SSL Certificate Analysis for netcup.de - Security Grade & TLS Configuration

Open Cached · just now

88/100 SECURITY SCORE

Certificate Information

Subject

CN=www.netcup.de

Issuer

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1

Valid From

August 01, 2025

Valid Until

July 31, 2026 183 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

8A:66:3E:37:60:73:B4:97:8A:E2:90:A2:7A:C0:C5:ED:91:4C:F2:DD:1F:15:B4:5D:C7:96:FA:D1:D5:04:97:F3

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.2

Forward Secrecy

Limited (Check cipher configuration)

Warnings

• TLS 1.3 is not supported (recommended)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

base-uri; font-src; form-action; +12 more

base-uri 'none'; font-src 'self' https: data:; form-action https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://www.facebook.com; frame-ancestors 'self'; img-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://ads-twitter.com https://ads-api.twitter.com https://analytics.twitter.com https://mautic.netcup.news https://px.ads.linkedin.com 'self' blob: data: https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://*.onetrust.com https://measure.netcup.com https://www.googleadservices.com https://pagead2.googlesyndication.com https://widget.trustpilot.com https://cdn.brevo.com/js/sdk-loader.js 'self' 'wasm-unsafe-eval' 'nonce-lbXxaN2yi4zGfavm+fcrkCfB'; upgrade-insecure-requests; connect-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://ads-twitter.com https://ads-api.twitter.com https://analytics.twitter.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://*.onetrust.com https://www.google.com https://in-automate.brevo.com https://measure.netcup.com https://google.com https://px.ads.linkedin.com https://*.clarity.ms/ 'self' https://*.analytics.google.com https://*.google-analytics.com https://stats.g.doubleclick.net https://eu-api.friendlycaptcha.eu https://googleads.g.doubleclick.net https://www.googleadservices.com https://cdn.cookielaw.org https://adservice.google.com https://pagead2.googlesyndication.com https://www.redditstatic.com https://pixel-config.reddit.com https://analytics.tiktok.com https://ads.tiktok.com https://bat.bing.com https://widget.trustpilot.com; worker-src blob:; child-src blob: https://td.doubleclick.net; script-src-elem https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://cdn.brevo.com/js/sdk-loader.js https://sibautomation.com/sa.js https://sibforms.com/ https://www.googleadservices.com https://www.redditstatic.com 'self' 'unsafe-inline' https://*.googletagmanager.com https://static.ads-twitter.com https://snap.licdn.com https://bat.bing.com https://connect.facebook.net https://*.clarity.ms https://googleads.g.doubleclick.net https://cdn.cookielaw.org https://analytics.tiktok.com https://ads.tiktok.com https://measure.netcup.com https://www.youtube.com https://pagead2.googlesyndication.com https://widget.trustpilot.com; frame-src https://td.doubleclick.net https://www.facebook.com https://www.googletagmanager.com https://measure.netcup.com https://www.youtube-nocookie.com/ https://widget.trustpilot.com https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

netcup.de www.netcup.de