SSL Certificate Analysis for onenote.cloud.microsoft - Security Grade & TLS Configuration

Open Cached · just now

82/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=officeapps.live.com

Issuer

C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03

Valid From

June 24, 2025

Valid Until

June 19, 2026 155 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA384-RSA

SHA-256 Fingerprint

54:66:E4:BE:EB:40:95:B8:D2:6D:A4:2A:E9:F4:B6:DD:47:51:3C:65:42:23:F7:F8:86:C1:81:F3:57:3A:AC:9E

Alternative Names

38 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

script-src; style-src; default-src; +15 more

script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' 'wasm-unsafe-eval' *.cdn.office.net *.public.onecdn.static.microsoft *.office.com aadcdn.msauth.net aadcdn.msftauth.net blob: https: https://a-ring.msedge.net https://amcdn.msauth.net https://amcdn.msftauth.net https://b-ring.msedge.net https://graph.microsoft.com https://gtm-dyn-direct.office365.com https://js.monitor.azure.com https://k-ring.msedge.net https://outlook.live.com https://outlook.office.com https://ow1.res.office365.com https://partner.dev.oasis.microsoft.com https://r4.res.office365.com https://s-ring.msedge.net https://web.vortex.data.microsoft.com https://webshell.suite.office.com https://webshell.suite.officeppe.com res.cdn.office.net;style-src 'report-sample' 'self' 'unsafe-inline' *.cdn.office.net *.fluidpreview.office.net *.microsoft.com https://www.microsoft.com/ res-dev.cdn.officeppe.net res.public.onecdn.static.microsoft;default-src 'self' *.cdn.office.net *.public.onecdn.static.microsoft cdn.fluidpreview.office.net https://midgardbranches.blob.core.windows.net res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft;img-src 'self' *.augloop.svc.cloud.microsoft *.cdn.office.net *.clipchamp.com *.create.microsoft.com *.loki.delve.office.com *.oasis.microsoft.com *.onecdn.static.microsoft *.osi.office.net *.osi.officeppe.net *.public.onecdn.static.microsoft *.s-microsoft.com *.sharepointonline.com *.svc.ms aadcdn.msftauthimages.net az787822.vo.msecnd.net blob: browser.events.data.microsoft.com cdn.create.microsoft.com cdn.designerapp.osi.office.net cdn.hubblecontent.osi.office.net clipchamp.df.onecdn.static.microsoft clipchamp.public.onecdn.static.microsoft content.lifecycle.office.net content.lifecycle.officeppe.net content.powerapps.com copilotstudio.preview.microsoft.com data: designer.cloud.microsoft designer.microsoft.com designerapp.edog.officeapps.live.com designerapp.officeapps.live.com forms.office.com https://outlook.office.com https://sdfpilot.outlook.com https://webshell.suite.office.com m365.cloud.microsoft measure.office.com media.licdn.com outlook-1.cdn.office.net pmservices.cp.microsoft.com powerautomate.microsoft.com preview.content.powerapps.com prod.msocdn.com prodapiicons.cdn.powerappscdn.net res-1.cdn.office.net res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft.com secure.aadcdn.microsoftonline-p.com spoprod-a.akamaihd.net static2.sharepointonline.com staticresources.payments.microsoft.com statics.teams.cdn.office.net substrate.office.com tip1apiicons.cdn.powerappscdn.net tip2apiicons.cdn.powerappscdn.net www.microsoft365.com;connect-src 'self' *.augloop.svc.cloud.microsoft *.cdn.office.net *.collabhubrtc.officeapps.live.com *.public.onecdn.static.microsoft *.microsoft.com *.office.com *.office365.com *.officeapps.live.com *.rtc.svc.cloud.microsoft *.sharepoint-df.com *.sharepoint.com *.svc.ms arc-emea.msn.com arc.msn.com blob: data: https: https://admin.microsoft.com https://api.onedrive.com https://artifacts.dev.azure.com https://browser.events.data.microsoft.com https://browser.pipe.aria.microsoft.com https://cdn.config.centro.core.microsoft https://clients.config.gcc.office.net https://clients.config.office.net https://config.edge.skype.com https://config.edge.skype.net https://consentreceiverfd-prod.azurefd.net