SSL Certificate Analysis for roadmap.formstack.com - Security Grade & TLS Configuration

Open Cached · just now

96/100 SECURITY SCORE

Certificate Information

Subject

CN=*.formstack.com

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M04

Valid From

December 18, 2025

Valid Until

January 15, 2027 364 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

C5:2E:5E:E0:51:88:3A:A8:4E:BF:F0:69:3E:BC:8D:20:8F:9F:55:DC:3F:7B:B1:6E:C6:FE:A4:20:E4:B6:BB:95

Alternative Names

2 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Good

default-src; base-uri; child-src; +10 more

default-src 'self'; base-uri optimize.google.com; child-src *.stripe.com *.wistia.com *.wistia.net *.doubleclick.net *.productboard.com *.marketo.com optimize.google.com *.hotjar.com *.figma.com *.loom.com miro.com *.mural.co *.youtube.com *.google.com; connect-src 'self' cdn.productboard.com nucleus.productboard.net *.productboard.info *.pusher.com wss://*.pusher.com wss://ws.pusherapp.com:443 wss://ws.pusherapp.com ana-api.productboard.com *.segment.io *.segment.com nexus-websocket-a.intercom.io nexus-websocket-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io nexus-long-poller-a.intercom.io nexus-long-poller-b.intercom.io api-iam.intercom.io *.intercomcdn.com api.sprig.com *.typekit.net api.mixpanel.com *.fullstory.com fullstory.com *.wistia.com *.facebook.com api.trello.com embedwistia-a.akamaihd.net heapanalytics.com *.googlesyndication.com *.google.com www.google-analytics.com *.litix.io *.clearbit.com *.mktoresp.com *.launchdarkly.com *.hotjar.com wss://*.hotjar.com *.ingest.sentry.io *.datadoghq.com *.browser-intake-datadoghq.com api-js.mixpanel.com api.amplitude.com api2.amplitude.com platformapi.metadata.io/insight directory.cookieyes.com/geoip/checker/result.php geoip.cookieyes.com/geoip/checker/result.php active.cookieyes.com/api/15c129b68a4e12b799f6926d/log cdn-cookieyes.com/client_data/15c129b68a4e12b799f6926d/ consentlog.cookieyes.com/api/v1/log log.cookieyes.com/api/v1/log *.zdassets.com widget-mediator.zopim.com wss://widget-mediator.zopim.com productboard.zendesk.com api.iterative.ly *.leadmanagerfx.com *.6sc.co *.adnxs.com events.rm-api.com app.satismeter.com cdn.cookielaw.org *.onetrust.com *.onetrust.io *.linkedin.com api.churnkey.co api.privacy-center.org; font-src 'self' cdn.productboard.com data: use.typekit.net fonts.typekit.net *.intercomcdn.com *.wistia.com heapanalytics.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com; frame-src *.stripe.com *.wistia.com *.wistia.net *.doubleclick.net *.productboard.com *.marketo.com optimize.google.com *.hotjar.com *.figma.com *.loom.com miro.com *.mural.co *.youtube.com *.google.com; img-src * data:; media-src 'self' data: blob: *.intercomcdn.com embedwistia-a.akamaihd.net *.wistia.com cdn.productboard.com nucleus.productboard.net *.zdassets.com; object-src 'none'; script-src 'strict-dynamic' 'self' cdn.productboard.com cdn.productboard.info blob: *.stripe.com use.typekit.net *.jquery.com unpkg.com/[email protected]/dist/es6-promise.min.js unpkg.com/[email protected]/fetch.js ana-api.productboard.com ana-cdn.productboard.com *.segment.com *.intercom.io *.intercomcdn.com cdn.sprig.com google-analytics.com www.google-analytics.com www.googletagmanager.com www.googleadservices.com www.google.com optimize.google.com *.doubleclick.net cdn.heapanalytics.com heapanalytics.com cdn.mxpnl.com connect.facebook.net *.fullstory.com fullstory.com *.wistia.com *.wistia.net src.litix.io/core/2/mux.js *.hotjar.com *.ads-twitter.com *.licdn.com *.linkedin.com cdn.linkedin.oribi.io *.twitter.com d3pkntwtp2ukl5.cloudfront.net/uba.js t.unbounce.com pi.pardot.com *.clearbit.com clearbitjs.com *.marketo.net *.marketo.com *.productboard.com *.productboard.info ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js platformapi.metadata.io/insight *.zdassets.com *.6sc.co sdk.privacy-center.org 'sha256-1xtiB6mV1iIKZ5iz9CxA5lEnfEg8d0XEH3FL9L8NBqo=' 'sha256-JGNwU22sBNi7NDHL+wqlwIkC2JuuTqj3HSN50ociTRE=' 'sha256-aOTKS02cS1DYFDvnu05wssg6XS9PRp/dixdxdVh7ioI=' 'sha256-b9Ie95nOvwhEe9Hi9+dwQCZpCP7ZywQsClRCch8DMSw=' 'sha256-Jb0wOdCesDXxdafb67AmmRPkiiHRSjffdBYCqWytm/k=' 'sha256-wQru5sxHShlWpxT/nwecizNBThR4K8PhqVyc2mlJm7M=' 'sha256-1PNzWOuCr8g+upenwNprAOn3WZVu0HWomIWLsWX+rLg=' 'sha256-ZOa8X2G5qWRs9CiZ5FwQHOad+GnOtYuzGbe3Dt+OL/Q=' 'sha256-i9zis99gljeSD8jnXB7X1lGn51dh7FicTdU03wURvbE=' 'sha256-AAIyCeNkVoMxZQ/5yfTz/BG5v3Ib8KAmuVoTp+Q7psw=' 'sha256-a5kmznv6Sbv8b6fgtyyendMenyUkmGCFnqtvBufglCU=' 'sha256-7zBOkhS2vzHAGaz4pZ7r/FtCmEQ5bNIdVD/yOUnpgnM=' 'sha256-yhgBXYVXKRAhO8Vrs6nLnyx65xWIhNfJvDZuVpNDJbc=' 'sha256-wtAC4tcF3bmes4SrLnCIrvVVUhmyOlnIJAiZGqRWpbg=' 'sha256-9BQpJeeygWRbL7KAwJe4fSWvTuoLqh44ZNMdnD4PHro=' 'sha256-Tai0i/czjnslnZ2EDknVR5V9so039TbnC8mOBg+MmAU=' 'sha256-vK0+VSmPSv66WlmxQYMr/nW0KaajgkHdOnI8gB6soPA=' 'sha256-ajy9PYUtpzQkoj8ZgAmYVLwn8Qo71bhmx/YND44uy2w=' 'sha256-oagjFrRKVmNSOzTEo+ojTMeuFF7QrrKYHe3aVKBtFCo=' 'nonce-+5tV7wXRZBEHYVJIUBFvBmO1b2ujuCBBBj16AB4vgCY='; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com use.typekit.net p.typekit.net cdn.productboard.com cdn.productboard.info heapanalytics.com maxcdn.bootstrapcdn.com *.marketo.com info.productboard.com optimize.google.com assets.churnkey.co; worker-src 'self' blob:; report-uri /csp_report

X-Frame-Options

Present

ALLOWALL

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

godaddy.com letsencrypt.org pki.goog ; cansignhttpexchanges=yes amazonaws.com digicert.com

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• You have authorized 5 CAs - consider limiting to only the CAs you actively use
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

2 domains

formstack.com *.formstack.com