C+
example.com
78/100
1
Enable HSTS (HTTP Strict Transport Security)
HSTS Header
< 1 hour

The HSTS header is missing on example.com. Without it, connections can be downgraded from HTTPS to HTTP via man-in-the-middle attacks. This is a straightforward server configuration change.

PCI-DSS 4.0Req 6.4.1
Required application security controls
NIST 800-53SC-8
Transmission confidentiality and integrity
How to fix this
1Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2Verify all subdomains support HTTPS before adding includeSubDomains
3Test with: curl -sI https://example.com | grep -i strict
4Submit to hstspreload.org after confirming the header is correct
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest); DMARC pct=100 — policy applies to all mail; DKIM alignment: strict (adkim=s); SPF alignment: strict (aspf=s); SPF hard-fail (-all) configured; SPF DNS lookup count: 0/10 (within limit); DKIM configured (selectors: default, google, selector1, selector2, s1, s2, k1, dkim, mail, proofpoint, pphosted, pp1, pp2, everlytickey1, everlytickey2, mandrill, mxvault, cm, zendesk1, zendesk2, smtpapi, em, amazonses). Issues: DMARC has no aggregate report URI (rua) — policy violations won't be reported.
SPF Record
Present
v=spf1 -all
Security Headers
0/5 present
Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Not enabled
Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.
SSL Certificate
Valid
Strengths: Certificate valid, 55 days remaining; Issued by SSL Corporation. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (hera.ns.cloudflare.com, elliott.ns.cloudflare.com); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; DNSSEC enabled: zone signed (DNSKEY present) and chain of trust intact (DS record in parent zone); Zone transfers properly restricted on all nameservers; Address records present: 2 A record(s), 2 AAAA record(s). Issues: All nameservers are from a single provider (cloudflare.com) — a provider outage takes down the domain.