Open
Cached
·
just now
83/100
SECURITY SCORE
Certificate Information
Subject
CN=operavore.org
Issuer
C=US, O=Amazon, CN=Amazon RSA 2048 M01
Valid From
September 19, 2025
Valid Until
October 18, 2026
266 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
2B:3D:2E:18:FF:4A:6F:F7:18:F9:60:09:5D:22:F6:E8:71:D0:A1:9F:97:84:2B:A2:FF:30:B9:B7:53:3B:D8:CD
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Present
max-age=31536000; includeSubdomains;
Content-Security-Policy
Basic
default-src; connect-src; script-src; +6 more
default-src https: 'unsafe-inline' 'unsafe-eval'; connect-src 'unsafe-inline' 'unsafe-eval' *; script-src 'unsafe-inline' 'unsafe-eval' *; img-src * data: about:; frame-src 'self' *; worker-src blob:; object-src https://wnyc-project-prod.s3.amazonaws.com; frame-ancestors 'self' localhost *; media-src 'self' *;
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- • Increase HSTS max-age to at least 1 year and add includeSubDomains
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- • Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- • No CAA records configured - any CA can issue certificates
Recommendations
- • Implement CAA records to restrict which CAs can issue certificates for your domain
- • This adds an extra layer of security against unauthorized certificate issuance
- • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- • Consider adding 'iodef' record to receive security incident reports
Subject Alternative Names
82 domains
thegreenespace.com
prod.nypr.digital
operavore.org
otherboxproject.com
otherboxproject.org
ourcommonnaturepodcast.com
ourcommonnaturepodcast.org
picklepodcast.com
picklepodcast.org
pieceofworkpodcast.com
pieceofworkpodcast.org
podcastfleas.com
podcastfleas.org
podcasthasfleas.com
podcasthasfleas.org
politicswithamywalter.com
politicswithamywalter.org
privacyparadox.com
privacyparadox.org
q2live.com
q2live.org
q2music.net
q2music.org
qtwo.org
qtwomusic.org
qxr2.org
radiolabforkids.org
radiorookies.com
radiorookies.net
radiorookies.org
scatteredpodcast.org
scishowtangents.org
smartbinge.com
smartbinge.org
somanywhiteguys.com
somanywhiteguys.org
sooomanywhiteguys.com
soundcheck.org
soundcheckblog.org
soundcheckradio.org
soundcheckstudio.org
terrestrialspodcast.com
terrestrialspodcast.org
theanthropocenereviewed.org
theexperimentpodcast.org
thegothamistpodcast.com
thegothamistpodcast.org
thegreenespace.net
thegreenespace.org
thejonathanchannel.com
thejonathanchannel.net
thejonathanchannel.org
themostperfectalbum.com
themostperfectalbum.org
thenewyorkerradiohour.com
thenewyorkerradiohour.org
theopenearsproject.org
theotherlatif.org
therealness.org
therealnesspodcast.org
theseasonpodcast.com
theseasonpodcast.net
theseasonpodcast.org
thestakes.org
thestakespodcast.com
thestakespodcast.org
thetakeaway.org
thispodcasthasfleas.com
thispodcasthasfleas.org
transportationnation.org
trumpincpodcast.com
trumpincpodcast.org
twodopequeens.org
unitedstatesofanxiety.org
wethecommuters.com
wethecommuters.org
wnyckids.com
wnyckids.org
wnyckidspodcast.com
wnyckidspodcast.org
wqxr2.com
wqxr2.org
Other domains in certificate