Infrastructure - https://bombas.com BeaverCheck Audit

C

IPv6 Readiness

Action

No IPv6 support

REVIEW

No IPv6 support

No IPv6 (AAAA) records found

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

No IPv6 Support

About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B

HTTP Probe Timing

Total 1458 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

REVIEW

DNS Lookup

36 ms

TCP Connect

1 ms

TLS Handshake

47 ms

Time to First Byte

953 ms

Total Time

1.46 s

Connection waterfall

DNS Lookup 36 ms TCP Connect 1 ms TLS Handshake 47 ms Server Processing 869 ms Content Transfer 506 ms

B

TLS Certificate Expiry & Recommendations

32 days until leaf cert expires — 3 issues to address

REVIEW

Certificate validity

32

days left

0d 30d 60d 90d+

Recommended actions

Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
Enable DNSSEC on your domain for DNS spoofing protection
Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy

A+

DNS Records

1 A records, 121 ms lookup

PASS

1 A records, 121 ms lookup

Resolves to 1 IPv4 address(es)

Got: 76.76.21.21

Single A record — no DNS redundancy

Multiple A records provide failover if one server goes down.

No IPv6 (AAAA) records

4 nameserver(s) configured

Got: ns-935.awsdns-52.net, ns-1670.awsdns-16.co.uk, ns-1146.awsdns-15.org, ns-144.awsdns-18.com

4 mail exchanger(s) configured

CAA records not checked

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

SPF record present in TXT

DNS resolution time: 121 ms

Got: 121 ms

A	76.76.21.21
AAAA	—
CNAME	—
NS	ns-935.awsdns-52.net, ns-1670.awsdns-16.co.uk, ns-1146.awsdns-15.org, ns-144.awsdns-18.com
MX	1 aspmx.l.google.com 5 alt1.aspmx.l.google.com 5 alt2.aspmx.l.google.com 10 aspmx2.googlemail.com
TXT	MS=ms56575032 docusign=c9762c22-a116-4ae9-be13-9a586946c10c shopify-verification-code=lt1CDfYsRy8hUL9oWSJ6hVTkJGa5nR notion-domain-verification=cAUyfHILRTsgFiLhdsOV09nMl9LaiaiJB01VQ1fIqCC 1password-site-verification=MZTECT33NVDXBHPZ35ES3BM5XY SPF v=spf1 include:_spf.google.com include:shops.shopify.com include:mailgun.org inc... CA70EB7D36 apple-domain-verification=lBi61rxxfM1-zrbqYpYnsshIHdzk-veSgjH4XGPdmJY atlassian-domain-verification=B0lCQEz1i2GuiRjCaiuatLqpVJGgcv/aSzlVFYcnffkEfa32W5... google-site-verification=vBNZdrdvuZWNK0Tc84eafSwwlrznhJrM_q5w7ipe27Y google-site-verification=fxF4eXHh-mG8lhyfh7GF_JavSXb8T2QjM3tFUPuwDFQ google-site-verification=xMKHOgpPp2vn0Yj2ex1Ti9KX-a-bjNnW5jV6oSTuvsI google-site-verification=7TNuFONnKpx2RjAmkDn9dbYDTSNXZ7uYp3hY19HB4Xo google-site-verification=kpIH3cqwrgKfApxcsnjvw4kQDVFsAJNXOnpMT0emu4Y shopify_verification_shop= 01J8KX789T0TMFN7A17E8092G0 dropbox-domain-verification=6cbc43mk7qyd facebook-domain-verification=j50axg3n9b3408cbv690uclmdf61xy openai-domain-verification=dv-D8O0T6X3Er9F07um9vm9jYhZ 49n9rx785mqfzj6cd9ypb3msctv2chn2 adobe-idp-site-verification=37a1af793716d9bbcdd18def637f4615b82da1aff64bd63bd988... onetrust-domain-verification=db9790d8abdc4f539c21140dfd7f6340 onetrust-domain-verification=7272213c2ecf4861a2e2e14c75cb8a46 smartsheet-site-validation=-k9lcWZz7Fm8AHqsAV0wv1jgyAvkoK6p slack-domain-verification=JO6wKhCoIgZDRnNiRpUFwypTvUoHKjwI37FylJKq pinterest-site-verification=ff8bcf37a23dc9e9128b733fd2d87665 ZOOM_verify_0sbNKciI7T4nn4qJFP1owl stripe-verification=a60daf997e27a31fd58fe80776e77a155a65d2607b73cb85cabc912520ab... rippling-domain-verification=a7e73cdc08097d91
CAA	Lookup not available with standard resolver

Resolved in 121 ms

Multiple A records provide failover if one server goes down.

Why this matters

Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.

