Is opengwas.io safe to use as a vendor?

opengwas.io scored 70/100 on LynxRadar's security posture assessment. The domain partially meets security requirements with some gaps to address. 7 checks passed, 5 warnings, 2 critical issues across 14 passive checks including TLS, DMARC, security headers, breaches, and CVEs.

Does opengwas.io have security headers configured?

opengwas.io has 0 of 5 recommended security headers. Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.

opengwas.io Security Report — Grade C- (70/100)

Q: What TLS version does opengwas.io use?

opengwas.io uses TLSv1.3 with TLS_AES_256_GCM_SHA384. TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Q: Does opengwas.io have DMARC configured?

Yes. opengwas.io's DMARC policy is set to 'quarantine'. SPF record: yes. Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; DKIM alignment: strict (adkim=s); SPF alignment: strict (aspf=s); Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 3/10 (within limit). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright; No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).

Q: Does opengwas.io use HSTS?

No. Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.

Q: Is opengwas.io's SSL certificate valid?

Yes. Strengths: Certificate valid, 58 days remaining; Issued by Let's Encrypt; 106 certificates logged in CT.

Q: Does opengwas.io have DNSSEC enabled?

No. Strengths: 4 nameservers configured (ns2.p201.dns.oraclecloud.net, ns3.p201.dns.oraclecloud.net, ns4.p201.dns.oraclecloud.net, ns1.p201.dns.oraclecloud.net); SOA record present and MNAME consistent with NS set; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (oraclecloud.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

C-

70/100

opengwas.io

June 09, 2026 ·

1+ Warnings 7 Passed

AI Summary

opengwas.io scored 70/100, meeting baseline requirements but with 5 findings that require attention. The vendor can proceed with a remediation timeline agreement.

Critical gaps in: HSTS Header, Security Headers. Positive signals: MX Records & Mail Provider, TLS Configuration, Known Breaches all passed.

4 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.

Better than 42% of 2677 companies scanned.

042th pct100

A+

A-

B+

B-

C+

C-

D+

D-

HSTS Header

Security Headers

MTA-STS & TLS Reporting

DNS CAA Records

DNS Configuration

DMARC / Email Security

security.txt (RFC 9116)

MX Records & Mail Provider

TLS Configuration

Known Breaches

Cookie Security

TLS Protocol Support

CVE Exposure

Certificate Hygiene

C-

opengwas.io

70/100

No critical issues — great work!

Enable HSTS (HTTP Strict Transport Security)

HSTS Header

< 1 hour High

The HSTS header is missing on opengwas.io. Without it, connections can be downgraded from HTTPS to HTTP via man-in-the-middle attacks. This is a straightforward server configuration change.

PCI-DSS 4.0Req 6.4.1

Required application security controls

NIST 800-53SC-8

Transmission confidentiality and integrity

How to fix this

1Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2Verify all subdomains support HTTPS before adding includeSubDomains

3Test with: curl -sI https://opengwas.io | grep -i strict

4Submit to hstspreload.org after confirming the header is correct

3 items locked

Unlock the full action plan

Report unlocked.

At a glance

Full data from this scan

TLS Version

TLSv1.3

TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

DMARC Policy

p=quarantine

Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; DKIM alignment: strict (adkim=s); SPF alignment: strict (aspf=s); Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 3/10 (within limit). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright; No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).

SPF Record

Present

v=spf1 include:rp.oracleemaildelivery.com include:ap.rp.oracleemaildelivery.com include:eu.rp.oracle

Security Headers

0/5 present

Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy

HSTS

Not enabled

Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.

SSL Certificate

Valid

Strengths: Certificate valid, 58 days remaining; Issued by Let's Encrypt; 106 certificates logged in CT.

DNSSEC

Not enabled

Strengths: 4 nameservers configured (ns2.p201.dns.oraclecloud.net, ns3.p201.dns.oraclecloud.net, ns4.p201.dns.oraclecloud.net, ns1.p201.dns.oraclecloud.net); SOA record present and MNAME consistent with NS set; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (oraclecloud.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

Similar companies

Other domains with comparable security profiles.