SSL Certificate Analysis for support.code.dev-theguardian.com - Security Grade & TLS Configuration

Open Cached · just now

91/100 SECURITY SCORE

Certificate Information

Subject

CN=theguardian.com

Issuer

C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q3

Valid From

October 07, 2025

Valid Until

November 08, 2026 309 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

CE:76:B8:5C:EB:C2:5F:5F:2B:AF:02:EF:3D:95:77:42:86:D0:EC:3E:79:F4:00:4E:F9:46:F2:E9:90:D5:82:D2

Alternative Names

32 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=300

Content-Security-Policy

Good

default-src; frame-ancestors; object-src; +1 more

default-src 'self' https://support.code.dev-theguardian.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent-code.support.guardianapis.com www.paypalobjects.com t.paypal.com/ members-data-api.code.dev-theguardian.com metric-push-api-code.support.guardianapis.com www.paypal.com www.sandbox.paypal.com js.stripe.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/ https://tickets.theguardian.live/ https://www.tickettailor.com/ https://cdn.tickettailor.com/js/widgets/min/widget.js https://cdn.tickettailor.com/js/widgets/min/widget.css https://feast-events.guardianapis.com/web-vitals https://observer.co.uk/favicon.png https://observer.co.uk/favicon.ico https://profile.code.dev-theguardian.com/; frame-ancestors https://theguardian.newspapers.com https://gnmtouchpoint--dev1--c.cs88.visual.force.com https://gnmtouchpoint--dev1.lightning.force.com https://m.code.dev-theguardian.com https://gnmtouchpoint--dev1--c.sandbox.vf.force.com https://gnmtouchpoint--dev1.sandbox.lightning.force.com; object-src 'none'; base-uri 'none'

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin, strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports