78/100
SECURITY SCORE
Detected Technologies
Certificate Information
Subject: C=NZ, L=Wellington, O=Xero Limited, CN=www1.xero.com
Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
Valid From: January 29, 2026
Valid Until: November 19, 2026 (198 days)
Public Key: ECDSA, 256 bit (P-256), rated Adequate
Signature Algorithm: ECDSA-SHA384
SHA-256 Fingerprint: 6F:58:27:60:4B:97:98:57:38:50:5B:A3:E7:F6:AF:4D:0F:40:D8:85:76:18:76:A7:D7:E1:E7:39:3F:14:02:2A
Alternative Names
Security Configuration
TLS Protocols: TLS 1.2, TLS 1.3
Forward Secrecy: Supported (Modern clients use PFS)
HTTP Security Headers
Header: Status
Strict-Transport-Security: Missing (Not configured)
X-Frame-Options: Missing (Not configured)
X-Content-Type-Options: Missing (Not configured)
Referrer-Policy: Missing (Not configured)
Permissions-Policy: Missing (Not configured)
Recommendations
- Add Strict-Transport-Security header with max-age of at least 1 year
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records: Not Configured (Any CA can issue certificates)
CAA Issues
- No CAA records configured; any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding an 'iodef' record to receive security incident reports
Subject Alternative Names: 58 domains