79/100
SECURITY SCORE
Certificate Information
Subject
UNKNOWN=Private Organization, UNKNOWN=US, UNKNOWN=California, UNKNOWN=C0806592, C=US, ST=California, L=Cupertino, O=Apple Inc., CN=np-edge.itunes.apple.com
Issuer
C=US, O=Apple Inc., CN=Apple Public EV Server RSA CA 1 - G1
Valid From
February 12, 2026
Valid Until
August 19, 2026
115 days
Public Key
RSA
2048 bit
Adequate
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
74:A4:20:98:9D:F1:51:BB:BB:79:45:E7:E0:26:90:61:F5:E1:6D:5F:DA:FA:95:1F:1D:2F:A5:AB:F7:21:54:4D
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)

| HTTP Security Headers | Status | Value |
| --- | --- | --- |
| Strict-Transport-Security | Good | max-age=31536000; includeSubDomains |
| X-Frame-Options | Missing | Not configured |
| X-Content-Type-Options | Missing | Not configured |
| Referrer-Policy | Missing | Not configured |
| Permissions-Policy | Missing | Not configured |

Recommendations
- Consider adding 'preload' to HSTS for maximum security
- Add Content-Security-Policy header to prevent XSS attacks
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- No CAA records configured - any CA can issue certificates
Recommendations
- Implement CAA records to restrict which CAs can issue certificates for your domain
- This adds an extra layer of security against unauthorized certificate issuance
- Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- Consider adding 'iodef' record to receive security incident reports
Subject Alternative Names
50 domains