SSL Certificate Analysis for paddle.com - Security Grade & TLS Configuration

Open Cached · 6h ago

91/100 SECURITY SCORE

Certificate Information

Subject

CN=paddle.com

Issuer

C=US, O=Google Trust Services, CN=WE1

Valid From

November 29, 2025

Valid Until

February 27, 2026 45 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA256

SHA-256 Fingerprint

2E:C9:9A:4B:D4:63:8A:30:86:3A:FE:F9:45:40:0A:3F:F8:F1:32:C1:49:A5:DD:22:39:10:B7:B1:53:C9:59:85

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

base-uri; default-src; worker-src; +11 more

base-uri 'self'; default-src 'self' blob: data: https: ; worker-src 'self' blob:; frame-ancestors 'self' http://localhost:9999 *.paddle.com *.prismic.io https://www.profitwell.com https://paddle.enablix.com https://paddle.letter.ai; media-src 'self' blob: data: https: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.visualwebsiteoptimizer.com app.vwo.com tag.unifyintent.com unifyintent.com *.stackadapt.com *.twitter.com *.iubenda.com connect.facebook.net *.cloudfront.net *.hsforms.com googleads.g.doubleclick.net *.hs-analytics.net *.hs-banner.com *.hs-scripts.com *.hsforms.net *.hsleadflows.net *.hotjar.com *.licdn.com *.ads-twitter.com *.doubleclick.net *.google-analytics.com *.google.com *.googleadservices.com *.googletagmanager.com *.gstatic.com *.redditstatic.com *.youtube.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net prod-assets.sequelvideo.com https: ; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' *.visualwebsiteoptimizer.com app.vwo.com tag.unifyintent.com unifyintent.com *.youtube.com *.wistia.com *.licdn.com *.ads-twitter.com *.doubleclick.net *.hotjar.com *.redditstatic.com *.profitwell.com *.bing.com js.hubspot.com *.hs-analytics.net *.hs-banner.com *.hsadspixel.net www.clarity.ms *.hs-scripts.com connect.facebook.net *.rudderlabs.com *.influ2.com *.stackadapt.com *.metadata.io *.clearbitscripts.com *.clearbitjs.com *.kustomerapp.com *.qualified.com *.iubenda.com *.netlify.app *.hsforms.net *.googletagmanager.com *.googleapis.com prismic.io *.prismic.io *.mplat-ppcprotect.com status.io dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net tracking.g2crowd.com cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack.min.js cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack-qualified.min.js js.stripe.com/v3/ cdnjs.cloudflare.com/polyfill/ prod-assets.sequelvideo.com; style-src 'self' 'unsafe-inline' *.visualwebsiteoptimizer.com app.vwo.com *.cloudfront.net *.youtube.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net s3.amazonaws.com https: blob: ; object-src 'none'; font-src 'self' *.cloudfront.net *.gstatic.com data: https: ; connect-src 'self' *.visualwebsiteoptimizer.com app.vwo.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net *.qualified.com ws: wss: https: data: ; img-src 'self' *.visualwebsiteoptimizer.com app.vwo.com useruploads.vwo.io *.googletagmanager.com *.ctfassets.net *.reddit.com *.cloudfront.net *.ytimg.com *.adsymptotic.com *.ads.linkedin.com t.co *.hubspot.com *.facebook.com *.google.com *.youtube.com *.ggpht.com dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net chart.googleapis.com wingify-assets.s3.amazonaws.com data: https:; frame-src 'self' paddle.chilipiper.com *.visualwebsiteoptimizer.com app.vwo.com paddle.prismic.io www.googletagmanager.com *.youtube.com *.wistia.net *.wistia.com *.hsforms.com paddle.kustomer.help *.kustomerapp.com *.qualified.com app.netlify.com *.doubleclick.net *.prismic.io www.slideshare.net dnf20ypvrc856.cloudfront.net dta8euw1l8gvs.cloudfront.net js.stripe.com *.sequel.io; upgrade-insecure-requests;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

paddle.com *.paddle.com