https://paramount.com

Infrastructure

9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE: 90 · GRADE: A · FIX: 1 · REVIEW: 2 · PASS: 6 · INFO: 0
Probed from Sao Paulo, Brazil
301 Moved Permanently
Checks: 9 (6 PASS, 2 REVIEW, 1 FIX)
D
CDN & Delivery
No CDN detected
FIX
Warning::
No CDN detected
A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

Consider using a CDN to improve global delivery speed and reduce origin load.

C
IPv6 Readiness
No IPv6 support
REVIEW
Info::
No IPv6 (AAAA) records found
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
Consider adding AAAA records.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B
TLS Certificate Expiry & Recommendations
30 days until leaf cert expires — 4 issues to address
REVIEW

Certificate validity

30 days left

Recommended actions

  • Renew certificate — 30 days remaining
  • Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+
DNS Records
2 A records, 15 ms lookup
PASS
Info::
Resolves to 2 IPv4 address(es)
Got: 76.223.34.124, 13.248.160.137
Info::
No IPv6 (AAAA) records
Info::
6 nameserver(s) configured
Got: dns1.p09.nsone.net, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com, ns0243.secondary.cloudflare.com
Info::
2 mail exchanger(s) configured
Info::
CAA records not checked
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Info::
SPF record present in TXT
Info::
DNS resolution time: 15 ms
Got: 15 ms
A: 76.223.34.124, 13.248.160.137
AAAA: (none)
CNAME: (none)
NS: dns1.p09.nsone.net, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com, ns0243.secondary.cloudflare.com
MX: 10 mxa-00262c01.gslb.pphosted.com, 10 mxb-00262c01.gslb.pphosted.com
TXT
SPF v=spf1 include:_netblocks.viacom.com include:spf.protection.outlook.com include:...
CAA: Lookup not available with standard resolver
Resolved in 15 ms

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

A
Redirect Chain
1 redirect(s), 563 ms total
PASS
Info::
Single redirect
Got: https://paramount.com → https://www.paramount.com/ (301)
Info::
WWW normalization redirect
Info::
Redirect overhead: 563 ms total
Got: 563 ms

https://paramount.com

533 ms · HTTP/1.1

301

https://www.paramount.com/

30 ms · HTTP/1.1 FINAL

# | URL | Status | Time | Protocol | Server
1 | https://paramount.com | 301 | 533 ms | HTTP/1.1 | urllo
2 | https://www.paramount.com/ | 200 | 30 ms | HTTP/1.1 |

A+
Crawlability
robots.txt present, sitemap with 533 URLs
PASS
Info::
robots.txt is present
Got: 2005 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 533 entries
Info::
robots.txt does not reference a sitemap
Add a 'Sitemap:' directive to robots.txt so search engines can discover your sitemap.

Why this matters

robots.txt omits Sitemap: directive — crawlers must fetch /sitemap.xml by convention; reliable but missing the explicit hint.

Source: sitemaps.org

robots.txt 200 OK
Size: 2005 B
Sitemaps referenced: 0
User-agents: *
Blocking: No (crawling allowed)
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
# CSS, JS, Images
Allow: /core/*.css$
Allow: /core/*.css?
Allow: /core/*.js$
Allow: /core/*.js?
Allow: /core/*.gif
Allow: /core/*.jpg
Allow: /core/*.jpeg
Allow: /core/*.png
Allow: /core/*.svg
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /profiles/*.svg
# Directories
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.md
Disallow: /composer/Metapackage/README.txt
Disallow: /composer/Plugin/ProjectMessage/README.md
Disallow: /composer/Plugin/Scaffold/README.md
Disallow: /composer/Plugin/VendorHardening/README.txt
Disallow: /composer/Template/README.txt
Disallow: /modules/README.txt
Disallow: /sites/README.txt
Disallow: /themes/README.txt
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register
Disallow: /user/password
Disallow: /user/login
Disallow: /user/logout
Disallow: /media/oembed
Disallow: /*/media/oembed
# Paths (no clean URLs)
Disallow: /index.php/admin/
Disallow: /index.php/comment/reply/
Disallow: /index.php/filter/tips
Disallow: /index.php/node/add/
Disallow: /index.php/search/
Disallow: /index.php/user/password
Disallow: /index.php/user/register
Disallow: /index.php/user/login
Disallow: /index.php/user/logout
Disallow: /index.php/media/oembed
Disallow: /index.php/*/media/oembed

A+
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
PASS
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

403 https://www.paramount.com/
200 https://paramount.com/

HTTP → HTTPS

301 http://paramount.com/ → https://www.paramount.com/

Consistent

A+
Domain Intelligence
paramount.com — via MarkMonitor Inc., 32 years, 11 months old, hosted on AWS
PASS
Info::
Domain registered until Oct 28, 2026 (6 months remaining)
Info::
DNSSEC is not enabled
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Info::
Registrar: MarkMonitor Inc.
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Info::
Hosting: AWS
Got: AS16509
Domain expiry: 134 days (October 28, 2026)
SSL certificate: 30 days (issued by Let's Encrypt)
Domain age: 32 years, 11 months (registered October 29, 1993)
DNSSEC: Not enabled (protects against DNS spoofing)
Hosting: AWS (ASN AS16509, 13.248.160.137)
Registrar: MarkMonitor Inc. (unlocked, 6 NS records)
Expiry timeline (today to +1 year): domain expiry, SSL expiry, danger zone (≤30 days)
Recommended actions
  • Renew the TLS certificate or verify auto-renewal is working
  • Enable DNSSEC to protect visitors from DNS spoofing
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar: MarkMonitor Inc.
Created: October 29, 1993 (32 years, 11 months ago)
Expires: October 28, 2026 (6 months)
Last Updated: September 26, 2025
Name Servers: dns1.p09.nsone.net, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com, ns0243.secondary.cloudflare.com
DNSSEC: Not enabled
Hosting
IP Address: 13.248.160.137
ASN: AS16509 (AMAZON-02 - Amazon.com, Inc., US)
Provider: AWS
Data source: rdap (0.6s)

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A
HTTP Probe Timing
Total 526 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
PASS
DNS Lookup (time to resolve the domain name to an IP address): 4 ms
TCP Connect (time to establish a TCP connection to the server): 1 ms
TLS Handshake (time to complete the HTTPS encryption handshake): 346 ms
Time to First Byte (how long the server takes to respond with the first byte of data): 526 ms
Total Time (total request time from DNS lookup through full response): 526 ms

Connection waterfall

DNS Lookup 4 ms · TCP Connect 1 ms · TLS Handshake 346 ms · Server Processing 175 ms · Content Transfer 0 ms
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.