SSL Certificate Analysis for ec2-52-31-221-69.eu-west-1.compute.amazonaws.com - Security Grade & TLS Configuration

SSL Verification Bypassed

The server's SSL certificate could not be verified. The analysis was completed using insecure mode. Data may be less reliable.

Reason:

Hostname Mismatch - certificate is issued for onrech.at, ontimo.gr, bestinvoicing.co.uk, onfakt.no, *.onfatt.it, onfakt.fi, *.ontimo.gr, *.onfakt.no, *.onfatt.mt, not for ec2-52-31-221-69.eu-west-1.compute.amazonaws.com

Open Cached · just now

70/100 SECURITY SCORE

Certificate Information

Subject

CN=onrech.at

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M04

Valid From

August 31, 2025

Valid Until

September 29, 2026 303 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

4E:69:E0:AB:CE:8D:B2:67:E2:2D:6E:83:1D:66:FB:00:CF:E2:0C:D0:D2:17:CE:DB:3C:9C:59:FA:EA:E9:42:3A

Alternative Names

82 domains

Security Configuration

TLS Protocols

TLS 1.0 TLS 1.1 TLS 1.2

Forward Secrecy

Limited (Check cipher configuration)

Warnings

• TLS 1.3 is not supported (recommended)
• TLS 1.1 is deprecated and should be disabled
• TLS 1.0 is deprecated and should be disabled

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=16070400

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

82 domains

bestinvoicing.co.uk *.bestinvoicing.co.uk

bestinvoicing.com *.bestinvoicing.com

bestinvoicing.mt *.bestinvoicing.mt

enfact.be *.enfact.be

enfact.ch *.enfact.ch

enfact.fr *.enfact.fr

enfact.lu *.enfact.lu

infakt.lt *.infakt.lt

nafakt.hr *.nafakt.hr

nazara.si *.nazara.si

onarvel.ee *.onarvel.ee

onfact.be *.onfact.be

onfact.es *.onfact.es

onfact.eu *.onfact.eu

onfact.nl *.onfact.nl

onfact.ro *.onfact.ro

onfactur.pl *.onfactur.pl

onfakt.bg *.onfakt.bg

onfakt.cz *.onfakt.cz

onfakt.dk *.onfakt.dk

onfakt.fi *.onfakt.fi

onfakt.no *.onfakt.no

onfakt.se *.onfakt.se

onfakt.sk *.onfakt.sk

onfat.cy *.onfat.cy

onfat.pl *.onfat.pl

onfat.pt *.onfat.pt

onfatt.ch *.onfatt.ch

onfatt.it *.onfatt.it

onfatt.mt *.onfatt.mt

onlask.fi *.onlask.fi

onrech.at *.onrech.at

onrech.be *.onrech.be

onrech.ch *.onrech.ch

onrech.de *.onrech.de

onrech.it *.onrech.it

onrech.lu *.onrech.lu

onreik.is *.onreik.is

ontimo.cy *.ontimo.cy

ontimo.gr *.ontimo.gr

onzsam.hu *.onzsam.hu