Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
BRedirect Chain1 redirect(s), 1534 ms totalREVIEW
https://va.gov
713 ms · HTTP/1.1
https://www.va.gov/
821 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://va.gov | 301 | 713 ms | HTTP/1.1 | |
| 2 | https://www.va.gov/ | 200 | 821 ms | HTTP/1.1 |
See the visual redirect chain in the HTTP Probe tab →
BURL Variantswww/non-www, trailing slash, HTTP→HTTPSREVIEW
www / non-www
Inconsistent — duplicate content risk
HTTP → HTTPS
Consistent
BTLS Certificate Expiry & Recommendations272 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Prefer TLS 1.3 — TLS 1.2 is acceptable but TLS 1.3 removes RSA key exchange and improves latency
- Add includeSubDomains to the HSTS directive
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
ADNS Records1 A records, 279 ms lookupPASS
| A | 152.131.96.221 |
| AAAA | 2600:8030:0:28::30:221 |
| CNAME | — |
| NS | ns3x.va.gov, ns1x.va.gov, ns4x.va.gov, ns2x.va.gov |
| MX | 10 mx20.va.gov |
| TXT | MS=ms28494616 docusign=1df408c8-ae62-42aa-81fb-cbacef5c7561 _5ri78mzgbmvox0mvm8ou5wxkmpx9woh _w1ybjynlrsafrjumudrp5ilvgsom6hq docusign=31552c45-f8a2-4607-9542-acf2c7b6ddff SPF v=spf1 mx ip4:152.130.26.32/27 ip4:152.131.26.32/27 ip4:152.132.26.32/27 ip4:152... _44pf4890rcbprrl4m69yuzocued8hj3 _ymhmp4c6qowov1llhzi4znjsgw7klp9 google-site-verification=RkAwuvE_HJPBMMNduSFoIOZBXDdFYV8pyziOb8CoqUU webexdomainverification.4NWTE=159c226b-8398-4ffd-8683-22977242d145 iwIqL1PYelzu9mfBv8t6UAmaBw1PFaM5w0LM/0gDrTOHD9lq2P6biza3ebVIxm4PJbbupeZlfQMuJvET... m6SyqGL+aO06ndrOtI3kDiZQFVKqPWAGXV+ygrs7DMs= tbi14aj28g0up3db1th77u1h1s adobe-idp-site-verification=021f36dcd17c888ff7efe04d03905876a7443340c8a69372bf05... |
| CAA | Lookup not available with standard resolver |
Multiple A records provide failover if one server goes down.
Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.
Learn more ▾ ▴
Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.
Source: SRE practice / DNS architecture
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
Slow DNS adds latency to every page load. Consider a faster DNS provider.
DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.
Source: DNS performance benchmarks
A+IPv6 ReadinessIPv6 reachable (116 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 2 URLsPASS
User-agent: usasearch
Allow: /
# existing disallow on va.gov (may not be needed)
User-agent: Synapse
Disallow: /
# block Amazon's AI training crawler
User-agent: Amazonbot
Disallow: /
# existing disallow from vets.gov
User-Agent: *
Disallow: /analytics-opt-out.html
Disallow: /cgi-bin/
Disallow: /drupal
Disallow: /covid19screen
Disallow: /sitemap.xml
# disallow WIP VAMCs
# make sure to add a trailing slash at the end of the path
# to prevent sub-directories from being indexed
# see https://developers.google.com/search/docs/advanced/robots/create-robots-txt#useful-robots.txt-rules
# sitemap index
Sitemap: https://www.va.gov/sitemap_index.xml
Sitemap: https://www.va.gov/sitemap-cb.xml
Sitemap: https://www.va.gov/sitemap-nb.xml
A+Domain Intelligenceva.gov — via get.gov, 28 years, 11 months oldPASS
23 days
August 4, 2026
272 days
Issued by Sectigo Limited
28 years, 11 months
Registered October 2, 1997
Enabled
Protects against DNS spoofing
Unknown
2600:8030:0:28::30:221
get.gov
Expiry timeline
Recommended actions
- Renew the domain or enable auto-renewal to prevent accidental expiry
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice