SSL Certificate Analysis for wiz.io - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

CN=wiz.io

Issuer

C=US, O=Let's Encrypt, CN=R12

Valid From

October 25, 2025

Valid Until

January 23, 2026 60 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

6D:C8:A0:F3:90:F6:05:F7:1D:A5:6E:C7:5E:98:C9:AC:9B:00:72:A3:A0:32:98:DE:EF:07:1A:01:AF:12:DE:10

Alternative Names

1 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

child-src; default-src; frame-src; +10 more

child-src 'self' *.vimeo.com *.vimeocdn.com www.youtube.com *.qualified.com; default-src 'self' 'unsafe-inline' vitals.vercel-insights.com *.vimeo.com *.hotjar.com *.hotjar.io wss://*.hotjar.com; frame-src *.qualified.com player.vimeo.com vars.hotjar.com www.facebook.com t.sharethis.com *.qualified.com *.company-target.com https://challenges.cloudflare.com https://wizlympics-website.vercel.app https://asteroids-website.vercel.app https://path-man-website.vercel.app *.navattic.com *.wiz.io forms.office.com docs.google.com platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com www.youtube.com cdn.forms-content.sg-form.com boards.greenhouse.io job-boards.greenhouse.io https://a26988130118.cdn.optimizely.com https://a26988130118.cdn-pci.optimizely.com hemsync.clickagy.com; worker-src 'self' blob:; connect-src 'self' vitals.vercel-insights.com *.qualified.com wss://*.qualified.com www.google-analytics.com analytics.google.com/g/collect *.vimeo.com vimeo.com *.ingest.sentry.io www.datocms-assets.com www.youtube.com legal.wiz.io *.algolia.net *.algolianet.com *.algolia.io *.company-target.com *.demandbase.com *.hotjar.com *.hotjar.io wss://*.hotjar.com cdn.bizible.com bat.bing.com cdn.cookielaw.org tracking.g2crowd.com static.hotjar.com script.hotjar.com *.sharethis.com a.clarity.ms/collect *.onetrust.com *.clarity.ms j.6sc.co snap.licdn.com *.redditstatic.com static.ads-twitter.com ws.zoominfo.com connect.facebook.net tkr.techtarget.com epsilon.6sense.com ipv6.6sc.co c.6sc.co ib.adbnxs.com trk.techtarget.com ib.adnxs.com munchkin.marketo.net 120-tfk-810.mktoutil.com 120-tfk-810.mktoresp.com secure.adnxs.com www.facebook.com cdn.linkedin.oribi.io epsilon-cloudfront.6sense.com tags.clickagy.com *.doubleclick.net ws://localhost:3000 https://logx.optimizely.com https://*.optimizely.com js.zi-scripts.com aorta.clickagy.com hemsync.clickagy.com tags.srv.stackadapt.com *.googleapis.com ctf.wiz-research.com staging-ctf.wiz-research.com api.cr-relay.com analytics.tiktok.com *.tiktokw.us *.mux.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com *.hotjar.com data:; img-src 'self' 'unsafe-eval' data: https: http: *.hotjar.com tags.srv.stackadapt.com https://ct.capterra.com; media-src 'self' https: blob: mediastream: *.qualified.com; object-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' va.vercel-scripts.com vitals.vercel-insights.com tagmanager.google.com apis.google.com www.googleadservices.com www.googletagmanager.com www.google-analytics.com js.qualified.com *.vimeo.com *.vimeocdn.com *.newrelic.com *.nr-data.net *.hotjar.com *.demandbase.com *.quora.com https://challenges.cloudflare.com tags.srv.stackadapt.com *.navattic.com bwa.marketplace.awsstatic.com cdn.cr-relay.com analytics.tiktok.com platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com www.youtube.com cdn.forms-content.sg-form.com boards.greenhouse.io job-boards.greenhouse.io cdn.bizible.com bat.bing.com cdn.cookielaw.org tracking.g2crowd.com static.hotjar.com script.hotjar.com *.sharethis.com a.clarity.ms/collect *.onetrust.com *.clarity.ms j.6sc.co snap.licdn.com *.redditstatic.com static.ads-twitter.com ws.zoominfo.com connect.facebook.net tkr.techtarget.com epsilon.6sense.com ipv6.6sc.co c.6sc.co ib.adbnxs.com trk.techtarget.com ib.adnxs.com munchkin.marketo.net 120-tfk-810.mktoutil.com 120-tfk-810.mktoresp.com secure.adnxs.com www.facebook.com cdn.linkedin.oribi.io epsilon-cloudfront.6sense.com tags.clickagy.com *.doubleclick.net https://*.optimizely.com https://optimizely.s3.amazonaws.com https://cdn-assets-prod.s3.amazonaws.com ws-assets.zoominfo.com js.zi-scripts.com tags.clickagy.com schedule.zoominfo.com; style-src 'self' 'unsafe-inline' tagmanager.google.com fonts.googleapis.com *.vimeocdn.com *.qualified.com *.hotjar.com tags.srv.stackadapt.com; form-action 'self' www.facebook.com; frame-ancestors 'self' https://partners.wiz.io https://www.wiz.io;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

1 domain

wiz.io