SSL Certificate Analysis for d253frdcexiyha.cloudfront.net - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

CN=*.cloudfront.net

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M01

Valid From

May 05, 2025

Valid Until

April 23, 2026 144 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

60:38:9D:24:9E:41:8F:23:AC:D9:14:5C:A3:47:7E:AF:07:DB:9F:2D:6A:8C:0D:08:E9:24:8A:8E:49:A9:4D:28

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.1 TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

Warnings

• TLS 1.1 is deprecated and should be disabled

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=84600; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; style-src; +2 more

default-src 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://app.usercentrics.eu *.cloudfront.net https://messenger.dixa.io https://js-agent.newrelic.com https://widget.reviews.io https://tagalys-assets.s3.ap-southeast-1.amazonaws.com https://www.google.com https://www.paypal.com https://pay.google.com https://cert.tryggehandel.net https://maps.googleapis.com https://cdnjs.cloudflare.com https://static.klaviyo.com https://widget.thuiswinkel.org https://static-tracking.klaviyo.com https://cdn.parcellab.com https://www.youtube.com *.parcellab.com *.tagalys.com *.criteo.com *.criteo.net https://api.braintreegateway.com https://sandbox.braintreegateway.com https://api.sandbox.braintreegateway.com https://braintreegateway.com https://payments.braintree-api.com https://sandbox.braintree-api.com https://songbird.cardinalcommerce.com https://songbirdstag.cardinalcommerce.com https://js.braintreegateway.com https://x.klarnacdn.net https://static-eu.payments-amazon.com https://js.klarna.com https://cdn.tink.de https://cdn.tink.at https://cdn-vattenfall.tink.de https://cdn-deutsche-giganetz.tink.de https://cdn-kpn.tink.nl https://cdn.tink.nl https://cdn.tink.net https://cdn.tink.be https://cdn-plus.tink.de https://d2810q2tlzpt0m.cloudfront.net cdn.builder.io https://widget.thuiswinkel-cdn.org https://*.heyflow.com https://*.heyflow.cloud https://www.googletagmanager.com https://ww1.tink.de https://ww1.tink.at https://ww1.tink.nl https://ww1.tink.be https://vf1.tink.de https://js.appboycdn.com https://s.ytimg.com https://content.zeotap.com https://bat.bing.com https://googleads.g.doubleclick.net https://www.googleadservices.com https://www.gstatic.com https://connect.facebook.net https://*.getsitecontrol.com https://www.dwin1.com https://d.impactradius-event.com https://cdn.taboola.com https://lantern.roeyecdn.com https://code.jquery.com https://s.pinimg.com https://tr.fatmedia.io https://trc.taboola.com https://analytics.tiktok.com https://www.shopperapproved.com https://analytics.fatmedia.io https://www.awin1.com https://static.hotjar.com https://script.hotjar.com https://*.ad-srv.net https://*.adsrvr.org https://*.doubleclick.net https://*.adform.net https://*.adition.com https://*.adfarm.com https://app.varify.io https://origin.acuityplatform.com https://cdn.pdst.fm https://ct.pinterest.com https://redditstatic.com https://www.redditstatic.com https://consent.cookiebot.com https://consentcdn.cookiebot.com https://widget.thuiswinkel.org; style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://messenger.dixa.io https://assets.reviews.io https://static.klaviyo.com https://*.getsitecontrol.com https://cdn.parcellab.com https://static-tracking.klaviyo.com https://api.braintreegateway.com https://sandbox.braintreegateway.com https://api.sandbox.braintreegateway.com https://braintreegateway.com https://payments.braintree-api.com https://sandbox.braintree-api.com https://songbird.cardinalcommerce.com https://songbirdstag.cardinalcommerce.com https://js.braintreegateway.com https://x.klarnacdn.net https://static-eu.payments-amazon.com https://js.klarna.com https://cdn.tink.de https://cdn.tink.at https://cdn-vattenfall.tink.de https://cdn-deutsche-giganetz.tink.de https://cdn-kpn.tink.nl https://cdn.tink.nl https://cdn.tink.net https://cdn.tink.be https://cdn-plus.tink.de https://d2810q2tlzpt0m.cloudfront.net cdn.builder.io https://widget.thuiswinkel-cdn.org https://*.heyflow.com https://*.heyflow.cloud; connect-src *; frame-ancestors 'self' https://builder.io https://*.builder.io

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

no-referrer-when-downgrade

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

cloudfront.net *.cloudfront.net