Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.CURL VariantsActionwww/non-www, trailing slash, HTTP→HTTPSREVIEW
www / non-www
Inconsistent — duplicate content risk
HTTP → HTTPS
Use 301 (permanent) instead of 302 (temporary)
BTLS Certificate Expiry & Recommendations148 days until leaf cert expires — 2 issues to addressREVIEW
Certificate validity
Recommended actions
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryAzure CDN (CONFIG_NOCACHE)REVIEW
A+DNS Records2 A records, 9 ms lookupPASS
| A | 13.107.226.59, 13.107.253.59 |
| AAAA | 2603:1061:14:167::1 |
| CNAME | — |
| NS | asa.ns.cloudflare.com, chase.ns.cloudflare.com |
| MX | 50 state-ca-gov.mail.protection.outlook.com |
| TXT | kgSwb3w MS=ms59950388 SPF v=spf1 mx -all 77fek9plf3e7i9vm9i500vm79s 82fgh9e11st6ge8dl2rq79oc7i b7jiemf9q2qic0t9aeacpttms2 gdji41f1cacv1m2d198if0vuli geosa84pa0ki84l70vcsmk0cim ksup9h9t5g8g74rhldhm47cg6n lrjs205tl4cmbvoti54b0sfp1i nca8d34k023s42jrh0qp73goej ne8qkje7bm8jqtic2s1ujk84i0 p5lck45mvcofc4bchcjkotdlj1 q2scl20oh8gvb2o285fbkhpeoi qermsaauqjler4v89gh0jstbob skmqov2no0k6pf53qf52qst3uv ns1-dns-e3mK#CzdtDGTf8G6@X%U 7l325lj420cvll7ynrqf9sw8w0wd5rjp 8dl8gsrz2v7brrn7v7kd8zzh5hpx3z4p jwmfns694xyfsn25rjfpltj5yk1qs86k n2brbxs1rfbk9wcqt6hs3fbn2hndvjmh p231t8bkybdbk8t66pn33w6c713hqs0c qmb32gz71shlys2xfzxk6hh4v8lv5h6c v=msv1 t=F21F2D2B-4B5C-4E0B-BEA8-3D3B29925C55 facebook-domain-verification=vfdn4y9d67uzhc1fkevfdw6vc8yxmk globalsign-domain-verification=38B38A0B432C8AD7EDFFE1BEA68CB8E2 globalsign-domain-verification=4FF8F31FE5B78F8ACA66434C225C85F1 globalsign-domain-verification=61295C85139CE4E7A8F740AFB9FA7985 globalsign-domain-verification=6d18491e811464bf27d5dcab935885fa globalsign-domain-verification=c7d5859219ca1ba4709a5503db56b280 google-site-verification=42Ovi7Pr56lkzjWNDeRK4GtOPqgY5NaLb_KuFPzFlpY google-site-verification=I_4SiFiZFFjYQ_z4uwg-E0OAQTkyrTAH4YxgvABb9Kk google-site-verification=eQVZSMDGCQ9hXfmUMCwZy-oQFyLqiM08hcr61PVAfuw google-site-verification=hDm2HGXkWMfFFhXQz8T6wQGFQfey88XgQNdNtQW-X8w google-site-verification=kZQX6fsWQ23tQL5UaTX8fi4qJvgFyoCZMaqciFhWQ7k |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
ARedirect Chain1 redirect(s), 720 ms totalPASS
https://ca.gov
25 ms · HTTP/1.1
https://www.ca.gov/
696 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://ca.gov | 301 | 25 ms | HTTP/1.1 | |
| 2 | https://www.ca.gov/ | 200 | 696 ms | HTTP/1.1 |
See the visual redirect chain in the HTTP Probe tab →
A+IPv6 ReadinessIPv6 reachable (1 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 6 URLsPASS
User-agent: *
Allow: /
# Recommended for all sites
Disallow: /ads.txt
Disallow: /app-ads.txt
Disallow: /.well-known/assetlinks.json
Disallow: /.well-known/apple-app-site-association
Disallow: /apple-app-site-association
# www.ca.gov specificly, reduces 404 crawl attempts
Disallow: /state/portal/
Disallow: /state/govsite/
Sitemap: https://www.ca.gov/sitemaps/sitemapindex.xml
A+Domain Intelligenceca.gov — via get.gov, 28 years, 11 months oldPASS
51 days
September 2, 2026
148 days
Issued by DigiCert Inc
28 years, 11 months
Registered October 2, 1997
Enabled
Protects against DNS spoofing
Unknown
2620:1ec:29:1::59
get.gov
Expiry timeline
Recommended actions
- Renew the domain or enable auto-renewal to prevent accidental expiry
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice