SSL Certificate Analysis for parent.skool.sg - Security Grade & TLS Configuration

Open Cached · just now

92/100 SECURITY SCORE

Certificate Information

Subject

C=SG, L=Singapore, O=NTUC FIRST CAMPUS LIMITED, CN=ntucfirstcampus.com

Issuer

C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1

Valid From

October 01, 2025

Valid Until

October 01, 2026 250 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA384

SHA-256 Fingerprint

9B:4B:B3:39:21:04:CE:7A:7A:08:19:DB:3B:68:E4:4A:62:D9:5B:4B:AB:5C:FB:A9:E0:21:9E:78:DD:26:20:01

Alternative Names

24 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; style-src; script-src; +10 more

default-src 'self' https://*.skool.sg https://*.myfirstskool.com https://*.littleskoolhouse.com https://*.amazonaws.com https://*.cloudfront.com https://*.cloudfront.net https://sn-image-service-dot-tcc-sn-dev.appspot.com https://*.go-mpulse.net https://*.google.com https://*.googleapis.com https://*.freshchat.com https://*.google-analytics.com https://*.googletagmanager.com stats.g.doubleclick.net ws: wss:; style-src https://*.freshdesk.com https://*.freshworks.com 'self' 'unsafe-inline' https://fonts.googleapis.com https://wchat.freshchat.com https://sn2-care-journal-stg.web.app https://sn2-whiteboard-stg.web.app; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.go-mpulse.net https://polyfill-fastly.io https://maps.googleapis.com https://wchat.freshchat.com https://www.google-analytics.com https://www.googletagmanager.com stats.g.doubleclick.net; object-src blob: 'self' *.amazonaws.com *.cloudfront.com *.cloudfront.net https://sn-image-service-dot-tcc-sn-dev.appspot.com *.skool.sg *.myfirstskool.com *.littleskoolhouse.com; img-src * 'self' data: *.amazonaws.com *.cloudfront.com *.cloudfront.net https://sn-image-service-dot-tcc-sn-dev.appspot.com *.skool.sg *.myfirstskool.com *.littleskoolhouse.com https://akstat.io; font-src * data: blob: fonts.googleapis.com fonts.gstatic.com; frame-ancestors https://www.parent.skool.sg https://parent.skool.sg https://www.parent.skooluat.sg https://parent.skooluat.sg https://www.myfirstskool.com https://myfirstskool.com; frame-src https://www.googletagmanager.com *.freshchat.com *.google.com blob: 'self' *.amazonaws.com *.cloudfront.com *.cloudfront.net https://sn-image-service-dot-tcc-sn-dev.appspot.com *.skool.sg *.myfirstskool.com *.littleskoolhouse.com https://sn2-care-journal-stg.web.app https://preprod-auth.ntuclink.com.sg; worker-src 'self' blob:; script-src-elem https://*.freshdesk.com https://*.freshworks.com 'self' 'unsafe-inline' blob: https://polyfill-fastly.io https://maps.googleapis.com https://wchat.freshchat.com https://www.google-analytics.com https://*.go-mpulse.net https://sn2-whiteboard-stg.web.app https://sn2-care-journal-stg.web.app https://sn2-care-journal-dev.web.app; form-action 'self' https://*.skool.sg https://*.myfirstskool.com https://*.littleskoolhouse.com https://preprod-auth.ntuclink.com.sg; base-uri 'self'; connect-src 'self' https://preprod-auth.ntuclink.com.sg https://*.akstat.io https://*.freshdesk.com https://*.freshworks.com 'self' https://*.skool.sg https://*.myfirstskool.com https://*.littleskoolhouse.com https://sn2-care-journal-stg.web.app https://sn2-whiteboard-stg.web.app https://*.amazonaws.com https://*.cloudfront.com https://*.cloudfront.net https://sn-image-service-dot-tcc-sn-dev.appspot.com https://*.go-mpulse.net https://*.google.com https://*.googleapis.com https://*.freshchat.com https://*.google-analytics.com https://*.googletagmanager.com stats.g.doubleclick.net https://*.split.io https://cloudflare-dns.com https://*.datadoghq.eu https://logs.browser-intake-datadoghq.eu https://rum.browser-intake-datadoghq.eu ws: wss:;

X-Frame-Options

Present

ALLOW-FROM https://parent.skool.sg; DENY; SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

no-referrer

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

24 domains

parent.skool.sg staff.skool.sg guardian-api.lsh.skool.sg guardian-api.mfs.skool.sg staging2.api.skool.sg

Other domains in certificate

admin-ep.littleskoolhouse.com enrichment.littleskoolhouse.com ep-api.littleskoolhouse.com parent.littleskoolhouse.com sn-api.littleskoolhouse.com staff.littleskoolhouse.com

admin-ep.myfirstskool.com api.myfirstskool.com enrichment.myfirstskool.com ep-api.myfirstskool.com parent.myfirstskool.com staff.myfirstskool.com vps-api.myfirstskool.com

msportal-api-dev.ntucfirstcampus.com msportal-api.ntucfirstcampus.com ntucfirstcampus.com

dev.api.skooluat.sg dev5.api.skooluat.sg sn2-test-1.skooluat.sg