Skip to content
https://cbs.com

Infrastructure

· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
94
GRADE
A
FIX
1
REVIEW
2
PASS
6
INFO
0
Probed from New York, United Stated
301 Moved Permanently
Checks
9
6 PASS 2 REVIEW 1 FIX
D
CDN & Delivery
Action
No CDN detected
FIX
No CDN detected
Warning::
No CDN detected
A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.
No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

B
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
REVIEW
www/non-www, trailing slash, HTTP→HTTPS
Critical::
Both www and non-www versions serve content
Got: Both variants return 200 Expected: One variant 301-redirects to the other
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

200https://www.cbs.com/
200https://cbs.com/

Inconsistent — duplicate content risk

HTTP → HTTPS

301http://cbs.com/ https://www.cbs.com/

Consistent

B
TLS Certificate Expiry & Recommendations
51 days until leaf cert expires — 4 issues to address
REVIEW

Certificate validity

51
days left
0d 30d 60d 90d+

Recommended actions

  • Add includeSubDomains to the HSTS directive
  • Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+
DNS Records
3 A records, 15 ms lookup
PASS
3 A records, 15 ms lookup
Info::
Resolves to 3 IPv4 address(es)
Got: 100.28.104.175, 98.83.184.133, 54.157.108.158
Info::
Has 3 IPv6 (AAAA) record(s)
Got: 2600:1f18:297:ba18:6ddc:5d8f:6053:f003, 2600:1f18:297:ba0e:7900:f622:48a8:f266, 2600:1f18:297:ba24:b508:76de:f4a:df34
Info::
6 nameserver(s) configured
Got: dns1.p09.nsone.net, ns0243.secondary.cloudflare.com, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com
Info::
2 mail exchanger(s) configured
Info::
CAA records not checked
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Info::
SPF record present in TXT
Info::
DNS resolution time: 15 ms
Got: 15 ms
A100.28.104.175, 98.83.184.133, 54.157.108.158
AAAA2600:1f18:297:ba18:6ddc:5d8f:6053:f003, 2600:1f18:297:ba0e:7900:f622:48a8:f266, 2600:1f18:297:ba24:b508:76de:f4a:df34
CNAME
NSdns1.p09.nsone.net, ns0243.secondary.cloudflare.com, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com
MX
0 mxb-00262c01.gslb.pphosted.com
0 mxa-00262c01.gslb.pphosted.com
TXT
06lbvwmgw17v9lcjddt2xv8krnby1sy7
458111aa584c42ff93f3847e07351879
90cdadc0e313448e9e53b744f2a8bcb7
9c2e4682d62e4bc1b83fd096b19b4133
Dynatrace-site-verification=2c825a10-c7d2-4d0d-ad9d-b3a297b87389__garjptoag7b575...
Fastly-Verify-s8dk39din4n5jajsd8
I4PDudah320pFzRklVfDTkn9SIJHO4WKPRz7RsrLwWtjGL4Vqc78gFXDisko2giT3g+QTwfvYb4cPZy/...
MS=ms19625380
MS=ms33190795
MS=ms66906550
MS=ms68193247
_9wqjcd0f9p5hunqt2p6enolap3ckxbv
_globalsign-domain-verification=KRYUAaIdI2Hm0sL3et24xMRZ1Z04xSIOipNqTFowDv
adobe-idp-site-verification=9b12eeee86b1217caefd9bbbc36da8e767b6c0cca5d2d3bf31c4...
adobe-sign-verification=68cebdbe443dcb16df9d0a70159ea1b4
ahrefs-site-verification_a090368a0301a92f7320d0221998037d0a4585cfac2ea7f19842b55...
anthropic-domain-verification-gza3ps=IbXgCu5n0ntv2zdI90Lo0PxMQ
apple-domain-verification=8eUiChfwCLb5sgRU
appspace-domain-verification=95717daa24b5c09519b505de173a1b8d2d0d37ec64cb70ce7d6...
atlassian-domain-verification=E+wiTTQbdi+aIBlOe7MvMyDmxBdCed/oDG6hRZquh5QIu+JegS...
atlassian-domain-verification=naOIwEMBtdvHkw+IbFFLC3NjVyvxpx+lz8FkxRTnOkMNCka9n9...
cursor-domain-verification-w3k7jb=Mmgep5pBpOeN01mmeuk7k9UM8
docker-verification=998fe766-03cd-4edd-89ec-686a9bdb8ffd
docusign=386b0618-baa0-4cdb-9a7f-8ab02ec40558
edisen-verification-key=8f029dc6-1fd2-4bdc-8ee5-073a334f3eaa
elevenlabs=H5kuOqr8fZrhkFwf4r_Yujuxp6wI5N_aiKWp1i0QbN4
elevenlabs=oLxS0_BBKCrkY4U1UA2b2CNL58srDC1eIcrGISL79RE
fastly_delegation-x6tUm3FMIioXHPmJtUf4-356335-2021-0325
flexera-domain-verification-llinghxwqvjodvhz
google-site-verification:jycEA9SnsRqxr4yRvO178BZVLPhGVMXGjrjjmiIxaWs
google-site-verification=ZH9b78AnoW-I4pg9tjWF2lKKfA0Dyqwm3p_SOGuSJo4
google-site-verification=wfRkqvYvkuHwHrdobgtemVB0CnFS2hXVus5ht3LAT3o
jamf-site-verification=a3Fj5VQCdAtGX43rqyj1mQ
jumpdesktop=b4fa936a2391b2c031678520a28921add6f4a4ac3124925307ed23a5d0cd
mongodb-site-verification=Da5cIXJAed1ruJ6eaJM8TZbPwjpOBZNk
mongodb-site-verification=T62Bm0WB86kaJUIZ4oCf0K3y7fjhW1LH
mongodb-site-verification=WFelJyPKc7eyMd0LDavgsUk4sVH0TLPA
mongodb-site-verification=zKDU5qGhEc0p64kdgWDPRGB2iIDxJsH9
onetrust-domain-verification=40c996e736cc495ca304800c7d770182
onetrust-domain-verification=61d8a6aba17340b3b5f0101aeae999eb
openai-domain-verification=dv-cT9qwiInKClYkXoNTBhyJuzU
openai-domain-verification=dv-r9tHTSsnvIsv2rnpBDBWwgYk
parallels-domain-verification=19f7e985539e42cca485ea9a8dc3dd94c6f9931d85d8423b8e...
smartsheet-site-validation=6fRfOip63D5bQxcxIgBuQ3nnkqKfkSL_
smartsheet-site-validation=nOrfn3FHZ5ADEze-eJlaIFva5NEYK4HJ
SPF v=spf1 ip4:170.20.0.0/16 ip4:192.238.125.248/29 ip4:192.238.127.124/30 ip4:192.2...
wiz-domain-verification=6fd13e7cdaff683d7d119656d141ce4e9caeec911c829518efb28e9a...
wombat-verification=3KwxVCQV1HEp-aRXRTKKaZ5G0frhk
zapier-domain-verification-challenge=182a380e-d8cb-48d0-8e86-3415469bd188
CAALookup not available with standard resolver
Resolved in 15 ms

