Open
Cached
·
just now
93/100
SECURITY SCORE
Certificate Information
Subject
CN=sumex.ch
Issuer
C=FR, O=Gandi SAS, CN=GandiCert
Valid From
October 02, 2025
Valid Until
November 02, 2026
284 days
Public Key
RSA
4096 bit
Strong
Signature Algorithm
SHA256-RSA
SHA-256 Fingerprint
56:5D:0A:B6:D8:55:25:02:0D:EF:C1:70:CF:DA:B0:6D:D3:6B:E0:2C:F5:D2:8E:A5:5F:61:89:BA:5E:4B:3A:55
Alternative Names
Security Configuration
TLS Protocols
TLS 1.2
TLS 1.3
Forward Secrecy
Supported
(Modern clients use PFS)
HTTP Security Headers
Status
Strict-Transport-Security
Weak
max-age= 63072000; includeSubDomains; preload
Content-Security-Policy
Good
default-src; script-src; style-src; +11 more
default-src 'self' elca.ch *.elca.ch sumex.ch *.sumex.ch *.crazyegg.com; script-src 'self' 'nonce-NzI1NzA2YzctM2M0Zi00YjZjLTlkOWItOWEzMThhNWM4MzVj' 'strict-dynamic' 'unsafe-inline' *.crazyegg.com https://*.googletagmanager.com http: https: https://www.gstatic.com; style-src 'self' *.crazyegg.com 'unsafe-inline'; img-src 'self' elca.ch *.elca.ch sumex.ch *.sumex.ch *.crazyegg.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com blob: data: https://cdn.addevent.com; connect-src 'self' elca.ch *.elca.ch sumex.ch *.sumex.ch *.crazyegg.com https://script.crazyegg.com https://vimeo.com https://consentcdn.cookiebot.com https://elcawebsites.matomo.cloud https://elcamarketing.azurewebsites.net https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/api/siteverify http://httpproxy:3128; frame-src 'self' elca.ch *.elca.ch sumex.ch *.sumex.ch *.crazyegg.com https://player.vimeo.com https://www.google.com https://consentcdn.cookiebot.com https://www.google.com/recaptcha/; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self' elca.ch *.elca.ch sumex.ch *.sumex.ch; frame-ancestors 'none'; block-all-mixed-content; upgrade-insecure-requests;
X-Frame-Options
Excellent
DENY
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Present
fullscreen=*, microphone=(), geolocation=(), camera=(), bluetooth=()
Recommendations
- • Increase HSTS max-age to at least 1 year and add includeSubDomains
- • Strengthen CSP by removing 'unsafe-eval'
CAA Records (Certificate Authority Authorization)
CAA Records
Not Configured
(Any CA can issue certificates)
CAA Issues
- • No CAA records configured - any CA can issue certificates
Recommendations
- • Implement CAA records to restrict which CAs can issue certificates for your domain
- • This adds an extra layer of security against unauthorized certificate issuance
- • Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
- • Consider adding 'iodef' record to receive security incident reports