Open
Cached
·
5h ago
90/100
SECURITY SCORE
Certificate Information
Subject
CN=docs.pastpay.com
Issuer
C=US, O=Let's Encrypt, CN=R12
Valid From
December 27, 2025
Valid Until
March 27, 2026
86 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
F8:BD:F3:A6:E4:42:5B:ED:D5:C2:46:F3:4D:52:44:41:C1:2C:9D:D6:06:57:A6:A1:4A:6C:BA:39:83:93:B0:C7
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=63072000; includeSubDomains; preload
Content-Security-Policy
Basic
base-uri; child-src; connect-src; +12 more
base-uri 'none';child-src 'self' * blob:;connect-src 'self' https://cdn.coda.io wss://coda.io https://auth.grammarly.com wss://capi-local.grammarly.com/freews wss://capi.grammarly.com/freews https://f-log-ai-editor.grammarly.io https://ai-editor.femetrics.grammarly.io https://treatment.grammarly.com https://gates.grammarly.com https://gr-core-prod-assistant-file.s3.amazonaws.com/ https://goldengate.grammarly.com https://subscription.grammarly.com https://d1m7gvwd59hen3.cloudfront.net https://superhuman.framer.website https://superhuman.com https://coda.io wss://*.intercom.io https://coda-us-west-2-prod-blobs-upload.s3-accelerate.amazonaws.com https://coda-us-west-2-prod-packs-upload.s3-accelerate.amazonaws.com https://coda-us-west-2-prod-packs.s3.us-west-2.amazonaws.com https://codahosted.io https://codacontent.io https://coda.io https://*.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://sdk.iad-05.braze.com https://app.getsentry.com https://iframe.ly https://cdn.iframe.ly https://baconipsum.com https://api.trello.com https://api.stripe.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.google.com/ccm/collect https://*.g.doubleclick.net https://*.google.com https://www.google.com/pagead/landing https://www.facebook.com https://*.marketo.com https://*.mktoresp.com https://*.mktoutil.com https://*.mutinycdn.com https://*.mutinyhq.com https://*.mutinyhq.io https://cdn.cookielaw.org https://*.onetrust.com https://us-central1-adaptive-growth.cloudfunctions.net https://sink.pdst.fm https://grsm.io https://partnerlinks.io https://pixel.pvd.to https://tracker.pixeltracker.co https://pixelconnector.pixeltracker.co https://login.microsoftonline.com https://graph.microsoft.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://*.api.sanity.io https://*.apicdn.sanity.io https://statsig.coda.io https://statsigapi.net https://app.clearbit.com https://cdn.linkedin.oribi.io https://snap.licdn.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://p.adsymptotic.com https://gw.linkedin.oribi.io https://dc.ads.linkedin.com https://sjs.bizographics.com https://api.sprig.com https://cdn.sprig.com https://pixels.spotify.com/v1/ingest https://api.cr-relay.com/ https://api.palette.dev https://*.forethought.ai https://coda-migrations.femetrics.grammarly.io https://in.grammarly.com https://gateway.grammarly.com ;default-src 'self' https://cdn.coda.io https://codacontent.io https://coda-us-west-2-prod-blobs.s3.us-west-2.amazonaws.com https://coda.io;font-src data: https://cdn.coda.io https://js.intercomcdn.com https://fonts.intercomcdn.com https://fonts.gstatic.com https://fonts.googleapis.com https://use.typekit.net https://static-web.grammarly.com;form-action 'self' https://api-iam.intercom.io https://intercom.help *.coda.io;frame-ancestors *.intercom-sheets.com teams.microsoft.com chrome-extension://ocjjmmnhefcaopncklmdodfglamkeign chrome-extension://pbdpddefpmdbfdgkaknnmimgjmjoefmj chrome-extension://cdgkmagmdldlpiglliebaajdpdkigcbi chrome-extension://dipjbaeecehmimeelgehcodalckeklid chrome-extension://clppjidbanhondokgacbbbhdnihejpad *.sanity.studio ;frame-src *;img-src * blob: data:;media-src 'self' https://codahosted.io https://cdn.coda.io https://js.intercomcdn.com https://cdn.sanity.io;object-src 'none';report-uri /csp-violation;script-src 'unsafe-inline' 'unsafe-eval' https: https://*.mutinycdn.com https://*.googletagmanager.com https://cdn.cr-relay.com/ https://*.forethought.ai;style-src 'self' 'unsafe-inline' blob: https://accounts.google.com https://cdn.coda.io https://fonts.googleapis.com https://use.typekit.net https://p.typekit.net https://*.mktoweb.com;worker-src 'self' blob:
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Present
fullscreen=*, autoplay=(self), geolocation=*
Recommendations
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- • No CAA records configured - any CA can issue certificates
Recommendations
- • Implement CAA records to restrict which CAs can issue certificates for your domain
- • This adds an extra layer of security against unauthorized certificate issuance
- • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- • Consider adding 'iodef' record to receive security incident reports