SSL Certificate Analysis for ocrlabs.com - Security Grade & TLS Configuration

Open Cached · just now

91/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=Georgia, L=Alpharetta, O=Lexisnexis Risk Solutions Inc., CN=idverse.com

Issuer

C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018

Valid From

June 12, 2025

Valid Until

July 14, 2026 171 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

12:98:D7:D8:9A:40:A0:AA:7B:D2:A6:B5:EC:B3:99:0E:29:3E:62:41:40:17:27:46:D6:1A:64:81:C3:E1:3C:C6

Alternative Names

4 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

default-src; script-src; worker-src; +13 more

default-src 'self' atlassian-companion:; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.recaptcha.net tracking.risk.lexisnexis.com code.jquery.com www.gstatic.com player.vimeo.com cdn.cookielaw.org *.clickagy.com *.adsrvr.org www.buzzsprout.com blob: *.visualwebsiteoptimizer.com cdnjs.cloudflare.com platform.twitter.com connect.facebook.net img.en25.com assets.adobedtm.com js.zi-scripts.com *.zoominfo.com www.googletagmanager.com *.google-analytics.com www.youtube.com www.youtube-nocookie.com s.ytimg.com *.lexisnexis.com *.lexisnexis.co.uk *.lexisnexis.es *.lexisnexis.com.br *.lexisnexis.co.jp *.liadm.com *.qualified.com *.doubleclick.net bat.bing.com *.licdn.com *.linkedin.com *.microad.jp *.baidu.com pagead2.googlesyndication.com; worker-src 'self' blob:; style-src 'self' 'unsafe-inline' fonts.googleapis.com fast.fonts.net cdnjs.cloudflare.com; img-src 'self' data: blob: img.en25.com bat.bing.com *.ytimg.com pbs.twimg.com *.lexisnexis.com *.lexisnexis.co.uk pixel.wp.com *.lexisnexis.es *.lexisnexis.com.br *.lexisnexis.co.jp analytics.lexisnexisrisk.com *.google-analytics.com *.doubleclick.net *.everesttech.net *.demdex.net cdn.cookielaw.org tracking.risk.lexisnexis.com *.pagead2.googlesyndication.com *.clickagy.com *.openx.net *.liadm.com idsync.rlcdn.com *.agkn.com *.visualwebsiteoptimizer.com *.microad.jp pixel-sync.sitescout.com *.linkedin.com *.google.com www.google.co.in *.facebook.com *.adsrvr.org pixel.rubiconproject.com; font-src 'self' fonts.gstatic.com *.agkn.com wordpress.com *.tmxcyber.com *.adnxs.com; connect-src 'self' *.microad.jp www.google.co.in *.googleadservices.com browser-intake-datadoghq.com *.visualwebsiteoptimizer.com *.zoominfo.com *.google-analytics.com *.algolia.net *.algolianet.com analytics.lexisnexisrisk.com js.zi-scripts.com *.demdex.net *.everesttech.net www.recaptcha.net cdn.cookielaw.org geolocation.onetrust.com *.lexisnexis.com *.lexisnexis.co.uk *.lexisnexis.es *.lexisnexis.com.br *.lexisnexis.co.jp *.clickagy.com *.adsrvr.org *.liadm.com *.qualified.com wss://*.qualified.com *.google.com bat.bing.com px.ads.linkedin.com *.facebook.com privacyportal.onetrust.com cdnjs.cloudflare.com pagead2.googlesyndication.com *.baidu.com; frame-src 'self' atlassian-companion: *.visualwebsiteoptimizer.com www.youtube.com www.comparably.com *.blueflamingo.solutions *.tmxcyber.com app.teamwalnut.com *.doubleclick.net www.buzzsprout.com *.turtl.co www.youtube-nocookie.com platform.twitter.com player.vimeo.com *.demdex.net gateway.on24.com www.recaptcha.net *.adsrvr.org *.liadm.com www.googletagmanager.com *.qualified.com *.microad.jp cdn.cookielaw.org dpm.demdex.net *.linkedin.com www.kitchco.com nam11.safelinks.protection.outlook.com; media-src 'self' *.cloudfront.net *.qualified.com; manifest-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; report-uri /cdn-cgi/script_monitor/report

X-Frame-Options

Good

sameorigin

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

no-referrer-when-downgrade

Permissions-Policy

Present

camera=(self), microphone=(self)

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

4 domains

ocrlabs.com www.ocrlabs.com

Other domains in certificate

idverse.com www.idverse.com