Overview
Findings
Details
Related
AI-Generated Summary
What this means
varpix.com scored 100/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: DNS CAA Records, TLS Configuration, TLS Protocol Support all passed.
How varpix.com compares
Grade distribution across 2611 companies we've scanned. varpix.com scores better than 99% of them.
85
A+
25
A
189
A-
197
B+
75
B
362
B-
132
C+
114
C
333
C-
121
D+
95
D
255
D-
628
F
varpix.com — Grade A+ (100/100)
2611 companies scanned
Security checks
Each check inspects a different part of varpix.com's public security setup. Green means healthy, yellow needs attention, red is a problem.
MX Records & Mail Provider
Strengths: Mail handled by mail.varpix.com; 1 MX record(s) configured. Issues: Only 1 MX record — no failover if primary mail server is unavailable.
MTA-STS & TLS Reporting
Strengths: SMTP TLS Reporting (TLSRPT) configured — delivery failures will be reported. Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks. Sending servers cannot verify that your mail server requires TLS.
security.txt (RFC 9116)
No security.txt found. Publishing a security.txt at /.well-known/security.txt is the industry standard (RFC 9116) for vulnerability disclosure policies. Its absence may indicate a less mature security program.
DNS CAA Records
Strengths: CAA records configured (11 record(s)); Authorized CAs: comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, ssl.com; Violation reporting (iodef) configured.
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
TLS Protocol Support
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
DNS Configuration
Strengths: 2 nameservers configured (nadia.ns.cloudflare.com., luke.ns.cloudflare.com.); 1 MX records present; DNSSEC enabled; Zone transfers properly restricted.
Known Breaches
No known breaches found in public disclosure databases.
DMARC / Email Security
Strengths: DMARC policy set to quarantine; SPF record present with hard-fail (-all). Issues: No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).
HSTS Header
HSTS enabled: max-age=31536000s (365 days) with includeSubDomains and preload. Meets best-practice configuration.
Security Headers
All 5 recommended security headers present: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
Cookie Security
Strengths: 1 cookie(s) analyzed; All cookies have Secure flag; All cookies have HttpOnly flag; All cookies have SameSite attribute.
CVE Exposure
Detected technologies: cloudflare. (cloudflare detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
Certificate Hygiene
Strengths: Certificate valid, 52 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
At a glance
Key data points from the scan.
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=quarantine
Strengths: DMARC policy set to quarantine; SPF record present with hard-fail (-all). Issues: No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).
SPF Record
Present
v=spf1 mx -all
Security Headers
5/5 present
All headers configured.
HSTS
Enabled
HSTS enabled: max-age=31536000s (365 days) with includeSubDomains and preload. Meets best-practice configuration.
SSL Certificate
Valid
Strengths: Certificate valid, 52 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Enabled
Strengths: 2 nameservers configured (nadia.ns.cloudflare.com., luke.ns.cloudflare.com.); 1 MX records present; DNSSEC enabled; Zone transfers properly restricted.