Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.FIPv6 ReadinessActionIPv6 records exist but unreachableFIX
Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.
Advertising IPv6 (AAAA records) without a reachable server means IPv6-preferring clients silently fail every connection.
Learn more ▾ ▴
Modern browsers prefer IPv6 if AAAA exists (Happy Eyeballs algorithm). If the IPv6 server isn't reachable, browsers fall back to IPv4 — but with seconds of added latency per request. Either fix IPv6 reachability or remove the AAAA records.
Source: RFC 8305 (Happy Eyeballs)
BTLS Certificate Expiry & Recommendations49 days until leaf cert expires — 4 issues to addressREVIEW
Certificate validity
Recommended actions
- Add includeSubDomains to the HSTS directive
- Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+DNS Records2 A records, 130 ms lookupPASS
| A | 104.18.41.159, 172.64.146.97 |
| AAAA | 2606:4700:4400::ac40:9261, 2606:4700:4400::6812:299f |
| CNAME | — |
| NS | ns-1448.awsdns-53.org, ns-1614.awsdns-09.co.uk, ns-310.awsdns-38.com, ns-743.awsdns-28.net |
| MX | 1 matterport-com.mail.protection.outlook.com |
| TXT | 6B2B460550 MS=ms17692392 asv=f4975b3108810aaefd92af12e04f4088 atlassian-domain-verification=9xxIAWrS23Ihj1rny90c09ULGrlF5QqIeRDHoM9h/mDK9dQfmC... atlassian-domain-verification=LAkz2FUxxMo9oBp9qlpKyMPkFQT3p7fXn2F/dz0S07Gt8LASUo... atlassian-domain-verification=lfeyjhJXIpvCNouH8ejMr6NUntf7kUabbUpXZTzjqWkeKPL58n... ca3-85a1719435594b5f93c9e318d7485beb canva-site-verification=Tui_vJHU3e_a4iywkdq8wA dtm-domain-verification=LPaQJkenRqU_f27zmdlYQK42LWuvXJQoKligBJlzvh4 dtm-domain-verification=_s4A7auBgbYFYdK8-62k6WFWp4VdGOzSS0iWyvREECY facebook-domain-verification=bc4rjv1ne6lmmpmkm0dq4w8mq6kyqj globalsign-domain-verification=wvdz6fqNpGYoUxoyCbEUOYrkz-Z8Nh2zXAoS8lsLRh google-site-verification=2G72f8437RoiCxStrbrcLFkvHHgYvy0JUNqzf6ES4Es google-site-verification=3ZOIhwSinmrngLCu1nQLMusR5RRUcf-MwS-hu1SN_Hg google-site-verification=8qjCuwNezcNWRFnLRQj_fDQAJtVWow1iQbGD62NcoNo google-site-verification=DnYYEkwPRHn8Dg9ZKrnzdzFzTk_TA8V2NTA-AmfDiGY google-site-verification=QO6VzZEFNQZ08fk4Hit50xOJsCpBvc2AJQmfLbGgHes google-site-verification=tizVD9Eh7Sse2J2yTT51pSTLRjTYwNfS6siPy6b3_dw h1-domain-verification=EsJUSsUfzCVBxTxm9dE5a6XQVKzq3cRFULHDPbLRwPY7hgDf hj-ownership='}.{,fnM8cL"3]Y1#jk= logmein-verification-code=dbf38ade-d1da-40bb-9306-0f0b0dd9c0d5 lucid-verification=vua-JDB4fzu!gdz0day miro-verification=abebac7038b5f980a0bd4544366810d9459d428d pardot142351=3cf0ade33fae2580b0de32ab64393c42c2705841847282c2e7bccd5e4e5558c4 pardot142351=54ebecfb45dc6b5b885c036da118544f3e471dcbc3e09dca37075b4b950f8d81 pardot142351=67c0d37fef5ae2399a2acce99fe85be770a171c4ff0e7865207fe17fb7321ca1 pardot142351=c6c3e6f80337ef032ad926b0f2b3f5405796fcd0d386dbba45be0f9648ab96c9 pardot_142351_*=7cd93fad920495c0a26d20a785e89892cb2de331ed91de0418876a2de5ff32c6 stripe-verification=a3215338f55b346cabc52be7f3d51bc2f0fc2fa1f17fd1f7c1f77d89e9fe... unbounce=613597 SPF v=spf1 include:costar.com include:spf.protection.outlook.com ip4:168.203.32.239 ... zendeskverification=509e4ebfdda8bd33 |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
A+Redirect ChainNo redirects — direct accessPASS
https://matterport.com
75 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://matterport.com | 200 | 75 ms | HTTP/1.1 | cloudflare |
A+Crawlabilityrobots.txt present, sitemap with 14504 URLsPASS
User-Agent: *
Allow: /
Sitemap: https://matterport.com/sitemap.xml
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: non-www
HTTP → HTTPS
Consistent
ADomain Intelligencematterport.com — via NameSilo, LLC, 15 years, 1 months old, hosted on CloudflarePASS
EXPIRED
June 9, 2026
49 days
Issued by DigiCert Inc
15 years, 1 months
Registered June 9, 2011
Not enabled
Protects against DNS spoofing
Cloudflare
ASN AS13335
104.18.41.159
NameSilo, LLC
Expiry timeline
Recommended actions
- Domain has EXPIRED — renew immediately to avoid total site outage
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Consider enabling auto-renewal to prevent accidental expiration.
Domain expiry approaching — renew immediately and ensure auto-renew + alerting are configured.
Source: ICANN renewal policy
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice