SSL Certificate Analysis for go.maxar.com - Security Grade & TLS Configuration

Open Cached · just now

92/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=Colorado, L=westminster, O=Maxar Technologies Inc, CN=blog.maxar.com

Issuer

C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

Valid From

October 10, 2025

Valid Until

October 09, 2026 256 days

Public Key

RSA 4096 bit Strong

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

0A:7C:8C:18:D4:70:5E:20:D9:2B:60:A0:83:24:10:CD:BD:E8:01:41:F4:79:EE:0D:EB:D2:47:EA:EE:52:1D:63

Alternative Names

11 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

default-src; script-src; script-src-elem; +10 more

default-src 'self'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://*.wistia.com https://*.vantor.com https://*.sanity.io https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googlesyndication.com https://*.googleadservices.com https://www.googleadservices.com https://*.doubleclick.net https://googleads.g.doubleclick.net https://*.youtube.com https://*.ytimg.com https://*.demandbase.com https://*.company-target.com https://*.licdn.com https://*.linkedin.com https://www.google.com; script-src-elem 'self' 'unsafe-inline' https://*.wistia.com https://*.vantor.com https://*.sanity.io https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googlesyndication.com https://*.googleadservices.com https://www.googleadservices.com https://*.doubleclick.net https://googleads.g.doubleclick.net https://*.youtube.com https://*.ytimg.com https://*.demandbase.com https://*.company-target.com https://*.licdn.com https://*.linkedin.com https://www.google.com; script-src-attr 'unsafe-inline'; worker-src 'self' blob:; frame-src 'self' https://*.wistia.net https://*.sanity.io https://*.wistia.com https://*.googletagmanager.com https://*.googlesyndication.com https://*.googleadservices.com https://www.googleadservices.com https://*.doubleclick.net https://googleads.g.doubleclick.net https://*.youtube.com https://*.youtube-nocookie.com https://*.company-target.com https://*.linkedin.com https://www.google.com; frame-ancestors 'self' https://*.sanity.io https://vantor-cms.netlify.app; connect-src 'self' https://*.netlify.app https://*.sanity.io https://*.sanity-cdn.com https://sanity-cdn.com https://*.vantor.com https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googlesyndication.com https://*.googleadservices.com https://www.googleadservices.com https://*.doubleclick.net https://googleads.g.doubleclick.net https://*.wistia.com https://fast.wistia.com https://ava0h2e5.apicdn.sanity.io https://*.demandbase.com https://*.company-target.com https://*.licdn.com https://*.linkedin.com https://px.ads.linkedin.com https://www.google.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' 'unsafe-hashes' https://fonts.googleapis.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com; img-src 'self' https://*.sanity.io https://*.netlify.app https://cdn.sanity.io https://*.s3.amazonaws.com https://*.googlesyndication.com https://*.googleadservices.com https://www.googleadservices.com https://*.doubleclick.net https://googleads.g.doubleclick.net https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.linkedin.com https://*.licdn.com https://www.google.com data: https:; media-src 'self' https://*.sanity.io https://*.netlify.app https://cdn.sanity.io https:; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data: https:;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

geolocation=(), microphone=(), camera=(), usb=(), payment=(), fullscreen=(self)

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

11 domains

maxar.com blog.maxar.com brand.maxar.com combinedofferings.maxar.com engagesmarttalks.maxar.com go.maxar.com microsites.maxar.com resources.maxar.com signature.maxar.com www.maxar.com

Other domains in certificate

theglobein3d.com