Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.CIPv6 ReadinessActionNo IPv6 supportREVIEW
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.
Source: Google IPv6 stats
BCrawlabilityno robots.txt, no sitemapREVIEW
robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.
Learn more ▾ ▴
A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.
Source: robotstxt.org
A sitemap helps search engines discover and index your pages more efficiently.
No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.
Learn more ▾ ▴
A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.
Source: sitemaps.org / Google Search Central
No robots.txt found
This is fine for most sites — a missing robots.txt allows all crawling by default.
No sitemap found
Adding a sitemap helps search engines discover your pages.
BTLS Certificate Expiry & Recommendations201 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryAWS CloudFront (FunctionGeneratedResponse from cloudfront)REVIEW
A+DNS Records3 A records, 81 ms lookupPASS
| A | 3.173.21.37, 3.173.22.37, 3.173.23.37 |
| AAAA | — |
| CNAME | — |
| NS | a12-65.akam.net, a5-64.akam.net, edns7.ultradns.com, edns7.ultradns.org, a1-74.akam.net, a20-66.akam.net |
| MX | 10 mxz3.klarna.com 10 mxz4.klarna.com 10 mxz2.klarna.com 10 mxz1.klarna.com |
| TXT | atlassian-sending-domain-verification=338b9828-abdc-47ba-a7cc-ff43879cd676 onetrust-domain-verification=f1cfcf5a17a1443a9840ee7d7d20517b h1-domain-verification=nX5CSVt8BnnqxGYyqqg2HgidsrZtt4sJQyVEm7oVmzyV2CMe stripe-verification=3d6a91bc028dbc33342d46b7ecdaed2d9b852f14f6c7140357eb3ffc42de... miro-verification=d95c8724c999fa1af903df65701afb9eaa7be836 amazonses:KykgeBpcrVVB9Zr3IrycvCOP0+7mILa+kqVe5RGn0HM= mixpanel-domain-verify=9b202fdc-ac1f-4a22-ab31-530379358732 cursor-domain-verification-fw4z39=YTxxRNgiXUaYUUzKO4plYQJnj notion_verify_GyxABFCztKqRR0DncwDUmHw4eNgV36qRwJmsyPbgEWHr310J2eAonkwC0JVexfxagY... apple-domain-verification=acfAqA586hLCUcGk google-site-verification=1x1qTESbVdqnmbawTLX6-6Ur6KRsgpoMw8KzgLLxeJM google-site-verification=5NxGwc5EEmujkfXUtK7b88RuhR6PL72PYKpBKYGfZpk ibmid=c0cb393f-6a6b-4875-9119-fc1ef607d660 twilio-domain-verification=a4d26b83fcbaddd8936c2e1cf73acef9 h1-domain-verification=wdWifkw4XsHWcYgFJZyrGw6ffvhzYkRzkY4pxz4DFMyp4gjE MS=AFBE0235AEF59FC78040593B2746870430B60F53 SPF v=spf1 include:sendgrid.net include:_spf.google.com include:_spf.atlassian.net i... facebook-domain-verification=kpv70oz0on4y0be27rsk0wqpu0llc9 loom-verification=4832737805 google-site-verification=tSivwC8Gmcgf0MUeFzuF0kkDXhlwUi_KeWqCGfnZtao ms-domain-verification=d1c65262-3b90-4d5d-8c44-f862a882b419 atlassian-domain-verification=kuCcSLhwSU7SWaSfCXQ0pJR783qYIG3A89aiMJH30Zzxef7QUx... 0ed1fe018a58f0d1fd606946a899401ae0d95bcd20 google-site-verification=6_dY5hOGAcQqUZpqOpBDjDr6JaLuvTbZybZ8R8ukw_E google-site-verification=rxTlu7Mi6MqURYuLMviRSrorzH0gYs7nPVtIKEj2MMg docusign=32cd5aff-353b-4525-b6d2-4a13de2e4257 h1-domain-verification=SY9BmbpLLmY7DA9pv5ppqWuRxafjboB611VRf4PJp6kSwiZ3 apple-domain-verification=u_R7G9MxjFepIDYHi_Dh_pb1cHP2JDVi3YjHw6BOihw mixpanel-domain-verify=bc248323-2a3e-4a4d-b594-22069eeacf09 adobe-idp-site-verification=34ebf3613749ecea2f0d07ba91a8c154e6353b68ae1a8176123e... jamf-site-verification=8RO43AzgwKpDVzTrxBPzHg stripe-verification=01edf9ebb08304ab10507250cc4ac81d210810a89dbaa31bc81d850b83fe... mixpanel-domain-verify=0d71a59a-746b-4ac5-a9d3-1fd76f0e4aeb anthropic-domain-verification-zjwwh6=4f79nJP1l04OjYQhOTmuhefC2 anthropic-domain-verification-fn3vqe=ycoyzxdAONanZ2sGPIpe8MZt4 stripe-verification=26377af821e53660c46ef45992cb376fcf48b13fec76e30ab132a33d1b28... openai-domain-verification=dv-Ax6dQektADYw5AWqh5zJQkkz paloaltonetworks-site-verification=9fc7984b6999f3550a11c4ae9036973e9c6483762ac61... _csg9035ikdbiu73g7zsmpudw4q3vyw7 docker-verification=04ef223c-b965-41d9-a49a-7ea3fdb19cc9 |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
ARedirect Chain1 redirect(s), 78 ms totalPASS
https://klarna.com
8 ms · HTTP/1.1
https://www.klarna.com/
70 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://klarna.com | 301 | 8 ms | HTTP/1.1 | CloudFront |
| 2 | https://www.klarna.com/ | 202 | 70 ms | HTTP/1.1 | CloudFront |
See the visual redirect chain in the HTTP Probe tab →
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
HTTP → HTTPS
Consistent
A+Domain Intelligenceklarna.com — via CSC Corporate Domains, Inc., 17 years, 7 months old, hosted on AWSPASS
150 days
December 12, 2026
201 days
Issued by Amazon
17 years, 7 months
Registered December 12, 2008
Not enabled
Protects against DNS spoofing
AWS
ASN AS16509
3.173.22.37
CSC Corporate Domains, Inc.
Expiry timeline
Recommended actions
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice