Overview
Findings
Actions
Details
Related
AI-Generated Summary
What this means
gov.sg scored 82/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: HSTS Header, Security Headers, Known Breaches all passed.
2 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How gov.sg compares
Grade distribution across 2599 companies we've scanned. gov.sg scores better than 72% of them.
84
A+
25
A
190
A-
196
B+
75
B
362
B-
129
C+
114
C
330
C-
119
D+
95
D
252
D-
628
F
gov.sg — Grade B- (82/100)
2599 companies scanned
Security checks
Each check inspects a different part of gov.sg's public security setup. Green means healthy, yellow needs attention, red is a problem.
TLS Configuration
TLSv1.2 negotiated. Issues: TLS 1.2 negotiated (1.3 preferred).
DMARC / Email Security
Strengths: DMARC policy set to reject (strongest). Issues: No SPF record found; No DKIM records found for common selectors (may use non-standard selectors).
HSTS Header
HSTS enabled: max-age=31536000. Missing includeSubDomains. Missing preload directive.
Security Headers
4/5 security headers present. Missing: Permissions-Policy.
Known Breaches
No known breaches found in public disclosure databases.
CVE Exposure
Detected technologies: AmazonS3, Proxy/CDN. (Proxy/CDN detected but excluded from CVE matching — upstream infrastructure). No version information exposed — CVE matching not possible (this is good practice).
DNS Configuration
Strengths: 4 nameservers configured (dsany2.sgnic.sg., pch.sgzones.sg., dsany3.sgnic.sg., dsany4.sgnic.sg.); DNSSEC enabled; Zone transfers properly restricted.
Certificate Hygiene
Strengths: Certificate valid, 250 days remaining; Issued by GlobalSign nv-sa.
Recommended actions
2 items
Steps to improve gov.sg's security grade, ranked by impact.
1
Strengthen email authentication configuration
Email authentication is partially configured for gov.sg but has gaps. Actions needed: add SPF record; configure DKIM. Until DMARC enforcement is active, spoofed emails may still reach recipients.
Compliance impact
NIST CSFPR.AC-7
Email authentication is a required access control
How to fix this
1
Add SPF record if missing: v=spf1 include:_spf.google.com -all
2
Configure DKIM and publish public key in DNS
3
Verify with: nslookup -type=txt _dmarc.gov.sg
See all recommendations
Enter your work email to unlock the full action plan.
No spam. We only send security-related updates.
Report unlocked.
2
Upgrade to TLS 1.3
gov.sg negotiated TLSv1.2. TLS 1.2 is still compliant under all major security frameworks and is not a vulnerability. TLS 1.3 offers faster handshakes and removes legacy cipher negotiation. This is a best-practice improvement, not a compliance gap.
How to fix this
1
Update web server config to prefer TLS 1.3 (nginx: ssl_protocols TLSv1.2 TLSv1.3)
2
Verify: openssl s_client -connect gov.sg:443 -tls1_3
At a glance
Key data points from the scan.
TLS Version
TLSv1.2
TLSv1.2 negotiated. Issues: TLS 1.2 negotiated (1.3 preferred).
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest). Issues: No SPF record found; No DKIM records found for common selectors (may use non-standard selectors).
SPF Record
Missing
No SPF record found.
Security Headers
4/5 present
Missing: Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=31536000. Missing includeSubDomains. Missing preload directive.
SSL Certificate
Valid
Strengths: Certificate valid, 250 days remaining; Issued by GlobalSign nv-sa.
DNSSEC
Enabled
Strengths: 4 nameservers configured (dsany2.sgnic.sg., pch.sgzones.sg., dsany3.sgnic.sg., dsany4.sgnic.sg.); DNSSEC enabled; Zone transfers properly restricted.