SSL Certificate Analysis for tradier.com - Security Grade & TLS Configuration

Open Cached · just now

92/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=North Carolina, L=Charlotte, O=Tradier Inc., CN=*.tradier.com

Issuer

C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

Valid From

February 28, 2025

Valid Until

March 01, 2026 61 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

98:34:AF:C2:A7:33:E2:E4:13:58:E4:D0:24:3A:2E:D4:4D:66:98:F9:0D:AE:4C:3F:DF:79:44:3E:BA:6E:51:FC

Alternative Names

3 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Good

default-src; script-src; script-src-elem; +7 more

default-src 'self' stonly.com *.stonly.com; script-src 'self' 'nonce-alpine-MaLc0onroV' 'nonce-alpine-qS9DMu3gQ1' 'nonce-alpine-qNqU8FaR3S' 'nonce-tradier-OaJPZFGS2o' 'nonce-tradier-e7I7ezUpVY' 'nonce-tradier-767oCEojoK' 'nonce-tradier-QvH5UIzAaB' 'nonce-tradier-9bicLG8b25' 'nonce-tradier-T1sY0OxPFY' 'nonce-tradier-luIFuFKAp9' 'nonce-tradier-uq3w1Vr51E' 'nonce-tradier-8TMzHh1C8V' 'nonce-tradier-dET8k2kJQl' 'nonce-tradier-vE0oJwx3HO' 'nonce-tradier-j10EVOLasq' 'nonce-tradier-4LAjh2qL21' 'nonce-stonly-tYLDXOjX76' 'nonce-stonly-WTm0JyEsqM' embed.typeform.com js.hsforms.net www.googletagmanager.com *.doubleclick.net d.adroll.com s.adroll.com googleads.g.doubleclick.net *.wisepops.com app.getwisp.co wisepops.net cdn.wisepops.net stonly.com *.stonly.com; script-src-elem 'self' netlify-rum.netlify.app vercel.live/_next-live/feedback/feedback.js connect.facebook.net www.googletagmanager.com www.google-analytics.com embed.typeform.com js.hsforms.net js.hs-scripts.com *.adroll.com js.hs-banner.com js.hsadspixel.net js.hs-analytics.net cdn.mxpnl.com *.wisepops.com wisepops.net stonly.com *.stonly.com 'nonce-alpine-MaLc0onroV' 'nonce-alpine-qS9DMu3gQ1' 'nonce-alpine-qNqU8FaR3S' 'nonce-tradier-OaJPZFGS2o' 'nonce-tradier-e7I7ezUpVY' 'nonce-tradier-767oCEojoK' 'nonce-tradier-QvH5UIzAaB' 'nonce-tradier-9bicLG8b25' 'nonce-tradier-T1sY0OxPFY' 'nonce-tradier-luIFuFKAp9' 'nonce-tradier-uq3w1Vr51E' 'nonce-tradier-8TMzHh1C8V' 'nonce-tradier-dET8k2kJQl' 'nonce-tradier-vE0oJwx3HO' 'nonce-tradier-j10EVOLasq' 'nonce-tradier-4LAjh2qL21' 'nonce-tradier-zJ3IZeGBJ0' 'nonce-stonly-tYLDXOjX76' 'nonce-stonly-WTm0JyEsqM' 'sha256-19DqsmrnI20bW+i+IGzv5rjMPP7Sp+JNbNxF+f4dkf0=' 'sha256-Nl2+22hl1U2LDEbzm5bmkay6skuCPFMaO/KZBO+1/Vg=' 'sha256-BiaLSZnJ9+OYVc64TceNbbXiOVmWPtl64B4sNfxJb/M=' 'sha256-FnvgEoQt5vCXD4dgabs37oYOvMmXYIihB9fpPUGb/WY=' 'sha256-RMQCssDiZCoGbV1rRYb4DZHAQaIq/Ehmup6CfEhCyjg=' 'sha256-beo5y8GViOdNuaTEDJTJ/KKB5ycglCnF5Zc8ujhdd80=' 'sha256-gPjlli1HEdLlR0AZTY971/wQVOdSkl9mEinLnxrPpJw=' 'sha256-NzhNJEDf732CUfDm8e4e6VoMw1yscVBzSAPNJIiDDkQ=' 'sha256-THe0h+/0EY0lOHit6yyuvCXAJ28BrMYPWYGXHhwXJ8Y=' 'sha256-+YCYJj/3Q5ySNQ8NROQl+od78SQRjNAaBBMWlRUuuwU=' 'sha256-0FfP5/LVuEKfAPBK35jqnQfeHDDlwBnMQxnqM+Cx5GY=' 'sha256-qVa8eMpTUS9t+MnUr5yr+OyBTGW9XGCgoUc4WqM8osg=' 'sha256-4cvDi3C1V91CpX65rMsWSIu7i4mNA/RaNZ0tGW9r4nY='; connect-src 'self' *.nsvcs.net ingesteer.services-prod.nsvcs.net www.facebook.com analytics.google.com www.google-analytics.com region1.analytics.google.com translate.googleapis.com *.doubleclick.net *.google.com www.google.com forms.hsforms.com api.hubapi.com *.wisepops.com app.getwisp.co wisepops.net api-js.mixpanel.com forms-na1.hubspot.com https://hubspot-forms-static-embed.s3.amazonaws.com/prod/4862349/2c66c612-81a4-4370-abc9-6d7626326280.json.gz https://hubspot-forms-static-embed.s3.amazonaws.com/prod/4862349/74913fba-84fd-4c73-861e-38c9498b90c8.json.gz https://hubspot-forms-static-embed.s3.amazonaws.com/prod/4862349/550fe60c-6808-4d5a-94b0-d3a15587bdad.json.gz stonly.com *.stonly.com; img-src 'self' translate.google.com fonts.gstatic.com www.google.com www.googletagmanager.com img.youtube.com forms.hsforms.com forms-na1.hsforms.com *.facebook.com d.adroll.com s.adroll.com googleads.g.doubleclick.net ipv4.d.adroll.com x.adroll.com track.hubspot.com *.wisepops.com wisp-production-storage.s3.amazonaws.com *.wisepops.net data: media.stonly.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com embed.typeform.com; base-uri 'self'; form-action 'self' forms.hsforms.com; font-src 'self' fonts.gstatic.com data:; frame-src 'self' youtube.com www.youtube.com www.googletagmanager.com form.typeform.com forms.hsforms.com *.doubleclick.net *.adroll.com *.wisepops.com wisepops.net ibportal.gainfutures.com demoform.cqg.com vercel.live stonly.com *.stonly.com *.tradier.com;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

3 domains

tradier.com *.tradier.com staging.api.tradier.com