SSL Verification Bypassed
The server's SSL certificate could not be verified, so the analysis was completed in insecure mode (certificate validation disabled). Results that depend on a verified connection may be less reliable.
Reason:
Hostname mismatch: the certificate is issued for auctane.com, *.shipengine.com, auctane.dev, shipworks.com, *.auctane.com, shipengine.com, *.shipstation.com, shipstation.com and *.shipworks.com, not for the scanned name ec2-52-0-87-7.compute-1.amazonaws.com. The target was reached by its generic EC2 public DNS name rather than by one of the names in the certificate, so a TLS client connecting that way will always fail hostname verification; this says nothing about whether the certificate is correct for the site's real hostnames.
89/100
SECURITY SCORE
Certificate Information
Subject
CN=auctane.com
Issuer
C=US, O=Amazon, CN=Amazon RSA 2048 M02
Valid From
February 27, 2025
Valid Until
March 29, 2026
121 days remaining at scan time
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
E9:1F:9C:A5:06:99:9A:F2:8A:D8:BE:1D:30:98:43:D2:2C:3B:E4:A4:C9:42:74:9D:E0:66:3E:7A:0F:95:30:C7
Alternative Names
auctane.com, *.shipengine.com, auctane.dev, shipworks.com, *.auctane.com, shipengine.com, *.shipstation.com, shipstation.com, *.shipworks.com
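The hostname mismatch at the top of the report comes from the SAN matching rules every TLS client applies. The following is an added example (not part of the scanner or of the scanned site) that reproduces those RFC 6125 rules over the SAN list printed in the report: labels compare case-insensitively, a wildcard is allowed only as the whole left-most label, and a wildcard matches exactly one label. IP-address SANs and internationalised names are out of scope here.

```python
# Added example; not part of the scanner's output. Checks a hostname against a
# certificate's subject alternative names the way TLS clients do (RFC 6125):
# case-insensitive label comparison, a wildcard only as the whole left-most
# label, and a wildcard matching exactly one label.

# SAN list copied from the report's certificate.
SAN_LIST = [
    "auctane.com", "*.shipengine.com", "auctane.dev", "shipworks.com",
    "*.auctane.com", "shipengine.com", "*.shipstation.com", "shipstation.com",
    "*.shipworks.com",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN `pattern` covers `hostname` under RFC 6125 rules."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False            # a wildcard never spans more than one label
    if any("*" in label for label in p_labels[1:]):
        return False            # wildcard allowed only in the left-most label
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False        # no partial wildcards (f*o.example) and no *.com
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def matching_san(hostname: str, sans=SAN_LIST):
    """Return the first SAN that covers `hostname`, or None (verification fails)."""
    for san in sans:
        if name_matches(san, hostname):
            return san
    return None


def explain(hostname: str, sans=SAN_LIST) -> str:
    """One-line verdict for a hostname, in the wording a scanner would print."""
    san = matching_san(hostname, sans)
    if san is None:
        return f"{hostname}: no SAN matches -> hostname mismatch, verification fails"
    return f"{hostname}: covered by SAN {san}"


if __name__ == "__main__":
    for host in ("ec2-52-0-87-7.compute-1.amazonaws.com", "ship.shipengine.com",
                 "shipstation.com", "a.b.shipstation.com"):
        print(explain(host))
```

Note the fourth case: a.b.shipstation.com is not covered by *.shipstation.com, because the wildcard matches a single label. Multi-level subdomains need their own SAN or a nested wildcard.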
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=31536000; includeSubDomains; preload
Content-Security-Policy
Basic
default-src 'self'; font-src 'self' https: data: *.zopim.com static.zdassets.com; connect-src 'self' *.zendesk.com shipstation.zendesk.com wss://shipstation.zendesk.com wss://*.zendesk.com *.zdassets.com *.zopim.com wss://*.zopim.com *.zopim.io *.sentry.io bam.nr-data.net api.segment.io api.segment.com track.segment.com cdn.segment.com https://*.launchdarkly.com https://cdn.packlink.com https://api.ipify.org *.smooch.io *.hotjar.com *.hotjar.io wss://*.hotjar.com *.shipengine.com *.adyen.com https://data.pendo.io *.storage.googleapis.com https://app.pendo.io; media-src 'self' *.zdassets.com *.smooch.io; child-src 'self'; object-src 'none'; frame-src https://*; img-src 'self' data: *.zendesk.com *.zdassets.com *.zopim.io *.zopim.com *.zdusercontent.com *.shipstation.com ipaas-images.ssdevlocal.com ipaas-images-stage.sslocal.com *.amazonaws.com/images.shipstation.com/ File *.smooch.io *.gravatar.com https://cdn.packlink.com *.adyen.com https://data.pendo.io https://app.pendo.io *.storage.googleapis.com; style-src 'self' https: 'unsafe-inline' *.zdassets.com; script-src 'self' 'unsafe-eval' *.zendesk.com https://shipstation.zendesk.com https://static.zdassets.com https://widget-mediator.zopim.com https://v2.zopim.com https://theme.zdassets.com https://js-agent.newrelic.com https://bam.nr-data.net https://cdn.segment.com https://cdn.smooch.io *.hotjar.com 'sha256-g3aKdR2LcYg5AWCl5759RTfLd020MmaGry6zfxSfBoY=' *.iesnare.com https://cdn.pendo.io https://app.pendo.io https://data.pendo.io *.storage.googleapis.com 'sha256-cwqtRr3vzdOfGQi1cX9KuFdGi0W++uozCvAdO9TymDA='; frame-ancestors 'none'
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
no-referrer
Permissions-Policy
Missing
Not configured
Recommendations
- Tighten the CSP. As published, style-src allows 'unsafe-inline' and any https: origin, script-src allows 'unsafe-eval', and frame-src https://* lets any HTTPS origin be embedded; base-uri and form-action are not set at all. Replace 'unsafe-inline' with hashes or nonces (script-src already carries sha256 hashes, so the same approach works for styles), drop 'unsafe-eval' where the code permits, restrict frame-src to the origins actually embedded, and add base-uri 'self' and form-action 'self'.
- X-Frame-Options is missing, but the CSP already sets frame-ancestors 'none', which is what current browsers enforce against clickjacking and which takes precedence over X-Frame-Options where both are present. Add X-Frame-Options: DENY only as a fallback for clients that do not support frame-ancestors.
- Add a Permissions-Policy header to disable browser features the application does not use (camera, microphone, geolocation and similar).
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- No CAA records found: any publicly trusted CA may issue certificates for the name that was queried. If, as the report header suggests, the lookup was made for the scanned EC2 name rather than for the domains in the certificate, this result says nothing about whether auctane.com and the other names in the certificate publish CAA records; check those zones directly.
Recommendations
- Publish CAA records for the domains you actually obtain certificates for, naming the CA(s) you use. The certificate above is issued by Amazon, so a record that names only letsencrypt.org (the scanner's generic example) would block that certificate's renewal; use the CAA identifier your CA documents.
- Example of the record syntax, with a CA of your choosing: example.com. CAA 0 issue "letsencrypt.org"
- The certificate above contains wildcard names, so also decide on an issuewild record; issuewild ";" forbids wildcard issuance entirely.
- Add an iodef record (a mailto: or https: URL) so a CA that refuses a request because of CAA can report it to you.
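How a CA actually evaluates CAA is easy to get wrong (the record on the closest ancestor wins, issuewild only applies when present, an empty issuer value forbids everyone). The following is an added example, not the scanner's code and not the scanned site's DNS: it models a zone as a plain dictionary (constructed sample data, offline) and implements the RFC 8659 lookup and decision logic, plus a renderer that prints the records in the zone-file form shown in the recommendation above. The issuer value amazon.com is used because the report's certificate is issued by Amazon; confirm the exact identifier strings against your CA's own documentation before publishing.

```python
# Added example; not part of the scanner's output. Models CAA records in a
# constructed zone (a dict, not live DNS) and applies the RFC 8659 rules a CA
# follows: climb from the requested name toward the root until a name with CAA
# records is found, then decide from that set alone.

# Constructed sample zone. Values are (flags, tag, value). "amazon.com" is an
# assumed issuer identifier; check your CA's documentation for the real one.
ZONE = {
    "example.com": [
        (0, "issue", "amazon.com"),
        (0, "issuewild", ";"),                       # no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        (0, "issue", "letsencrypt.org"),             # overrides the parent's set
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str, zone=ZONE):
    """Return (owner name, records) of the closest CAA set on or above `name`."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def ca_may_issue(name: str, ca_domain: str, zone=ZONE) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, records = relevant_caa_set(base, zone)
    if not records:
        return True                        # no CAA anywhere in the chain: unrestricted
    # A critical flag (128) on a tag the CA does not understand means "do not issue".
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"                  # issuewild only applies when present
    # Strip parameters ("ca.example; account=123") and normalise case.
    issuers = [v.split(";")[0].strip().lower() for _, t, v in records if t == tag]
    if not issuers:
        return True                        # CAA set exists but does not restrict this tag
    return ca_domain.lower() in issuers    # ";" yields "", which matches no CA


def zone_file_lines(name: str, zone=ZONE) -> list:
    """Render a name's CAA records in the zone-file form you would publish."""
    return [f'{name}. CAA {flags} {tag} "{value}"'
            for flags, tag, value in zone.get(name, [])]


if __name__ == "__main__":
    print("\n".join(zone_file_lines("example.com")))
    for target, ca in (("www.example.com", "amazon.com"),
                       ("www.example.com", "letsencrypt.org"),
                       ("*.example.com", "amazon.com"),
                       ("legacy.example.com", "amazon.com"),
                       ("unrelated.test", "anyca.example")):
        print(f"{ca} may issue for {target}: {ca_may_issue(target, ca)}")
```

The legacy.example.com case is the one that surprises people: a CAA set on a subdomain completely replaces the parent's, so a stale record left on one host can silently re-open issuance to a CA the parent zone no longer allows.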