Is whatcms.org safe to use as a vendor?

whatcms.org scored 62/100 on LynxRadar's security posture assessment. The domain partially meets security requirements with some gaps to address. 5 checks passed, 6 warnings, 3 critical issues across 14 passive checks including TLS, DMARC, security headers, breaches, and CVEs.

Does whatcms.org have SPF configured?

Yes. SPF record: v=spf1 include:spf.privateemail.com ~all

Does whatcms.org have security headers configured?

whatcms.org has 0 of 5 recommended security headers. Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.

whatcms.org Security Report — Grade D- (62/100)

Q: What TLS version does whatcms.org use?

whatcms.org uses TLSv1.3 with TLS_AES_256_GCM_SHA384. TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Q: Does whatcms.org have DMARC configured?

No. whatcms.org's DMARC policy is set to 'none'. SPF record: yes. Strengths: SPF record present with soft-fail (~all); DKIM configured (selectors: default). Issues: No DMARC record found — email spoofing is not prevented.

Q: Does whatcms.org use HSTS?

No. Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks.

Q: Is whatcms.org's SSL certificate valid?

Yes. Strengths: Certificate valid, 85 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.

Q: Does whatcms.org have DNSSEC enabled?

No. Strengths: 2 nameservers configured (noah.ns.cloudflare.com., coco.ns.cloudflare.com.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.

D-

62/100

whatcms.org

May 13, 2026 ·

1+ Warnings 5 Passed

AI Summary

whatcms.org scored 62/100, meeting baseline requirements but with 6 findings that require attention. The vendor can proceed with a remediation timeline agreement.

Critical gaps in: HSTS Header, Security Headers, Cookie Security. Positive signals: MX Records & Mail Provider, TLS Protocol Support, TLS Configuration all passed.

5 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.

Better than 25% of 2681 companies scanned.

025th pct100

A+

A-

B+

B-

C+

C-

D+

D-

HSTS Header

Security Headers

Cookie Security

MTA-STS & TLS Reporting

DNS CAA Records

DNS Configuration

DMARC / Email Security

security.txt (RFC 9116)

CVE Exposure

MX Records & Mail Provider

TLS Protocol Support

TLS Configuration

Known Breaches

Certificate Hygiene

D-

whatcms.org

62/100

No critical issues — great work!

Enable HSTS (HTTP Strict Transport Security)

< 1 hour High

The HSTS header is missing on whatcms.org. Without it, connections can be downgraded from HTTPS to HTTP via man-in-the-middle attacks. This is a straightforward server configuration change.

PCI-DSS 4.0Req 6.4.1

Required application security controls

NIST 800-53SC-8

Transmission confidentiality and integrity

How to fix this

1Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2Verify all subdomains support HTTPS before adding includeSubDomains

3Test with: curl -sI https://whatcms.org | grep -i strict

4Submit to hstspreload.org after confirming the header is correct

4 items locked

Unlock the full action plan

Report unlocked.

At a glance

Full data from this scan

TLS Version

TLSv1.3

TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

DMARC Policy

Not configured

Strengths: SPF record present with soft-fail (~all); DKIM configured (selectors: default). Issues: No DMARC record found — email spoofing is not prevented.

SPF Record

Present

v=spf1 include:spf.privateemail.com ~all

Security Headers

0/5 present

Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy

HSTS

Not enabled

Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks.

SSL Certificate

Valid

Strengths: Certificate valid, 85 days remaining; Issued by Google Trust Services. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.

DNSSEC

Not enabled

Strengths: 2 nameservers configured (noah.ns.cloudflare.com., coco.ns.cloudflare.com.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.

Similar companies

Other domains with comparable security profiles.