82/100
SECURITY SCORE
Certificate Information
Subject
CN=www.pbs.org
Issuer
C=US, O=Let's Encrypt, CN=E7
Valid From
February 01, 2026
Valid Until
May 02, 2026
79 days
Public Key
ECDSA
384 bit
(P-384)
Strong
Signature Algorithm
ECDSA-SHA384
SHA-256 Fingerprint
76:AD:1A:2D:42:B1:CE:93:77:9B:6E:6D:CE:AB:22:0B:F3:71:3A:7F:26:3A:31:08:30:89:01:F0:41:87:3A:E3
Alternative Names
Security Configuration
TLS Protocols
TLS 1.1
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
Warnings
- TLS 1.1 is deprecated and should be disabled
HTTP Security Headers
Status
Strict-Transport-Security
Missing
Not configured
Content-Security-Policy
Basic
default-src; script-src; style-src; +4 more
default-src 'self' *.pbs.org; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.pbs.org *.googlesyndication.com *.adtrafficquality.google adservice.google.com adservice.google.co.in connect.facebook.net fundingchoicesmessages.google.com *.2mdn.net *.nr-data.net sb.scorecardresearch.com securepubads.g.doubleclick.net www.google-analytics.com analytics.google.com www.googletagmanager.com *.googletagservices.com 'unsafe-inline' 'unsafe-eval' *.cookielaw.org www.redditstatic.com alb.reddit.com analytics.tiktok.com s.pinimg.com *.ketchcdn.com *.ketchjs.com static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' *.pbs.org *.ketchcdn.com *.ketchjs.com; img-src 'self' blob: data: *.pbs.org *.doubleclick.net *.cookielaw.org *.googlesyndication.com *.adtrafficquality.google sb.scorecardresearch.com www.googletagmanager.com www.facebook.com graph.facebook.com platform-lookaside.fbsbx.com *.2mdn.net *.agkn.com *.fbsbx.com *.fbcdn.net www.google-analytics.com www.google.com *.googleusercontent.com tags.w55c.net www.redditstatic.com alb.reddit.com analytics.tiktok.com ct.pinterest.com impressions.onelink.me *.ketchcdn.com *.ketchjs.com; connect-src 'self' *.pbs.org *.pbs.org:7000 *.pbs.org:3000 *.localhost:3010 *.localhost:3020 *.localhost:3030 *.doubleclick.net *.googlesyndication.com *.adtrafficquality.google *.2mdn.net *.nr-data.net *.eloqua.com *.cookielaw.org *.onetrust.com csi.gstatic.com fundingchoicesmessages.google.com www.google-analytics.com analytics.google.com www.redditstatic.com alb.reddit.com analytics.tiktok.com ct.pinterest.com *.sentry.io *.ketchcdn.com *.ketchjs.com; frame-src 'self' *.pbs.org player.localhost:8080 *.doubleclick.net *.2mdn.net *.googlesyndication.com *.googleadservices.com *.adtrafficquality.google www.facebook.com www.google.com *.googletagservices.com *.youtube.com ct.pinterest.com *.ketchcdn.com *.ketchjs.com; upgrade-insecure-requests;
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Missing
Not configured
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- Add Strict-Transport-Security header with max-age of at least 1 year
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Configured
(Restricts certificate issuance)
Current Issuer
Authorized
(Matches CAA policy)
Authorized CAs
Recommendations
- Consider using critical flag (flags=128) for stricter CAA enforcement
- You have authorized 5 CAs - consider limiting to only the CAs you actively use
- Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
- Consider adding 'issuewild' records to control wildcard certificate issuance