Security Score: 80/100
Certificate Information
Subject: CN=hig-ins.co
Issuer: C=US, O=Let's Encrypt, CN=R12
Valid From: November 28, 2025
Valid Until: February 26, 2026 (82 days)
Public Key: RSA 2048 bit (Adequate)
Signature Algorithm: SHA256-RSA
SHA-256 Fingerprint: 6D:3F:37:12:9A:53:85:4E:D7:D6:C4:F5:BB:70:30:A5:C5:44:FF:84:79:55:1F:40:32:B9:C7:6A:66:93:47:D6
Alternative Names:
Security Configuration
TLS Protocols: TLS 1.2, TLS 1.3
Forward Secrecy: Supported (Modern clients use PFS)
HTTP Security Headers (header: status, observed value)
Strict-Transport-Security: Weak
  max-age=0; includeSubDomains
Content-Security-Policy: Basic (default-src; font-src; frame-ancestors; +6 more)
  default-src 'self' *.thehartford.com *.hfdstatic.com aa.agkn.com report.thehartford.gbqofs.io cdn.gbqofs.com console.thehartford.glassboxdigital.io *.crazyegg.com blob:; font-src 'self' data: *.thehartford.com *.hfdstatic.com fonts.gstatic.com *.kampyle.com dnsl4xr6unrmf.cloudfront.net; frame-ancestors 'self' *.thehartford.com www.slipcase.com marketplace.marsh.com *.optimizely.com; frame-src 'self' *.optimizely.com *.thehartford.com *.kampyle.com cl.exct.net www.youtube.com pub.s1.exacttarget.com *.doubleclick.net hosted.where2getit.com uk132.infusionsoft.com *.tealiumiq.com connect.facebook.net *.akamaihd.net pinecast.com storage.pinecast.net insight.adsrvr.org match.adsrvr.org mc3jl4gfl2432w-98y2stw11txh8.pub.sfmc-content.com www.google.com *.qualtrics.com agents.floodsmart.gov pixel.sitescout.com pixel-sync.sitescout.com attribution.sitescout.com up.pixel.ad cdn01.basis.net www.googletagmanager.com https://a16909830060.cdn.optimizely.com https://a16909830060.cdn-pci.optimizely.com *.crazyegg.com; connect-src 'self' *.tealiumiq.com *.thehartford.com *.kampyle.com *.powerreviews.com rules.atgsvcs.com www.google-analytics.com *.doubleclick.net img.c3tag.com www.googletagmanager.com ampcid.google.com s.srvsynd.com api.genesyscloud.com 530-ct.c3tag.com *.akamaihd.net *.optimizely.com www.google.com analytics.google.com region1.google-analytics.com region1.analytics.google.com *.qualtrics.com acdn.adnxs.com d2hrivdxn8ekm8.cloudfront.net d1lu3pmaz2ilpx.cloudfront.net dvqigh9b7wa32.cloudfront.net d330aiyvva2oww.cloudfront.net *.cookielaw.org *.cookiepro.com *.onetrust.com report.thehartford.gbqofs.io cdn.gbqofs.com console.thehartford.glassboxdigital.io *.hfdstatic.com hartfordinsurancegroup.pxf.io services-api.wyng.com content-api.wyng.com experiences.wyng.com wyng.io facebook.com obs.seroundprince.com d.agkn.com *.crazyegg.com www.googleadservices.com; img-src 'self' data: *.thehartford.com *.optimizely.com *.hfdstatic.com *.kampyle.com *.powerreviews.com ecf.d41.co aa.agkn.com so.rlcdn.com http://image.insurance.thehartford.com res.cloudinary.com aa.agkn.com *.tealiumiq.com da.usaa.com uk132.infusionsoft.com hits.convergetrack.com www.google-analytics.com *.doubleclick.net www.google.com www.facebook.com secure.adnxs.com www.googletagmanager.com sp.analytics.yahoo.com bat.bing.com analytics.convertlanguage.com *.akamaihd.net thumb.service.pinecast.com px.ads.linkedin.com insight.adsrvr.org px.ads.linkedin.com p.adsymptotic.com www.linkedin.com cookie.havasedge.com event.havasedge.com tag.havasedge.com cx.atdmt.com match.sharethrough.com gw.helixbi.io api.securedvisit.com track.securedvisit.com content.securedvisit.com images.securedvisit.com track.sv.rkdms.com www.gstatic.com region1.google-analytics.com region1.analytics.google.com data.adxcel-ec2.com match.adsrvr.org *.qualtrics.com ib.adnxs.com *.cookielaw.org *.onetrust.com https://logs-01.loggly.com https://www.ojrq.net https://utt.impactcdn.com https://pubads.g.doubleclick.net hartfordinsurancegroup.pxf.io cdn.wyng.com dnsl4xr6unrmf.cloudfront.net pixel.sitescout.com ad.doubleclick.net pixel.sitescout.com pixel-sync.sitescout.com attribution.sitescout.com up.pixel.ad cdn01.basis.net obs.seroundprince.com d.agkn.com arttrk.com alb.reddit.com pixel-config.reddit.com *.quora.com *.crazyegg.com user-images.crazyeggcdn.com; style-src 'self' *.thehartford.com *.hfdstatic.com *.kampyle.com *.powerreviews.com fonts.googleapis.com *.custhelp.com *.akamaihd.net 'unsafe-inline' www.gstatic.com *.cookielaw.org *.cookiepro.com *.onetrust.com agents.floodsmart.gov *.crazyegg.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tealiumiq.com *.optimizely.com *.thehartford.com *.hfdstatic.com *.kampyle.com *.powerreviews.com vsvipmw01.rightnowtech.com *.custhelp.com rules.atgsvcs.com www.linkedin.com *.doubleclick.net *.akamaihd.net secure.adnxs.com insight.adsrvr.org data.adxcel-ec2.com aa.agkn.com aa.agkn.com sp.analytics.yahoo.com static.atgsvcs.com beacon.krxd.net bat.bing.com sjs.bizographics.com 530-ct.c3tag.com hits.convergetrack.com s.delvenetworks.com as00.estara.com conv-tm.everesttech.net www.facebook.com connect.facebook.net adservice.google.com www.google.com www.googleadservices.com www.google-analytics.com www.googletagmanager.com mpsnare.iesnare.com uk132.infusionsoft.com solutions.invocacdn.com secure.leadforensics.com px.ads.linkedin.com www.livelook.com cdn.mouseflow.com mpp.mxptint.net onlinebusinessservicsc60333118us1.cobrowse.oraclecloud.com public.cobrowse.oraclecloud.com pixelg.adswizz.com www.rackcdn.com bcvipmw11.rightnowtech.com www.rnengage.com s.srvsynd.com trc.taboola.com tags.tiqcdn.com www.youtube.com i.ytimg.com i9.ytimg.com s.ytimg.com adadvisor.net cdn.ampproject.org analytics.convertlanguage.com so.rlcdn.com ecf.d41.co cdn.embed.ly js.adsrvr.org cdn-assets-prod.s3.amazonaws.com optimizely.s3.amazonaws.com cdn.invoca.solutions pnapi0.invoca.net sdk.helixbi.io snap.licdn.com pnapi.invoca.net api.securedvisit.com track.securedvisit.com content.securedvisit.com images.securedvisit.com track.sv.rkdms.com www.gstatic.com acdn.adnxs.com d2hrivdxn8ekm8.cloudfront.net d1lu3pmaz2ilpx.cloudfront.net dvqigh9b7wa32.cloudfront.net d330aiyvva2oww.cloudfront.net *.qualtrics.com *.cookielaw.org *.cookiepro.com *.onetrust.com report.thehartford.gbqofs.io cdn.gbqofs.com console.thehartford.glassboxdigital.io https://logs-01.loggly.com https://www.ojrq.net https://utt.impactcdn.com https://pubads.g.doubleclick.net hartfordinsurancegroup.pxf.io dnsl4xr6unrmf.cloudfront.net cdnjs.cloudflare.com code.jquery.com pixel.sitescout.com pixel-sync.sitescout.com attribution.sitescout.com up.pixel.ad cdn01.basis.net ob.seroundprince.com obs.seroundprince.com www.redditstatic.com *.quora.com *.crazyegg.com blob:; media-src storage.pinecast.net pinecast.com;
X-Frame-Options: Missing (Not configured)
X-Content-Type-Options: Missing (Not configured)
Referrer-Policy: Missing (Not configured)
Permissions-Policy: Missing (Not configured)
Recommendations
- Increase HSTS max-age to at least 1 year and add includeSubDomains
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records: Not Configured (Any CA can issue certificates)
CAA Issues
- No CAA records configured - any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding 'iodef' record to receive security incident reports