Security Score: 83/100
Certificate Information
Subject: CN=courier.com
Issuer: C=US, O=Let's Encrypt, CN=R12
Valid From: January 03, 2026
Valid Until: April 03, 2026 (68 days remaining)
Public Key: RSA, 2048 bit (Adequate)
Signature Algorithm: SHA256-RSA
SHA-256 Fingerprint: 5A:F9:D2:BA:05:ED:EE:FD:90:C9:EA:75:EB:FE:94:E7:31:B5:06:76:79:4F:AD:F0:E5:9E:F7:6A:A4:32:6D:04
Alternative Names:
Security Configuration
TLS Protocols: TLS 1.2, TLS 1.3
Forward Secrecy: Supported (modern clients use PFS)
HTTP Security Headers (header: status, value)
Strict-Transport-Security: Present, max-age=31536000
Content-Security-Policy: Basic, base-uri; connect-src; default-src; +13 more
Full policy as served: base-uri 'self'; connect-src 'self' 'strict-dynamic' inbox.courier.com wss://realtime.courier.io static.hsappstatic.net 9xgnrndqve.execute-api.us-west-2.amazonaws.com https://9xgnrndqve.execute-api.us-west-2.amazonaws.com https://pro.ip-api.com https://alocdn.com/c/vn3d8u2u/a/xtarget/p.json https://*.liadm.com https://a.usbrowserspeed.com ka-p.fontawesome.com *.framer.com framerusercontent.com api.segment.io cdn.segment.com api-iam.intercom.io forms.hubspot.com api-na2.hubapi.com *.google-analytics.com wss://nexus-websocket-a.intercom.io api.hubapi.com *.google.com stats.g.doubleclick.net api.hsforms.com vitals.vercel-insights.com cdn.linkedin.oribi.io vercel.live *.google-analytics.com analytics.google.com pagead2.googlesyndication.com status.courier.com px.ads.linkedin.com api.mintlifytrieve.com leaves.mintlify.com; default-src 'self' strict-dynamic https://*.liadm.com; font-src 'self' 'unsafe-inline' data: *; form-action calendly.com; frame-ancestors 'self'; frame-src edit.framer.com *.youtube.com *.googletagmanager.com intercom-sheets.com bid.g.doubleclick.net *.loom.com play.hubspotvideo.com vercel.live td.doubleclick.net; img-src 'self' 'unsafe-inline' data: *; manifest-src 'self'; media-src 'self' js.intercomcdn.com; object-src 'none'; script-src 'self' 'unsafe-inline' widget.intercom.io *.google-analytics.com *.googletagmanager.com cdn.segment.com js.hs-analytics.net js-na2.hs-analytics.net js-na2.hs-scripts.com js-na2.hs-banner.com js-na2.hsadspixel.net js.hscollectedforms.net js.intercomcdn.com *.google.com *.googleadservices.com googleads.g.doubleclick.net stats.g.doubleclick.net js.hsleadflows.net vitals.vercel-insights.com *.hsappstatic.net *.cloudfront.net *.cloudflareinsights.com https://ddwl4m2hdecbv.cloudfront.net/b/ https://b-code.liadm.com/lc2.js https://rp.liadm.com idx.liadm.com 'unsafe-eval'; script-src-elem 'self' 'unsafe-inline' s3-us-west-2.amazonaws.com kit.fontawesome.com patches.ahrefs.com framer.com *.framer.com framerusercontent.com fdr-prod-docs-files-public.s3.amazonaws.com widget.intercom.io *.google-analytics.com *.googletagmanager.com cdn.segment.com js.hs-analytics.net js-na2.hs-analytics.net js-na2.hs-scripts.com js-na2.hs-banner.com js-na2.hsadspixel.net js.hscollectedforms.net js.intercomcdn.com *.google.com *.googleadservices.com googleads.g.doubleclick.net stats.g.doubleclick.net js.hsleadflows.net vitals.vercel-insights.com *.googleoptimize.com vercel.live js.hs-scripts.com *.hsappstatic.net *.cloudfront.net *.cloudflareinsights.com https://ddwl4m2hdecbv.cloudfront.net/b/ https://b-code.liadm.com/lc2.js https://rp.liadm.com idx.liadm.com; style-src 'self' 'unsafe-inline' *; style-src-elem 'self' 'unsafe-inline' *; worker-src 'self' blob:
X-Frame-Options: Missing, not configured
X-Content-Type-Options: Good, nosniff
Referrer-Policy: Missing, not configured
Permissions-Policy: Missing, not configured
Recommendations
- Increase HSTS max-age to at least 1 year and add includeSubDomains
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records: Not configured (any CA can issue certificates)
CAA Issues
- No CAA records configured; any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: add the CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding an 'iodef' record to receive security incident reports