What is the security rating for box.com?

box.com has a security posture score of 78/100 (Conditional) based on 8 passive checks covering TLS, DMARC, headers, breaches, CVEs, DNS, and certificates. Scanned February 15, 2026.

box.com partially meets LynxRadar's threshold with 78/100. 4 passed, 4 warnings, 0 failures.

Conditional

box.com

Item: box.com
Rating: 78
Author: LynxRadar

Security posture assessment · Scanned February 15, 2026

Findings

4 · 4 · 0

Checks

8 passive

Executive Summary AI-GENERATED

box.com scored 78/100, meeting baseline requirements but with 4 findings that require attention. The vendor can proceed with a remediation timeline agreement.

Positive signals: TLS Configuration, DNS Configuration, Known Breaches all passed.

4 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.

Action Items

Ordered by priority · 4 items

Strengthen email authentication configuration

Effort: 2–4 hours Owner: IT / DNS administrator

high

Email authentication is partially configured for box.com but has gaps. Actions needed: add SPF record. Until DMARC enforcement is active, spoofed emails may still reach recipients.

Compliance Impact

NIST CSFPR.AC-7

Email authentication is a required access control

Remediation Steps

Add SPF record if missing: v=spf1 include:_spf.google.com -all

Verify with: nslookup -type=txt _dmarc.box.com

🔒

Unlock the full remediation plan

Get detailed steps, compliance mapping, and ownership for all 4 action items. Free — just enter your work email.

No spam. We'll only contact you about this report.

✓ Report unlocked. Scroll down for full details.

Increase HSTS max-age duration

Effort: < 30 minutes Owner: Web server administrator

medium

HSTS is enabled but the max-age (0s) is below the recommended minimum of 15768000s (6 months). A short max-age means browsers forget the HTTPS-only policy quickly, reducing protection between visits.

Compliance Impact

PCI-DSS 4.0Req 6.4.1

Application security header configuration

Remediation Steps

Update header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Verify: curl -sI https://box.com | grep -i strict

Add optional security headers (Referrer-Policy, Permissions-Policy)

Effort: < 1 hour Owner: Web server administrator

low

box.com has most security headers configured. Missing: Referrer-Policy, Permissions-Policy. These are best-practice additions that reduce the attack surface for client-side vulnerabilities.

Remediation Steps

Add: Referrer-Policy: strict-origin-when-cross-origin

Add: Permissions-Policy: camera=(), microphone=(), geolocation=()

Review certificate configuration

Effort: 1–2 hours Owner: Infrastructure / DevOps

low

Certificate issues found for box.com: wildcard certificate in use. Wildcard certificates have a broader blast radius if compromised. Ensure auto-renewal is configured to prevent expiry. These are operational hygiene items, not immediate security risks.

Remediation Steps

Verify auto-renewal is configured (Let's Encrypt: certbot renew --dry-run)

Consider replacing wildcard cert with individual certs for critical subdomains

Consolidate certificate issuance to 1–2 trusted CAs

Scan Findings

DMARC / Email Security

Warning

HSTS Header

Warning

Security Headers

Warning

Certificate Hygiene

Warning

TLS Configuration

Healthy

DNS Configuration

Healthy

Known Breaches

Healthy

CVE Exposure

Healthy