Learn more ▾

Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.

Source: SRE practice / DNS architecture

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://bombas.com

https://bombas.com

854 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://bombas.com	200	854 ms	HTTP/1.1	Vercel

A+

Crawlability

robots.txt present, sitemap with 1498 URLs

PASS

robots.txt present, sitemap with 1498 URLs

robots.txt is present

Got: 3403 bytes

sitemap.xml is present

sitemap.xml is valid XML

sitemap.xml contains 1498 entries

robots.txt references sitemap

robots.txt 200 OK

Size 3403 B Sitemaps referenced 3 User-agents MJ12bot, Pinterest, *, adsbot-google, Nutch, AhrefsBot, AhrefsSiteAudit Blocking No — crawling allowed

# we use Shopify as our ecommerce platform

User-agent: *
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /11195850/checkouts
Disallow: /11195850/orders
Disallow: /carts
Disallow: /account
Disallow: *page-status
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: *buy-again
Disallow: *forgot-password
Disallow: *exclusive25
Disallow: *test
Disallow: *gpc
Sitemap: https://bombas.com/sitemap.xml

# Google adsbot ignores robots.txt unless specifically named!
User-agent: adsbot-google
Disallow: /checkouts/
Disallow: /checkout
Disallow: /carts
Disallow: *page-status
Disallow: /orders
Disallow: /11195850/checkouts
Disallow: /11195850/orders
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /cdn/wpm/*.js
Disallow: *gpc

User-agent: Nutch
Disallow: /

User-agent: AhrefsBot
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: *page-status
Disallow: /checkouts/
Disallow: /checkout
Disallow: /11195850/checkouts
Disallow: /11195850/orders
Disallow: /carts
Disallow: /account
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: *buy-again
Disallow: *forgot-password
Disallow: *exclusive25
Disallow: *test
Disallow: *gpc
Sitemap: https://bombas.com/sitemap.xml

User-agent: AhrefsSiteAudit
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /11195850/checkouts
Disallow: /11195850/orders
Disallow: /carts
Disallow: /account
Disallow: *page-status
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: *buy-again
Disallow: *forgot-password
Disallow: *exclusive25
Disallow: *test
Disallow: *gpc
Sitemap: https://bombas.com/sitemap.xml

User-agent: MJ12bot
Crawl-delay: 10

User-agent: Pinterest
Crawl-delay: 1

sitemap.xml 200 OK

Type URL Set URLs 1498 entries Valid XML Yes

Sample URLs:

A

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

HTTP→HTTPS redirect uses 302 instead of 301

Got: 302 temporary redirect Expected: 301 permanent redirect

www / non-www

308https://www.bombas.com/

200https://bombas.com/

HTTP → HTTPS

308http://bombas.com/ → https://bombas.com/

Use 301 (permanent) instead of 302 (temporary)

A+

Domain Intelligence

bombas.com — via Amazon Registrar, Inc., 26 years, 7 months old, hosted on AWS

PASS

bombas.com — via Amazon Registrar, Inc., 26 years, 7 months old, hosted on AWS

Domain registered until Jan 12, 2027 (9 months remaining)

DNSSEC is not enabled

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Registrar: Amazon Registrar, Inc.

Hosting: AWS

Got: AS16509

Domain expiry

230 days

January 12, 2027

SSL certificate

32 days

Issued by Let's Encrypt

Domain age

26 years, 7 months

Registered January 12, 2000

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

AWS

ASN AS16509

76.76.21.21

Registrar

Amazon Registrar, Inc.

Lock status unknown 4 NS records

Expiry timeline

Today

+1 year

Domain expiry SSL expiry Danger zone (≤30 days)

Recommended actions

Enable DNSSEC to protect visitors from DNS spoofing

Registrar Amazon Registrar, Inc.

Created January 12, 2000 (26 years, 7 months ago)

Expires January 12, 2027 (9 months)

Last Updated December 8, 2025

Name Servers ns-1146.awsdns-15.org, ns-144.awsdns-18.com, ns-1670.awsdns-16.co.uk, ns-935.awsdns-52.net

DNSSEC Not enabled

Hosting

IP Address 76.76.21.21

ASN AS16509 (AMAZON-02 - Amazon.com, Inc., US)

Provider AWS

Data source: rdap (0.2s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more ▾

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

A

CDN & Delivery

Vercel (MISS)

PASS

Vercel (MISS)

Site is served via Vercel CDN

Got: x-vercel-id: cdg1::iad1::wgmmd-1775635887167-e5b9e3001697

CDN cache status: MISS

CDN Detected: Vercel

Provider Vercel Cache Status MISS Evidence x-vercel-id: cdg1::iad1::wgmmd-1775635887167-e5b9e3001697