89/100
SECURITY SCORE
Certificate Information
Subject
CN=lumens.com
Issuer
C=US, O=Amazon, CN=Amazon RSA 2048 M02
Valid From
July 14, 2025
Valid Until
August 12, 2026
199 days remaining
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
F2:0A:D0:5E:30:DB:FE:80:AB:7C:CD:42:2A:CE:6D:D9:17:F0:A5:00:21:CC:01:13:BF:F1:BB:6B:F1:AC:B1:FC
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Weak
max-age=0
Content-Security-Policy
Basic
default-src 'self' https: http:; base-uri 'self' *.cloudfront.net; block-all-mixed-content; font-src 'self' https: data:; frame-ancestors 'self' https: data:; frame-src 'self' https: data:; img-src 'self' data: blob: *.newrelic.com *.commercecloud.salesforce.com *.lumens.com *.signifyd.com *.online-metrix.net s7d1.scene7.com s7d5.scene7.com images.ctfassets.net storage.googleapis.com cdn.ywxi.net www.gstatic.com *.google.com *.paypal.com *.bing.com *.facebook.com *.everesttech.net *.omtrdc.net *.ydesigngroup.com *.listrakbi.com *.doubleclick.net *.liadm.com *.agkn.com *.rtactivate.com *.dtstmio.com *.cloudfront.net *.datasteam.io *.equalweb.com *.cookielaw.org *.googletagmanager.com *.demdex.net *.espssl.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.cloudinary.com *.facebook.net *.clarity.ms *.modernimpact.com *.amazonaws.com *.adnxs.com *.ojrq.net *.gladly.com *.smooch.io; manifest-src 'self' https: http:; media-src 'self' https: http: data: blob:; object-src 'self' https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.online-metrix.net *.newrelic.com *.nr-data.net runtime.commercecloud.com *.googleapis.com *.lumens.com cdn.gladly.qa *.gladly.com *.smooch.io d1fc8wv8zag5ca.cloudfront.net cdnjs.cloudflare.com www.googlecommerce.com *.curalate.com *.google.com *.googletagmanager.com *.google-analytics.com js.cnnx.link *.paypal.com *.datasteam.io *.facebook.net *.impactradius-event.com *.pinimg.com *.googleadservices.com *.usabilla.com *.zi-scripts.com *.bing.com *.taboola.com *.adobedtm.com cnstrc.com *.cnstrc.com *.listrakbi.com *.omtrdc.net *.listrak.com *.equalweb.com tags.pw.adn.cloud www.paypalobjects.com *.stape.ma *.pinterest.com *.agkn.com *.zoominfo.com *.adn.cloud *.facebook.com *.cookielaw.org *.bing-int.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.signifyd.com *.iesnare.com *.doubleclick.net *.gladly.chat *.clarity.ms *.kyc.red *.tintup.com *.publitas.com *.cquotient.com *.newrelic.com *.scene7.com *.verygoodvault.com; script-src-attr 'self' 'unsafe-inline' 'unsafe-hashes' https: http:; style-src 'self' https: 'unsafe-inline'; connect-src 'self' runtime.commercecloud.com *.lumens.com *.signifyd.com *.newrelic.com *.nr-data.net cdn.gladly.qa *.gladly.com *.smooch.io d1fc8wv8zag5ca.cloudfront.net cdnjs.cloudflare.com www.googlecommerce.com *.google.com *.googletagmanager.com *.google-analytics.com js.cnnx.link *.paypal.com *.datasteam.io *.facebook.net *.impactradius-event.com *.pinimg.com *.googleadservices.com *.usabilla.com *.zi-scripts.com *.bing.com *.taboola.com *.adn.cloud *.demdex.net *.omtrdc.net *.doubleclick.net *.listrak.com *.cnstrc.com *.listrakbi.com *.mobify-storefront.com *.evyy.net *.impct.site *.pinterest.com *.stape.ma *.zoominfo.com *.equalweb.com *.facebook.com *.run.app *.cookielaw.org *.onetrust.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.cloudinary.com *.gladly.chat wss://*.gladly.chat *.clarity.ms *.ydesigngroup.com *.sinter-collect.com *.verygoodvault.com; upgrade-insecure-requests
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Present
same-origin
Permissions-Policy
Missing
Not configured
Recommendations
- Increase HSTS max-age to at least one year (max-age=31536000) and add includeSubDomains. The current max-age=0 does not merely weaken HSTS: it instructs browsers to discard any cached policy for the host, so the header currently provides no downgrade protection at all.
- Tighten the CSP. script-src carries 'unsafe-inline' and 'unsafe-eval', script-src-attr adds 'unsafe-hashes' together with blanket https: and http: sources, and default-src, object-src, manifest-src and media-src also allow any https: or http: origin, so the policy does not stop injected scripts or plugin content. Replace 'unsafe-inline' with nonces or hashes, drop 'unsafe-eval', set object-src 'none', and list the origins actually needed instead of scheme-wide sources. Note also that frame-ancestors 'self' https: data: lets any HTTPS origin frame the site, and browsers that support frame-ancestors ignore X-Frame-Options when both are present, so the SAMEORIGIN value rated Good above is not what is enforced.
- Add a Permissions-Policy header to disable browser features the site does not need (camera, microphone, geolocation and similar).
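The checks behind the three recommendations above, as an added example that is not code from the scanner: it parses the HSTS and CSP values copied from this report (the CSP trimmed to the directives the checks look at) and returns findings per header. The one-year threshold, the set of source expressions treated as weak, and the wording of the findings are this example's own assumptions; the rule that a nonce or hash makes browsers ignore 'unsafe-inline' in a script directive is CSP behaviour, not the scanner's.

```python
"""Audit the HTTP security headers shown in the report above.

Added example, not code from the scanner. The header values are copied from the
report (the CSP is trimmed to the directives the checks look at); the severity
rules, the one-year HSTS threshold and the wording of findings are this
example's own assumptions.
"""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age most guidance (and the preload list) asks for

# Values copied from the report. Permissions-Policy is deliberately absent, as in the report.
HEADERS = {
    "strict-transport-security": "max-age=0",
    "content-security-policy": (
        "default-src 'self' https: http:; base-uri 'self' *.cloudfront.net; "
        "object-src 'self' https: http:; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.newrelic.com *.google.com; "
        "script-src-attr 'self' 'unsafe-inline' 'unsafe-hashes' https: http:; "
        "style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests"
    ),
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "same-origin",
}

# Source expressions that defeat a directive's purpose when they appear in a directive
# that controls script execution, plugin loading or the <base> element (assumed list).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "http:", "https:", "*", "data:"}
SCRIPT_LIKE = ("default-src", "base-uri", "object-src", "script-src", "script-src-elem", "script-src-attr")


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}; a bare directive
    such as upgrade-insecure-requests maps to an empty list."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def has_nonce_or_hash(sources):
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def check_hsts(value):
    """Return findings for a Strict-Transport-Security value (None means the header is absent)."""
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return ["HSTS has no max-age, so browsers ignore it"]
    findings = []
    max_age = int(m.group(1))
    if max_age == 0:
        # max-age=0 is the documented way to remove a cached HSTS policy, not a short lifetime
        findings.append("max-age=0 tells browsers to delete any cached HSTS policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains missing")
    return findings


def check_csp(value):
    """Return findings for a Content-Security-Policy value."""
    policy = parse_csp(value)
    findings = []
    for directive in SCRIPT_LIKE:
        sources = policy.get(directive)
        if sources is None:
            continue
        weak = [s for s in sources if s.lower() in WEAK_SOURCES]
        # Browsers ignore 'unsafe-inline' in a script directive that also carries a nonce or hash
        if directive.startswith("script-src") and has_nonce_or_hash(sources):
            weak = [s for s in weak if s != "'unsafe-inline'"]
        if weak:
            findings.append(f"{directive} allows {' '.join(weak)}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("neither object-src nor default-src set: plugin content unrestricted")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests absent")
    return findings


def audit(headers):
    """Run every check; keys are header names, values are lists of findings (empty means fine)."""
    report = {
        "strict-transport-security": check_hsts(headers.get("strict-transport-security")),
        "content-security-policy": check_csp(headers.get("content-security-policy", "")),
    }
    for name in ("x-frame-options", "x-content-type-options", "referrer-policy", "permissions-policy"):
        report[name] = [] if name in headers else [f"{name} missing"]
    return report


if __name__ == "__main__":
    for header, findings in audit(HEADERS).items():
        print(header, "->", findings or "ok")
```

Run against the report's values this flags the HSTS deletion, the four permissive script-like directives, and the missing Permissions-Policy, while a policy that pairs 'unsafe-inline' with a nonce passes the script-src check.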
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- No CAA records configured: any CA can issue certificates for the domain
Recommendations
- Publish CAA records to restrict which CAs can issue certificates for the domain.
- This adds a layer of defence against mis-issuance: the CA/Browser Forum Baseline Requirements require publicly trusted CAs to check CAA at issuance time, and a CA refuses to issue for a name whose records do not list it.
- Example: the generic form is 'example.com. CAA 0 issue "letsencrypt.org"'. Because the current certificate is issued by Amazon, a record for this domain must name Amazon Trust Services, e.g. 'lumens.com. CAA 0 issue "amazon.com"' (Amazon also recognises amazontrust.com, awstrust.com and amazonaws.com); a record that omits the CA in use will break the next renewal. Add an 'issuewild' record as well, since it overrides 'issue' for wildcard names.
- Add an 'iodef' record (a mailto: or https: URL) so CAs can report issuance requests that the policy rejects.
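How a CA evaluates the records recommended above, as an added example that is not the scanner's code: it implements the RFC 8659 lookup (climb from the requested name toward the root, take the first CAA RRset, let issuewild govern wildcard requests, refuse on an unknown critical property) and a helper that emits the zone lines for one issuer. The ZONE snapshot is constructed; the example.com hostnames and mailto address are made up for illustration; the identifiers in AMAZON_CA_IDS are the ones Amazon Trust Services documents for CAA.

```python
"""Evaluate CAA authorization the way an issuing CA does (RFC 8659).

Added example, not the scanner's code. ZONE is a constructed DNS snapshot; the
hostnames under example.com and the mailto address are made up; AMAZON_CA_IDS
lists the issuer domains Amazon Trust Services documents for CAA.
"""

# Constructed snapshot: owner name -> list of (flags, tag, value).
# A name with no entry has no CAA RRset, which is what the report found for lumens.com.
ZONE = {
    "example.com.": [
        (0, "issue", "amazon.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [(0, "issue", ";")],  # explicit "no CA may issue"
    "wild.example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "amazon.com"),
    ],
    "odd.example.com.": [(128, "unknowntag", "x")],  # critical flag on a property CAs do not implement
}

# CAA issuer domains recognised by Amazon Trust Services, the issuer of the certificate above.
AMAZON_CA_IDS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """Climb from the FQDN toward the root; the first CAA RRset found is the relevant one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_may_issue(zone, fqdn, ca_ids, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_ids asking to issue for fqdn."""
    owner, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records at any label: any CA may issue"
    # A record flagged critical (bit 128) with a tag the CA does not implement forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"{owner} has a critical property this CA does not understand"
    tags = {tag.lower() for _, tag, _ in rrset}
    # Wildcard requests are governed by issuewild when present and fall back to issue otherwise.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    values = [v for _, t, v in rrset if t.lower() == governing]
    if not values:
        # An RRset with only iodef (or only issuewild for a non-wildcard name) does not restrict issuance.
        return True, f"{owner} has CAA records but no '{governing}' property"
    for v in values:
        # Parameters such as "; validationmethods=dns-01" may follow the issuer domain.
        issuer = v.split(";", 1)[0].strip().lower()
        if issuer and issuer in ca_ids:
            return True, f"{owner} authorises {issuer}"
    return False, f"{owner} restricts '{governing}' to {values}"


def recommended_caa(domain, issuer_domain, iodef_url):
    """Zone-file lines that pin issuance for the domain to one CA and route reports."""
    owner = domain.rstrip(".") + "."
    return [
        f'{owner} CAA 0 issue "{issuer_domain}"',
        f'{owner} CAA 0 issuewild "{issuer_domain}"',
        f'{owner} CAA 0 iodef "{iodef_url}"',
    ]


if __name__ == "__main__":
    for name, ids, wild in [
        ("www.lumens.com", AMAZON_CA_IDS, False),
        ("www.example.com", AMAZON_CA_IDS, False),
        ("www.example.com", {"letsencrypt.org"}, False),
        ("shop.example.com", AMAZON_CA_IDS, False),
        ("wild.example.com", {"letsencrypt.org"}, True),
    ]:
        print(name, "(wildcard)" if wild else "", ca_may_issue(ZONE, name, ids, wild))
    print("\n".join(recommended_caa("lumens.com", "amazon.com", "mailto:security@example.com")))
```

The first case reproduces the report's finding: with no RRset at www.lumens.com, lumens.com or com, every CA is allowed. The wild.example.com case shows why an issuewild record matters: Let's Encrypt may issue a plain certificate there but not a wildcard, because issuewild names only amazon.com.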