Security Score: 86/100
Certificate Information
Subject: C=FI, L=Helsinki, O=Suomen Terveystalo Oy, CN=terveystalo.com
Issuer: C=US, O=SSL Corporation, CN=Entrust OV TLS Issuing RSA CA 1
Valid From: April 16, 2025
Valid Until: May 14, 2026 (160 days remaining)
Public Key: RSA 2048 bit (Adequate)
Signature Algorithm: SHA256-RSA
SHA-256 Fingerprint: F5:B7:EA:4B:87:77:63:25:E2:CF:44:31:CE:4C:F0:26:A6:F5:71:0E:ED:5C:71:73:A4:A1:22:78:22:37:FC:76
Alternative Names:
Security Configuration
TLS Protocols: TLS 1.2, TLS 1.3
Forward Secrecy: Supported (modern clients use PFS)
HTTP Security Headers
Strict-Transport-Security: Present
  max-age=5184000; preload
Content-Security-Policy: Basic (default-src; script-src; style-src; +4 more)
  default-src 'self' svc-prod-eu.liveshopping.bambuser.com feed.mfn.modfin.se widget.datablocks.se consent.app.cookieinformation.com policy.app.cookieinformation.com adservice.google.com app.vwo.com *.azureedge.net blob: data: *.dynamics.com feedback-api.lumoa.me fonts.googleapis.com *.litix.io maps.googleapis.com *.ninchat.com ninchat.com pagead2.googlesyndication.com *.sleeknote.com staz-ada-we-fe-test-www-app.azurewebsites.net:* terveystalo.piwik.pro *.visualwebsiteoptimizer.com *.zef.fi *.wistia.com *.google.com piwik.api.terveystalo.com terveystalo.containers.piwik.pro;
  script-src 'self' resources.terveystalo.com piwik.api.terveystalo.com *.mfn.se widget.datablocks.se policy.app.cookieinformation.com lcx-embed-eu.bambuser.com lcx-embed.bambuser.com app.vwo.com *.azureedge.net blob cdn.pushcrew.com dynamics.com googleads.g.doubleclick.net/pagead/viewthroughconversion* googleadservices.com/pagead/conversion* googletagmanager.com/gtag/js fast.wistia.net *.jobylon.com *.lfeeder.com maps.googleapis.com ninchat.com s2.adform.net/banners/scripts/st/trackpoint-async.js *.sleeknote.com terveystalo.piwik.pro terveystalo.containers.piwik.pro track.adform.net *.visualwebsiteoptimizer.com *.wistia.com 'nonce-sw7yOoCkzge1VU2wqeMmXwS/no+umsknrSyVmhkv+x8=' 'unsafe-eval' 'unsafe-inline';
  style-src 'self' piwik.api.terveystalo.com ninchat.s3.amazonaws.com app.vwo.com analytics-consent-manager.azureedge.net analytics-consent-manager-test.azureedge.net analytics-consent-manager-prod.azureedge.net fonts.googleapis.com ninchat.com s3.amazonaws.com sleeknotestaticcontent.sleeknote.com terveystalo.containers.piwik.pro *.visualwebsiteoptimizer.com 'unsafe-inline';
  font-src 'self' assets.terveystalo.com data: fonts.gstatic.com ninchat.com sleeknotestaticcontent.sleeknote.com staz-ada-we-fe-test-www-app.azurewebsites.net:* terveystalo.containers.piwik.pro *.wistia.com;
  img-src 'self' analytics.sleeknote.com *.mfn.se widget.datablocks.se app.vwo.com azureedge.net blob: data: dev.visualwebsiteoptimizer.com *.dynamics.com google.com www.google.com google.fi www.google.fi *.googletagmanager.com i.ytimg.com *.jobylon.com *.lfeeder.com maps.googleapis.com maps.gstatic.com *.piwik.pro *.sleeknote.com storage.zef.fi *.terveystalo.com *.wistia.com;
  frame-ancestors 'self' https://*.terveystalo.com;
  frame-src 'self' policy.app.cookieinformation.com lcx-player-eu.bambuser.com lcx-player.bambuser.com analytics-consent-manager.azureedge.net analytics-consent-manager-test.azureedge.net analytics-consent-manager-prod.azureedge.net analytics-consent-manager-v2-prod.azureedge.net app.vwo.com apps.myzef.com cdn.jobylon.com e.infogram.com *.google.com fast.wistia.net *.investis.com news.alertir.com ninchat.com *.sleeknote.com *.svc.dynamics.com terveystalo.gw.efectecloud.com td.doubleclick.net track.adform.net *.visualwebsiteoptimizer.com zef.fi *.zef.fi *.youtube.com *.googletagmanager.com
X-Frame-Options: Good
  SAMEORIGIN
X-Content-Type-Options: Good
  nosniff
Referrer-Policy: Missing (not configured)
Permissions-Policy: Missing (not configured)
Recommendations
- Increase HSTS max-age to at least 1 year and add includeSubDomains
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records: Not Configured (any CA can issue certificates)
CAA Issues
- No CAA records configured: any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding an 'iodef' record to receive security incident reports