Is notion.so safe to use as a vendor?

notion.so scored 75/100 on LynxRadar's security posture assessment. The domain partially meets security requirements with some gaps to address. 4 checks passed, 3 warnings, 1 critical issues across 8 passive checks including TLS, DMARC, security headers, breaches, and CVEs.

Does notion.so have SPF configured?

No. No SPF record found for notion.so.

Does notion.so have security headers configured?

notion.so has 2 of 5 recommended security headers. Present: CSP, Referrer-Policy. Missing: X-Content-Type-Options, X-Frame-Options, Permissions-Policy.

75/100

notion.so

Q: What TLS version does notion.so use?

notion.so uses TLSv1.3 with TLS_AES_256_GCM_SHA384. TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Q: Does notion.so have DMARC configured?

Yes. notion.so's DMARC policy is set to 'quarantine'. SPF record: no. Strengths: DMARC policy set to quarantine. Issues: No SPF record found; No DKIM records found for common selectors (may use non-standard selectors).

Q: Does notion.so use HSTS?

Yes. HSTS enabled: max-age=31536000 with includeSubDomains and preload. Meets best-practice configuration.

Q: Is notion.so's SSL certificate valid?

Issues detected. Strengths: Certificate valid, 33 days remaining; Issued by Google Trust Services. Issues: Wildcard certificate in use — broader attack surface if compromised.

Q: Does notion.so have DNSSEC enabled?

No. Strengths: 2 nameservers configured (dana.ns.cloudflare.com., woz.ns.cloudflare.com.); Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.

February 15, 2026 ·

1 Critical 3 Warnings 4 Passed 8 checks

Security checks — sorted by severity

Security Headers

Only 2/5 security headers present. Missing: X-Content-Type-Options, X-Frame-Options, Permissions-Policy. This exposes the application to clickjacking, MIME-sniffing, and other client-side attacks.

Critical

DNS Configuration

Strengths: 2 nameservers configured (dana.ns.cloudflare.com., woz.ns.cloudflare.com.); Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.

Needs work

DMARC / Email Security

Strengths: DMARC policy set to quarantine. Issues: No SPF record found; No DKIM records found for common selectors (may use non-standard selectors).

Needs work

Certificate Hygiene

Strengths: Certificate valid, 33 days remaining; Issued by Google Trust Services. Issues: Wildcard certificate in use — broader attack surface if compromised.

Needs work

TLS Configuration

TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Passed

Known Breaches

No known breaches found in public disclosure databases.

Passed

CVE Exposure

Detected technologies: cloudflare, Next.js. (cloudflare detected but excluded from CVE matching — upstream infrastructure). No version information exposed — CVE matching not possible (this is good practice).

Passed

HSTS Header

HSTS enabled: max-age=31536000 with includeSubDomains and preload. Meets best-practice configuration.

Passed

Recommended actions 1+ items

Steps to improve notion.so's security grade, ranked by impact.

Strengthen email authentication configuration

2–4 hours High

Email authentication is partially configured for notion.so but has gaps. Actions needed: add SPF record; configure DKIM. Until DMARC enforcement is active, spoofed emails may still reach recipients.

NIST CSFPR.AC-7

Email authentication is a required access control

How to fix this

1 Add SPF record if missing: v=spf1 include:_spf.google.com -all

2 Configure DKIM and publish public key in DNS

3 Verify with: nslookup -type=txt _dmarc.notion.so

See all 3 remaining recommendations

Enter your work email to unlock the full action plan.

No spam. We only send security-related updates.

Report unlocked.

AI Summary

What this means

notion.so scored 75/100, meeting baseline requirements but with 3 findings that require attention. The vendor can proceed with a remediation timeline agreement.

Critical gaps in: Security Headers. Positive signals: TLS Configuration, Known Breaches, CVE Exposure all passed.

4 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.

How notion.so compares

Grade distribution across 2678 companies we've scanned. notion.so scores better than 55% of them.

55th percentile

0 Percentile rank 100

A+

194

A-

200

B+

376

B-

137

C+

117

347

C-

123

D+

265

D-

632

notion.so — Grade C (75/100) 2678 companies scanned

At a glance

Key data points from the scan.

TLS Version

TLSv1.3

TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

DMARC Policy

p=quarantine

Strengths: DMARC policy set to quarantine. Issues: No SPF record found; No DKIM records found for common selectors (may use non-standard selectors).

SPF Record

Missing

No SPF record found.

Security Headers

2/5 present

Missing: X-Content-Type-Options, X-Frame-Options, Permissions-Policy

HSTS

Enabled

HSTS enabled: max-age=31536000 with includeSubDomains and preload. Meets best-practice configuration.

SSL Certificate

Issues

Strengths: Certificate valid, 33 days remaining; Issued by Google Trust Services. Issues: Wildcard certificate in use — broader attack surface if compromised.

DNSSEC

Not enabled

Strengths: 2 nameservers configured (dana.ns.cloudflare.com., woz.ns.cloudflare.com.); Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.

Similar companies

Other domains with comparable security profiles.