com *.peopleclick.com *.doubleclick.net *.zoominfo.com *.peopleclick.eu.com *.pardot.com *.google-analytics.com *.google.com *.facebook.net; frame-ancestors 'self' blob: https: *.algolia.net *.algolianet.com *.coherent.com *.peopleclick.com *.peopleclick.eu.com *.algolia.net *.algolianet.com *.adobedtm.com *.adobe.com *.day.com *.scene7.com *.demdex.net cm.everesttech.net *.hotjar.com *.hotjar.io *.pardot.com *.osano.com t.co *.twitter.com *.ads-twitter.com *.googletagmanager.com *.googlesyndication.com *.googletagservices.com lltrck.com; base-uri 'self'

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

coherent.com *.coherent.com