wikipedia.org
Grade: B- (80/100)
Scanned April 19, 2026
14 checks: 1 critical, 3 warnings, 10 passed
Security Headers
None of the 5 recommended security headers are present (missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy). This exposes the application to clickjacking, MIME-sniffing, and other client-side attacks.
Critical
MTA-STS & TLS Reporting
Issues: No MTA-STS policy published, so a sending server has no way to learn that this domain's MX hosts require TLS; an on-path attacker can strip STARTTLS and force plaintext delivery (MTA-STS, or DANE, is what prevents that downgrade). No TLSRPT record, so sending servers have nowhere to report TLS delivery failures to the domain owner.
Needs work
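The records and policy file that close this gap, shown as an added example that is not from the scan report and not Wikimedia's own configuration: the two TXT records, the policy text, the report address and the wildcard mx pattern are constructed, and only mx-in2001.wikimedia.org comes from the report. The validator applies the checks a sending MTA performs before it refuses a non-TLS session or an MX that the policy does not list, which also shows why a policy left in testing mode does not stop a downgrade.

```python
"""Validate an MTA-STS policy and TLSRPT record the way a sending MTA would.

Added example, not from the scan report and not Wikimedia's configuration. The TXT
records, policy text, report address and wildcard mx pattern are constructed;
mx-in2001.wikimedia.org is the MX host the report lists.
"""
from typing import Any, Dict, List

# TXT at _mta-sts.<domain>: the id must change whenever the policy file changes (constructed).
MTA_STS_TXT = "v=STSv1; id=20260419T000000"
# TXT at _smtp._tls.<domain>: where senders report TLS failures (constructed address).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.org"
# Body served at https://mta-sts.<domain>/.well-known/mta-sts.txt (constructed).
POLICY_TXT = """version: STSv1
mode: enforce
mx: mx-in2001.wikimedia.org
mx: *.wikimedia.org
max_age: 604800
"""

MAX_AGE_LIMIT = 31_557_600  # one year, the ceiling RFC 8461 sets for max_age
MIN_USEFUL_AGE = 86_400     # assumption: below a day the cached policy gives little protection


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' TXT records (MTA-STS, TLSRPT) into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse the 'key: value' policy file; 'mx' may repeat, so it is collected in a list."""
    policy: Dict[str, Any] = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key.lower()] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: exact host, or '*.example' matching exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern


def validate_mta_sts(txt: str, policy_text: str, mx_hosts: List[str]) -> List[str]:
    """Return the problems a sender would hit; an empty list means TLS is enforced to every MX."""
    problems: List[str] = []
    tags = parse_tags(txt)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        problems.append("_mta-sts TXT must be 'v=STSv1; id=<opaque>'")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"invalid mode {mode!r}")
    elif mode != "enforce":
        problems.append(f"mode {mode}: failures are only reported, a STARTTLS downgrade still succeeds")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append("max_age out of range")
        elif max_age < MIN_USEFUL_AGE:
            problems.append("max_age shorter than a day")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    for host in mx_hosts:
        if not any(mx_matches(pattern, host) for pattern in policy["mx"]):
            problems.append(f"MX {host} matches no mx: line; in enforce mode senders refuse it")
    return problems


def validate_tlsrpt(txt: str) -> List[str]:
    """TLSRPT needs v=TLSRPTv1 and at least one rua= destination (mailto: or https:)."""
    tags = parse_tags(txt)
    problems: List[str] = []
    if tags.get("v") != "TLSRPTv1":
        problems.append("_smtp._tls TXT must start with v=TLSRPTv1")
    rua = tags.get("rua", "")
    if not any(uri.strip().startswith(("mailto:", "https:")) for uri in rua.split(",") if uri.strip()):
        problems.append("rua must list a mailto: or https: report destination")
    return problems


if __name__ == "__main__":
    print(validate_mta_sts(MTA_STS_TXT, POLICY_TXT, ["mx-in2001.wikimedia.org"]))   # []
    print(validate_mta_sts(MTA_STS_TXT, POLICY_TXT.replace("enforce", "testing"), ["mx.example.org"]))
    print(validate_tlsrpt(TLSRPT_TXT))  # []
```

Deploy in testing mode first and read the TLSRPT reports for a few days before switching to enforce; once a sender has cached an enforce policy, any MX host that the policy does not list is refused until max_age expires, which is why the MX list is checked here against the hosts actually in DNS.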
DNS Configuration
Strengths: 3 nameservers configured (ns0.wikimedia.org., ns1.wikimedia.org., ns2.wikimedia.org.); 2 MX records present; Zone transfers properly restricted. Issues: DNSSEC not configured — DNS responses can be spoofed.
Needs work
DMARC / Email Security
Strengths: DMARC policy set to reject (strongest); SPF record present with soft-fail (~all). Because DMARC credits only an SPF pass, the soft-fail qualifier does not weaken a p=reject policy, although -all still helps receivers that act on SPF alone. Issues: No DKIM records found for common selectors (the domain may use custom selectors, so this is not a confirmed gap; the selector in use can be read from the s= tag of the DKIM-Signature header on mail actually sent from the domain).
Needs work
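Why the soft-fail (~all) does not weaken a p=reject policy, as an added example that is not from the report and not Wikimedia's code: the SPF record is the one the report shows; the DMARC record is reduced to v=DMARC1; p=reject because the report names only the policy, so the live record may carry more tags; the message scenarios, envelope domains and DKIM signing domains are constructed. The evaluator applies RFC 7489 identifier alignment, which is also why a DKIM signature from a sibling domain such as wikimedia.org would not rescue a message whose From: is wikipedia.org.

```python
"""Evaluate DMARC for a message from its SPF and DKIM results.

Added example, not from the scan report and not Wikimedia's code. SPF_RECORD is the
record the report shows for wikipedia.org; DMARC_RECORD is reduced to the policy the
report names (the live record may carry more tags); message scenarios are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict

SPF_RECORD = "v=spf1 include:_cidrs.wikimedia.org ~all"   # from the report
DMARC_RECORD = "v=DMARC1; p=reject"                         # assumption: minimal record


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' tag list (DMARC syntax) into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str:
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else "?"


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Real implementations consult the Public Suffix List; two labels are enough for .org.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class AuthResult:
    """Authentication results for one message, as a receiving filter would record them."""
    spf_result: str                                              # pass / fail / softfail / neutral / none
    spf_domain: str                                              # MAIL FROM domain SPF was evaluated for
    dkim_results: Dict[str, str] = field(default_factory=dict)   # d= domain -> pass / fail


def dmarc_disposition(dmarc_record: str, from_domain: str, auth: AuthResult) -> Dict[str, object]:
    """Apply RFC 7489: the message passes if SPF or DKIM passes *and* aligns with From:."""
    tags = parse_tags(dmarc_record)
    strict_spf = tags.get("aspf", "r") == "s"
    strict_dkim = tags.get("adkim", "r") == "s"

    def aligned(domain: str, strict: bool) -> bool:
        if strict:
            return domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
        return org_domain(domain) == org_domain(from_domain)

    # Only an SPF *pass* counts: softfail (~all), neutral and fail are all failures,
    # so the choice between ~all and -all never changes the DMARC verdict.
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, strict_spf)
    dkim_ok = any(result == "pass" and aligned(domain, strict_dkim)
                  for domain, result in auth.dkim_results.items())
    passed = spf_ok or dkim_ok
    policy = tags.get("p", "none")
    return {
        "pass": passed,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "policy": policy,
        "pct": int(tags.get("pct", "100")),   # share of failing mail the policy applies to; not sampled here
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    print("SPF 'all' qualifier:", spf_all_qualifier(SPF_RECORD))   # ~
    # Constructed scenarios for a message whose From: is user@wikipedia.org.
    spoof = AuthResult("softfail", "attacker.example")                           # spoofed, no DKIM
    sibling = AuthResult("fail", "attacker.example", {"wikimedia.org": "pass"})  # DKIM from a sibling domain
    legit = AuthResult("pass", "wikipedia.org")
    for name, result in (("spoof", spoof), ("sibling", sibling), ("legit", legit)):
        print(name, dmarc_disposition(DMARC_RECORD, "wikipedia.org", result)["disposition"])
```

The spoofed message and the sibling-signed message both end in reject under p=reject; only an aligned pass changes the outcome, which is the property that makes the DKIM visibility question in the finding worth settling rather than the ~all qualifier.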
MX Records & Mail Provider
Strengths: Mail handled by mx-in2001.wikimedia.org; 2 MX records configured, providing redundancy. Note: both MX records share priority 10, so senders choose between them at random (round-robin load balancing, no primary/backup distinction).
Passed
DNS CAA Records
Strengths: CAA records configured (4 record(s)); Authorized CAs: pki.goog, digicert.com, letsencrypt.org; Violation reporting (iodef) configured.
Passed
TLS Configuration
TLSv1.3 negotiated with TLS_AES_128_GCM_SHA256 (128-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
Passed
TLS Protocol Support
Strengths: TLS 1.3 (strongest) and TLS 1.2 supported; TLS 1.1 and TLS 1.0 not offered. Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Passed
Cookie Security
Strengths: 1 cookie(s) analyzed; All cookies have Secure flag; All cookies have HttpOnly flag; All cookies have SameSite attribute.
Passed
HSTS Header
HSTS enabled: max-age=106384710s (1231 days) with includeSubDomains and preload. Meets best-practice configuration.
Passed
Known Breaches
No known breaches found in public disclosure databases.
Passed
security.txt (RFC 9116)
Strengths: security.txt found with 5 field(s); Contact: mailto:[email protected]; Expires in 1076 days (2029-03-31T09:00:00.000Z); Disclosure policy: https://www.mediawiki.org/wiki/Reporting_security_bugs; Preferred languages: en; Acknowledgments/hall-of-fame link included. Issues: Not PGP signed (recommended for authenticity).
Passed
CVE Exposure
Detected technologies: ATS/9.2.13 (Apache Traffic Server). No high or critical CVEs found for the detected version.
Passed
Certificate Hygiene
Strengths: Certificate valid, 78 days remaining; Issued by Let's Encrypt. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
Passed
Recommended actions

Steps to improve wikipedia.org's security grade, ranked by impact.

1. Add missing security headers (CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)
   Estimated effort: 1–2 hours. Impact: High.

5 of 5 recommended security headers are missing on wikipedia.org: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy. These headers protect against clickjacking, MIME-sniffing, and unauthorized browser feature access. Four of them are a server configuration change with no application code changes required; a Content-Security-Policy that actually blocks XSS usually needs application work as well, because inline scripts and third-party sources have to be inventoried and given nonces, hashes or an allow-list.

PCI-DSS 4.0 Req 6.4.1: Security headers are required application controls
OWASP Secure Headers: Recommended baseline for web applications
How to fix this
1 Add a Content-Security-Policy header. Roll it out first as Content-Security-Policy-Report-Only so violations are reported without breaking pages. A permissive starting value that tolerates inline styles/scripts and Google Fonts (drop the fonts origins if the site does not use them): default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' 'unsafe-inline'; upgrade-insecure-requests. With 'unsafe-inline' in script-src the policy does not yet stop XSS; tighten it over time by moving inline scripts to nonces or hashes and removing 'unsafe-inline'.
2 Add: X-Content-Type-Options: nosniff
3 Add: X-Frame-Options: SAMEORIGIN (use DENY only if you never embed your pages in iframes). If the CSP sets frame-ancestors, supporting browsers ignore X-Frame-Options, so keep the two consistent.
4 Add: Referrer-Policy: strict-origin-when-cross-origin
5 Add: Permissions-Policy: camera=(), microphone=(), geolocation=()
6 Verify with: curl -sIL https://wikipedia.org | grep -iE 'content-security|x-frame|x-content|referrer|permissions'. The -L follows any redirect so the headers of the final page are checked rather than those of a 3xx response; re-run against https://www.wikipedia.org and against a page served from a subdomain, since headers can differ per host and route.
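A checker for the verification step, added here as an example that is not part of the scan report and not Wikimedia's tooling: it parses a raw response header block of the kind curl -sI prints, counts the five headers listed above, treats a 3xx answer as a redirect whose headers say nothing about the final page, credits a CSP frame-ancestors directive in place of X-Frame-Options, and flags a script-src that still allows 'unsafe-inline' without a nonce or hash. Both sample responses are constructed; the redirect target and the header values are not captured from wikipedia.org.

```python
"""Audit the security headers of one HTTP response.

Added example, not part of the scan report and not Wikimedia's tooling. Parses a raw
response head, reports which of the five recommended headers are present, and flags a
CSP whose script-src still allows 'unsafe-inline'. Both samples below are constructed.
"""
from typing import Dict, List, Tuple

RECOMMENDED = [
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
]


def parse_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP response head.

    Header names are lower-cased; repeated headers are joined with ', ' (RFC 9110
    list semantics) so a second CSP header is not silently dropped.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive, or [] if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return []


def audit(raw: str) -> Dict[str, object]:
    """Report missing headers and weak settings for one response."""
    status, headers = parse_headers(raw)
    missing = [h for h in RECOMMENDED if h not in headers]
    notes: List[str] = []
    # A 3xx answer is the redirect, not the page: its headers say nothing about the
    # final document, so the audit has to be repeated on the Location target.
    if 300 <= status < 400:
        notes.append(f"response is a {status} redirect to {headers.get('location', '?')}; audit the final URL")
    csp = headers.get("content-security-policy", "")
    if csp:
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src")
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            notes.append("CSP allows 'unsafe-inline' scripts with no nonce/hash: no XSS protection yet")
        if csp_directive(csp, "frame-ancestors") and "x-frame-options" in missing:
            missing.remove("x-frame-options")  # frame-ancestors supersedes X-Frame-Options
            notes.append("X-Frame-Options absent but CSP frame-ancestors set: clickjacking covered")
    return {"status": status, "present": len(RECOMMENDED) - len(missing), "missing": missing, "notes": notes}


# Constructed sample: a bare-domain redirect carrying only HSTS.
REDIRECT = """HTTP/2 301
location: https://www.example.org/
strict-transport-security: max-age=106384710; includeSubDomains; preload
"""

# Constructed sample: a final page with the baseline from the how-to above,
# using frame-ancestors instead of X-Frame-Options.
PAGE = """HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
"""

if __name__ == "__main__":
    for sample in (REDIRECT, PAGE):
        print(audit(sample))
```

Feed it the output of curl -sI for each hop: the first sample shows how a scanner that stops at the redirect reports 0/5 even when the final page is configured, and the second shows that a header count alone is not the same as protection, since the page passes the count while its CSP still permits inline script.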
AI Summary
What this means

wikipedia.org scored 80/100 (B-). Transport security is strong: TLS 1.3 with no legacy protocols, preloaded HSTS, secure cookie flags, CAA with violation reporting, and DMARC at p=reject. The score is pulled down by one critical finding (none of the five recommended security headers on the response the scanner received) and three warnings (no MTA-STS or TLSRPT, no DNSSEC, and no DKIM found for common selectors, which is not a confirmed gap).

The issues are configuration gaps rather than architectural problems. The headers are a server-side change, and MTA-STS plus TLSRPT are a policy file and two DNS records; DNSSEC signing needs a DS record at the registrar and a key-rollover process, so its effort is harder to bound. The report's estimate of 2–5 days for all findings assumes that coordination is already in place.

How wikipedia.org compares

Grade distribution across 2678 companies we've scanned. wikipedia.org scores better than 64% of them (64th percentile).

Grade  Companies
A+        88
A         28
A-       194
B+       200
B         75
B-       376  (wikipedia.org, 80/100)
C+       137
C        117
C-       347
D+       123
D         96
D-       265
F        632
At a glance

Key data points from the scan.

TLS Version: TLSv1.3, negotiated with TLS_AES_128_GCM_SHA256 (128-bit); no deprecated protocols or weak ciphers detected
DMARC Policy: p=reject; SPF present with soft-fail (~all); no DKIM records found for common selectors (not a confirmed gap)
SPF Record: Present: v=spf1 include:_cidrs.wikimedia.org ~all
Security Headers: 0/5 present (missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)
HSTS: Enabled; max-age=106384710 (1231 days) with includeSubDomains and preload
SSL Certificate: Valid, 78 days remaining; issued by Let's Encrypt; wildcard certificate covering all subdomains
DNSSEC: Not enabled