Open
Cached
·
just now
95/100
SECURITY SCORE
Certificate Information
Subject
CN=paddle.com
Issuer
C=US, O=Google Trust Services, CN=WE1
Valid From
November 29, 2025
Valid Until
February 27, 2026
39 days
Public Key
ECDSA
256 bit
(P-256)
Adequate
Signature Algorithm
ECDSA-SHA256
SHA-256 Fingerprint
2E:C9:9A:4B:D4:63:8A:30:86:3A:FE:F9:45:40:0A:3F:F8:F1:32:C1:49:A5:DD:22:39:10:B7:B1:53:C9:59:85
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=31536000; includeSubDomains; preload
Content-Security-Policy
Good
default-src; script-src; style-src; +9 more
default-src 'self'; script-src 'self' 'sha256-SiobGnchxi4uR4htKS7OfhQk4T+ol0ncDKl2ul8XUqs=' 'sha256-cQ83S6C95jffZ84aI+sTirQGLC7TBUWZsN4cIIoZrBc=' challenges.cloudflare.com *.googletagmanager.com www.googleadservices.com www.google.com pagead2.googlesyndication.com googleads.g.doubleclick.net *.hs-scripts.com *.hs-analytics.net js.hs-banner.com *.hscollectedforms.net *.iubenda.com *.hotjar.com cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack.min.js; style-src 'self' 'unsafe-inline' *.iubenda.com *.googletagmanager.com *.googleapis.com; img-src 'self' data: *.google-analytics.com *.googletagmanager.com *.g.doubleclick.net *.google.com *.gstatic.com pagead2.googlesyndication.com www.googleadservices.com google.com track.hubspot.com *.hsforms.com *.iubenda.com; font-src static.paddle.com fonts.gstatic.com; connect-src *.hscollectedforms.net api.paddle.com o522631.ingest.sentry.io *.google-analytics.com *.analytics.google.com *.googletagmanager.com pagead2.googlesyndication.com www.googleadservices.com googleads.g.doubleclick.net www.google.com google.com *.iubenda.com *.hotjar.com *.hotjar.io wss://*.hotjar.com data.hockeystack.com ld.paddle.com; form-action 'none'; object-src 'none'; frame-src 'self' challenges.cloudflare.com *.iubenda.com www.paddle.com; frame-ancestors 'none'; upgrade-insecure-requests; report-uri https://o522631.ingest.sentry.io/api/6313850/security/?sentry_key=9b6ba9811db04a378bff01169e59f037
X-Frame-Options
Excellent
DENY
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
no-referrer
Permissions-Policy
Present
accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()
Recommendations
- • Strengthen CSP by removing 'unsafe-eval'
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- • No CAA records configured - any CA can issue certificates
Recommendations
- • Implement CAA records to restrict which CAs can issue certificates for your domain
- • This adds an extra layer of security against unauthorized certificate issuance
- • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- • Consider adding 'iodef' record to receive security incident reports