SSL Certificate Analysis for yliving.com - Security Grade & TLS Configuration

SSL Verification Bypassed

The server's SSL certificate could not be verified. The analysis was completed using insecure mode. Data may be less reliable.

Reason:

Hostname Mismatch - certificate is issued for *.yliving.com, not for yliving.com

Open Cached · just now

91/100 SECURITY SCORE

Certificate Information

Subject

CN=*.yliving.com

Issuer

C=US, O=Amazon, CN=Amazon RSA 2048 M03

Valid From

July 23, 2025

Valid Until

August 21, 2026 209 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

CB:FE:CB:76:E9:7B:E7:4D:6D:2C:A3:68:C3:34:73:DF:D1:1B:DE:A8:92:FE:92:42:EF:E5:BC:14:F5:12:A4:88

Alternative Names

1 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Weak

max-age=0

Content-Security-Policy

Basic

default-src; base-uri; block-all-mixed-content; +12 more

default-src 'self' https: http:; base-uri 'self' *.cloudfront.net; block-all-mixed-content; font-src 'self' https: data:; frame-ancestors 'self' https: data:; frame-src 'self' https: data:; img-src 'self' data: blob: *.newrelic.com *.commercecloud.salesforce.com *.lumens.com *.signifyd.com *.online-metrix.net s7d1.scene7.com s7d5.scene7.com images.ctfassets.net storage.googleapis.com cdn.ywxi.net www.gstatic.com *.google.com *.paypal.com *.bing.com *.facebook.com *.everesttech.net *.omtrdc.net *.ydesigngroup.com *.listrakbi.com *.doubleclick.net *.liadm.com *.agkn.com *.rtactivate.com *.dtstmio.com *.cloudfront.net *.datasteam.io *.equalweb.com *.cookielaw.org *.googletagmanager.com *.demdex.net *.espssl.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.cloudinary.com *.facebook.net *.clarity.ms *.modernimpact.com *.amazonaws.com *.adnxs.com *.ojrq.net *.gladly.com *.smooch.io; manifest-src 'self' https: http:; media-src 'self' https: http: data: blob:; object-src 'self' https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.online-metrix.net *.newrelic.com *.nr-data.net runtime.commercecloud.com *.googleapis.com *.lumens.com cdn.gladly.qa *.gladly.com *.smooch.io d1fc8wv8zag5ca.cloudfront.net cdnjs.cloudflare.com www.googlecommerce.com *.curalate.com *.google.com *.googletagmanager.com *.google-analytics.com js.cnnx.link *.paypal.com *.datasteam.io *.facebook.net *.impactradius-event.com *.pinimg.com *.googleadservices.com *.usabilla.com *.zi-scripts.com *.bing.com *.taboola.com *.adobedtm.com cnstrc.com *.cnstrc.com *.listrakbi.com *.omtrdc.net *.listrak.com *.equalweb.com tags.pw.adn.cloud www.paypalobjects.com *.stape.ma *.pinterest.com *.agkn.com *.zoominfo.com *.adn.cloud *.facebook.com *.cookielaw.org *.bing-int.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.signifyd.com *.iesnare.com *.doubleclick.net *.gladly.chat *.clarity.ms *.kyc.red *.tintup.com *.publitas.com *.cquotient.com *.newrelic.com *.scene7.com *.verygoodvault.com; script-src-attr 'self' 'unsafe-inline' 'unsafe-hashes' https: http:; style-src 'self' https: 'unsafe-inline'; connect-src 'self' runtime.commercecloud.com *.lumens.com *.signifyd.com *.newrelic.com *.nr-data.net cdn.gladly.qa *.gladly.com *.smooch.io d1fc8wv8zag5ca.cloudfront.net cdnjs.cloudflare.com www.googlecommerce.com *.google.com *.googletagmanager.com *.google-analytics.com js.cnnx.link *.paypal.com *.datasteam.io *.facebook.net *.impactradius-event.com *.pinimg.com *.googleadservices.com *.usabilla.com *.zi-scripts.com *.bing.com *.taboola.com *.adn.cloud *.demdex.net *.omtrdc.net *.doubleclick.net *.listrak.com *.cnstrc.com *.listrakbi.com *.mobify-storefront.com *.evyy.net *.impct.site *.pinterest.com *.stape.ma *.zoominfo.com *.equalweb.com *.facebook.com *.run.app *.cookielaw.org *.onetrust.com *.powerreviews.com sdk.helloextend.com api.helloextend.com api-demo.helloextend.com *.cloudinary.com *.gladly.chat wss://*.gladly.chat *.clarity.ms *.ydesigngroup.com *.sinter-collect.com *.verygoodvault.com; upgrade-insecure-requests

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

same-origin

Permissions-Policy

Present

accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

1 domain

*.yliving.com