89/100
SECURITY SCORE
Certificate Information
Subject
CN=robinhood.com
Issuer
C=US, O=Amazon, CN=Amazon RSA 2048 M03
Valid From
January 07, 2025
Valid Until
February 06, 2026
79 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
AE:E8:56:62:59:2D:1B:1D:46:D4:54:9B:C4:98:01:51:32:26:BA:45:D9:6B:61:1F:F6:0F:27:81:B5:56:66:38
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Present
max-age=31536000
Content-Security-Policy
Basic
default-src 'none';
script-src 'self' cdn.robinhood.com cdn.pdst.fm/ping.min.js 'unsafe-inline' www.google-analytics.com www.googletagmanager.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ tagmanager.google.com ssl.google-analytics.com connect.facebook.net sc-static.net d.impactradius-event.com www.redditstatic.com analytics.tiktok.com boards.greenhouse.io bat.bing.com www.googleadservices.com googleads.g.doubleclick.net/pagead/viewthroughconversion/ web-sdk-cdn.singular.net/singular-gtm-interface/latest/singular-gtm-interface.js web-sdk-cdn.singular.net/singular-sdk/latest/singular-sdk.js static.ads-twitter.com s.yimg.com *.usercentrics.eu snap.licdn.com collector-47804.us.tvsquared.com/tv2track.js public.flourish.studio/resources/embed.js csi.gstatic.com cdn.parsely.com *.doubleclick.net *.googlesyndication.com *.googletagservices.com platform.twitter.com/ platform.instagram.com/ www.instagram.com/embed.js www.threads.net/embed.js www.tiktok.com/embed.js lf16-tiktok-web.tiktokcdn-us.com/ www.facebook.com/ www.youtube.com/ ak.sail-horizon.com *.celtra.com *.heapanalytics.com heapanalytics.com cdn.us.heap-api.com *.doubleverify.com *.infogram.com cdn.concert.io *.adtrafficquality.google hymnal-prod.vox-cdn.com www.documentcloud.org/notes/loader.js truthsocial.com/embed.js embed.reddit.com/widgets.js embed.bsky.app/static/embed.js *.permutive.app 'unsafe-inline' 'unsafe-eval' ;
worker-src 'self' blob: ;
frame-src www.google.com/recaptcha/ www.youtube.com/iframe_api/ www.youtube.com/embed/ www.googletagmanager.com boards.greenhouse.io tr6.snapchat.com tr.snapchat.com fcm.quick1fr.com *.usercentrics.eu https://preview.widgets.ninetailed.io/ https://*.fls.doubleclick.net/ *.googlesyndication.com *.doubleclick.net *.googletagservices.com platform.twitter.com/ www.instagram.com/ www.tiktok.com/ www.facebook.com/ www.linkedin.com/ www.threads.net/ flo.uri.sh/ datawrapper.dwcdn.net/ www.googleadservices.com *.adtrafficquality.google *.twitch.tv *.infogram.com embed.documentcloud.org www.documentcloud.org open.spotify.com/ kalshi.com/ playlist.megaphone.fm/ truthsocial.com embed.reddit.com embed.bsky.app cdn.robinhood.com assets.pinterest.com ;
style-src 'self' 'unsafe-inline' cdn.robinhood.com tagmanager.google.com fonts.googleapis.com heapanalytics.com *.googletagmanager.com ;
font-src 'self' cdn.robinhood.com data: fonts.gstatic.com *.celtra.com heapanalytics.com *.auryc.com ;
media-src 'self' cdn.robinhood.com *.usercentrics.eu *.celtra.com *.imgix.net ;
img-src 'self' images.robinhood.com cdn.robinhood.com www.google-analytics.com stats.g.doubleclick.net i.ytimg.com/vi/ images.ctfassets.net downloads.ctfassets.net www.googletagmanager.com ssl.gstatic.com www.gstatic.com www.facebook.com www.google.com www.googleadservices.com tr.snapchat.com tr6.snapchat.com bat.bing.com googleads.g.doubleclick.net ad.doubleclick.net pixel.pointmediatracker.com cnv.event.prod.bidr.io/log/cnv data: alb.reddit.com analytics.twitter.com t.co sp.analytics.yahoo.com *.usercentrics.eu cdn.blisspointmedia.com/assets/img/ px.ads.linkedin.com collector-47804.us.tvsquared.com/tv2track.php blob: * ;
frame-ancestors 'self' ;
manifest-src 'self' cdn.robinhood.com ;
connect-src 'self' robinhood.com *.robinhood.com *.x1creditcard.com *.apollo.rhinternal.net www.google-analytics.com stats.g.doubleclick.net bat.bing.com/actionp/ bat.bing.com/p/conversions/ us-central1-adaptive-growth.cloudfunctions.net/pdst-events-prod-sink ssl.google-analytics.com analytics.google.com sentry.io o62437.ingest.sentry.io www.googletagmanager.com tagmanager.google.com www.google.com/ccm/collect www.google.com/gmp/conversion www.google.com/pagead/1p-conversion/ www.google.com/recaptcha/ www.googleadservices.com/pagead/conversion/ www.facebook.com/privacy_sandbox/topics/registration/ ad.doubleclick.net www.redditstatic.com/ads/conversions-config/v1/pixel/config/ pixel-config.reddit.com/pixels/ conversions-config.reddit.com/v1/pixel/ analytics.tiktok.com sdk-api-v1.singular.net/api/v1/event boards-api.greenhouse.io preview.contentful.com cdn.contentful.com experience.ninetailed.co s.yimg.com *.usercentrics.eu api.instagram.com/ px.ads.linkedin.com mjml-api.apollo.rhinternal.net *.parsely.com *.doubleclick.net *.googlesyndication.com api.sail-personalize.com api.sail-track.com csi.gstatic.com *.celtra.com api.sailthru.com heapanalytics.com c.us.heap-api.com *.auryc.com *.google.com *.doubleverify.com *.imgix.net cdn.concert.io *.adtrafficquality.google *.permutive.app api.permutive.com https://ingest.insights.ninetailed.co ;
upgrade-insecure-requests;
block-all-mixed-content;
report-uri https://o62437.ingest.sentry.io/api/1336410/security/?sentry_key=dadc326d25814a55b5486cb04f439a29;
base-uri 'self'
X-Frame-Options
Excellent
deny
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
- Increase HSTS max-age to at least 1 year and add includeSubDomains
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- No CAA records configured - any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding 'iodef' record to receive security incident reports
Subject Alternative Names
6 domains
sherwoodmedia.com
*.sherwoodmedia.com
robinhood.com
*.robinhood.com
sherwood.news
*.sherwood.news