Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.FIPv6 ReadinessActionIPv6 records exist but unreachableFIX
Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.
Advertising IPv6 (AAAA records) without a reachable server means IPv6-preferring clients silently fail every connection.
Learn more ▾ ▴
Modern browsers prefer IPv6 if AAAA exists (Happy Eyeballs algorithm). If the IPv6 server isn't reachable, browsers fall back to IPv4 — but with seconds of added latency per request. Either fix IPv6 reachability or remove the AAAA records.
Source: RFC 8305 (Happy Eyeballs)
BTLS Certificate Expiry & Recommendations41 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Submit your domain to hstspreload.org to be added to the Chrome preload list
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+DNS Records2 A records, 10 ms lookupPASS
| A | 172.66.134.245, 172.66.137.111 |
| AAAA | 2606:4700:10::ac42:86f5, 2606:4700:10::ac42:896f |
| CNAME | — |
| NS | jeff.ns.cloudflare.com, lucy.ns.cloudflare.com |
| MX | 1 aspmx.l.google.com 5 alt2.aspmx.l.google.com 5 alt1.aspmx.l.google.com 10 aspmx2.googlemail.com 10 aspmx3.googlemail.com |
| TXT | proxy-ssl.webflow.com sendinblue-site-verification=4794744 brevo-code:1af3e8bb9f0b4211d6e27bb86d4e73c0 Sendinblue-code:34d700f1b575b8a982e48df7fdaae9a8 facebook-domain-verification=jbzhsmqwdxjzdp1xcu5aq6msw9hx1d google-site-verification=Fb8TEfSkdtdBs6GDgeJYPyKQRGJAvS9smdhLR9GHQTc SPF v=spf1 include:_spf.google.com include:spf.sendinblue.com include:amazonses.com ... |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
A+Redirect ChainNo redirects — direct accessPASS
https://trezor.io
121 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://trezor.io | 200 | 121 ms | HTTP/1.1 | cloudflare |
A+Crawlabilityrobots.txt present, sitemap with 6 URLsPASS
User-Agent: *
Disallow: /cart
Disallow: /checkout/*
Disallow: /order/*
Disallow: /order-detail/*
Disallow: /order-failed/*
Disallow: /order-underpaid/*
Disallow: /order-3dsecure/*
Disallow: /mobile-download
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-en.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-cs.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-ja.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-de.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-es-ES.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-fr.xml
Sitemap: https://trezor.io/content/sitemaps/production/sitemap-pt-BR.xml
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: non-www
HTTP → HTTPS
Consistent
A+Domain Intelligencetrezor.io — via Cloudflare, Inc, 11 years, 11 months old, hosted on CloudflarePASS
735 days
July 21, 2028
41 days
Issued by Let's Encrypt
11 years, 11 months
Registered July 21, 2014
Status unknown
Protects against DNS spoofing
Cloudflare
ASN AS13335
172.66.137.111
Cloudflare, Inc
Expiry timeline
Domain cannot be transferred without explicit unlock from the registrar. This protects against unauthorized transfers.
Registrar lock (clientTransferProhibited et al.) prevents unauthorized domain transfers — strongest defense against domain hijacking.
Source: ICANN / domain-security best practice