SSL Certificate Analysis for pre.h5p.com - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

CN=*.h5p.com

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M02

Valid From

June 23, 2025

Valid Until

July 20, 2026 200 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

09:38:18:6B:92:C4:7F:05:1C:C2:59:68:A7:3B:DF:E3:8C:43:FE:05:59:03:E8:38:68:6A:37:03:D7:82:19:3B

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; connect-src; img-src; +8 more

default-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io; connect-src 'self' https://eu-west-1.cdn.h5p.com *.h5p.com https://c.h5p.io https://h5p.zendesk.com/ https://ekr.zdassets.com/ https://checkout.stripe.com/ https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://www.wiris.net/ https://api.h5p.org/v1/licenses/ vimeo.com/api/ wss://multiplayer-eu-west-1.h5p.com hub-api.h5p.org https://*.google-analytics.com/ https://cdn.linkedin.oribi.io/partner/ https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://data.wiris.cloud/telemetry/v1 https://*.userpilot.io wss://*.userpilot.io; img-src * data: blob: https://*.userpilot.io; media-src * blob:; frame-src * blob:; object-src 'none'; child-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io blob: *.vimeo.com vimeo.com; script-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io 'unsafe-inline' 'unsafe-eval' blob: https://*.hotjar.com static.zdassets.com www.youtube.com gdata.youtube.com/feeds/api/ https://s.ytimg.com/yts/jsbin/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com/v3/ https://checkout.stripe.com/ en.wikipedia.org/w/api.php api.flickr.com/services/rest/ soundcloud.com/oembed https://developers.panopto.com/ https://www.wiris.net/ https://player.vimeo.com https://www.vimeo.com https://f.vimeocdn.com https://connect.facebook.net/ https://snap.licdn.com/li.lms-analytics/ https://*.googletagmanager.com https://*.userpilot.io; style-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io 'unsafe-inline' https://checkout.stripe.com/ https://fonts.googleapis.com/css https://fonts.googleapis.com/css2 https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ https://*.hotjar.com https://www.wiris.net/ https://*.userpilot.io; font-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io data: https://fonts.gstatic.com https://cdnjs.cloudflare.com/ https://*.hotjar.com https://www.wiris.net/; frame-ancestors 'none';

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

2 domains

h5p.com *.h5p.com