SSL Certificate Analysis for expo.io - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

CN=expo.io

Issuer

C=US, O=Google Trust Services, CN=WE1

Valid From

December 16, 2025

Valid Until

March 17, 2026 65 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA256

SHA-256 Fingerprint

C0:0E:08:B2:25:47:C8:E7:48:92:D7:7A:E2:23:8C:1B:55:40:41:6F:B8:4A:F5:44:D9:81:CA:CA:5B:98:35:0E

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

Warnings

• TLS 1.1 is deprecated and should be disabled
• TLS 1.0 is deprecated and should be disabled

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Good

default-src; connect-src; manifest-src; +8 more

default-src 'self' https://static.expo.dev; connect-src 'self' https://api.expo.dev https://static.expo.dev https://job-artifacts.eascdn.net https://job-logs.eascdn.net https://staging-assets.eascdn.net https://assets.eascdn.net https://eas.expo.app https://cdp.expo.dev http://127.0.0.1:* https://qr.expo.dev https://status.expo.dev https://8tdse0ohgq-dsn.algolia.net https://qex7pb7d46-dsn.algolia.net https://sessions.bugsnag.com https://*.g.doubleclick.net https://api.github.com https://google.com https://*.google.com https://*.analytics.google.com https://*.google-analytics.com https://www.googleadservices.com https://*.googleapis.com https://pagead2.googlesyndication.com https://*.googletagmanager.com https://react-tweet.vercel.app https://reactnative.directory https://api.rudderstack.com https://9r24npb8.api.sanity.io https://9r24npb8.apicdn.sanity.io https://sentry.io https://o30871.ingest.sentry.io https://api.stripe.com https://api.logrocket.com https://*.typeform.com https://*.hubapi.com https://*.hubspot.com https://*.hs-banner.com https://*.hscollectedforms.net https://*.hsforms.com https://px.ads.linkedin.com https://www.redditstatic.com https://pixel-config.reddit.com https://alb.reddit.com https://*.crazyegg.com https://*.kapa.ai https://*.vexo.co; manifest-src 'self'; font-src 'self' data: https://static.expo.dev https://cdnjs.cloudflare.com https://fonts.gstatic.com; frame-src https://*.datadoghq.com https://td.doubleclick.net https://www.google.com https://www.googletagmanager.com https://www.recaptcha.net https://*.js.stripe.com https://js.stripe.com https://hooks.stripe.com https://*.youtube.com https://embed.bsky.app https://*.logrocket.com https://*.typeform.com https://*.hubspot.com https://*.hs-sites.com https://*.hubspot.net https://*.hsforms.net https://*.hsforms.com https://*.vexo.co; img-src 'self' https: data: blob:; media-src 'self' https: data: blob:; script-src 'self' 'unsafe-inline' https://static.expo.dev https://d2wy8f7a9ursnm.cloudfront.net https://googleads.g.doubleclick.net https://tagmanager.google.com https://www.google.com https://www.googleadservices.com https://maps.googleapis.com https://pagead2.googlesyndication.com https://*.googletagmanager.com https://www.gstatic.cn https://www.gstatic.com https://cdn.rudderlabs.com https://js.stripe.com https://*.js.stripe.com https://www.youtube.com https://embed.bsky.app https://*.typeform.com https://*.hs-scripts.com https://*.hsadspixel.net https://*.hscollectedforms.net https://*.hs-analytics.net https://*.hs-banner.com https://*.hsforms.net https://*.hsforms.com https://*.hsleadflows.net https://snap.licdn.com https://www.redditstatic.com https://pixel-config.reddit.com https://*.crazyegg.com https://*.kapa.ai; style-src 'self' 'unsafe-inline' https:; frame-ancestors 'self'; report-to expo

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Strengthen CSP by removing 'unsafe-eval'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

expo.io *.expo.io