https://eu-mobile.events.data.microsoft.com https://eu-office.events.data.microsoft.com https://graph.microsoft.com https://login.microsoftonline.com https://my.microsoftpersonalcontent.com https://nleditor.osi.officeppe.net https://odc.edog.officeapps.live.com https://outlook.cloud.microsoft https://petrol-int.office.microsoft.com https://petrol.office.microsoft.com https://pp1.prd.bmc.teams.microsoft.com https://teams.cloud.microsoft https://titles.prod.mos.microsoft.com res-dev.cdn.officeppe.net res.cdn.office.net wss: wss://*.augloop.office.com wss://*.augloop-gcc.office.com wss://*.dogfood.augloop.svc.cloud.microsoft wss://*.gcc.augloop.svc.cloud.microsoft wss://*.trouter.teams.microsoft.com wss://augloop.office.com wss://augloop.svc.cloud.microsoft wss://gcc.augloop.svc.cloud.microsoft wss://substrate.office.com;font-src 'self' 'unsafe-inline' *.azureedge.net *.cdn.office.net *.public.onecdn.static.microsoft *.fluidpreview.office.net *.sharepointonline.com cdn.create.microsoft.com data: fs.microsoft.com https://c.s-microsoft.com prod.msocdn.com res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft sharepointonline.com spoprod-a.akamaihd.net;frame-ancestors 'self' data: https://support.office.com;frame-src 'self' * *.cdn.office.net *.oasis.microsoft.com *.office.com *.officeapps.live.com *.sharepoint-df.com *.sharepoint.com blob: https://amcdn.msftauth.net https://create.cloud.microsoft https://create.microsoft.com https://login.live.com https://login.microsoftonline.com https://microsoft-onmicrosoft-com.access.mcas.ms https://my.microsoftpersonalcontent.com https://onedrive.live.com https://webshell.suite.officeppe.com https://www.odwebp.svc.ms ms-excel: ms-powerpoint: ms-word: onenote:;upgrade-insecure-requests;media-src 'self' https://*.sharepoint-df.com https://*.sharepoint.com blob: data: *.cdn.office.net *.azureedge.net *.core.windows.net *.clipchamp.com *.oasis.microsoft.com *.create.microsoft.com;manifest-src 'self';child-src blob:;object-src 'none';form-action https://*;worker-src 'self' blob:;trusted-types 'allow-duplicates' 1DSScriptURL @1js/midgard-trusted-types @azure/ms-rest-js#xml.browser @centro/floodgate @centro/hvc-loader @fluidx/loop @fluidx/loop#loop-app @fluidx/loop#loop-page-container @fluidx/loop#odsp-driver @fluidx/loop#office-fluid-container @microsoft/1ds-getcollectorurlsnippet-js#sanitize-html @msstream/azuremediaplayer#worker-noop @msstream/one-player#noop-create-html @msstream/one-player#sanitize-html MeControlScriptURL cdn-url#oneshell default domPurifyHTML domUtilsTrustedTypePolicy dompurify html2canvas html2canvas-feedback nextjs nextjs#bundler ocvPolicy officebrowserfeedback#domUtils safe-xml#oneshell sccChatTrustedTypesPolicy sccEntityDrawerTrustedTypesPolicy script-url#webpack shellInfoPolicy;report-uri https://csp.microsoft.com/report/OfficeAppHome-PROD;report-to AppHomeReportToEndpoint

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

38 domains

excel.cloud.microsoft onenote.cloud.microsoft powerpoint.cloud.microsoft visio.cloud.microsoft word.cloud.microsoft df.excel.cloud.microsoft df.onenote.cloud.microsoft df.powerpoint.cloud.microsoft df.visio.cloud.microsoft df.word.cloud.microsoft *.ocs.svc.cloud.microsoft *.rtc.svc.cloud.microsoft

Other domains in certificate

excel.cloud-dev.microsoft powerpoint.cloud-dev.microsoft word.cloud-dev.microsoft

excel.cloud.dev.microsoft onenote.cloud.dev.microsoft powerpoint.cloud.dev.microsoft visio.cloud.dev.microsoft word.cloud.dev.microsoft

office.live.com *.office.live.com officeapps-df.live.com *.officeapps-df.live.com officeapps.live.com *.officeapps.live.com officeppe.live.com *.th.officeapps.live.com *.vhs.officeapps.live.com *.view.officeapps.live.com

*.fp.measure.office.com online.office.com *.online.office.com *.optin.online.office.com tr-ofc-afdb.office.com tr-ofc-afdwac.office.com

online.office365.com *.online.office365.com