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

A
Redirect Chain
1 redirect(s), 40 ms total
PASS
1 redirect(s), 40 ms total
Info::
Single redirect
Got: https://cbs.com → https://www.cbs.com/ (301)
Info::
WWW normalization redirect

https://cbs.com

28 ms · HTTP/1.1

301

https://www.cbs.com/

12 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://cbs.com30128 msHTTP/1.1redirectv2
2https://www.cbs.com/20012 msHTTP/1.1openresty

See the visual redirect chain in the HTTP Probe tab →

A+
IPv6 Readiness
IPv6 reachable (8 ms)
PASS
IPv6 reachable (8 ms)
Info::
IPv6 is configured and reachable at 2600:1f18:297:ba18:6ddc:5d8f:6053:f003, 2600:1f18:297:ba0e:7900:f622:48a8:f266, 2600:1f18:297:ba24:b508:76de:f4a:df34
Got: 8 ms connect
IPv6 Ready
AAAA Records 2600:1f18:297:ba18:6ddc:5d8f:6053:f003, 2600:1f18:297:ba0e:7900:f622:48a8:f266, 2600:1f18:297:ba24:b508:76de:f4a:df34 Connection Reachable (8 ms)
A+
Crawlability
robots.txt present, sitemap with 5477 URLs
PASS
robots.txt present, sitemap with 5477 URLs
Info::
robots.txt is present
Got: 2049 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 5477 entries
Info::
robots.txt references sitemap
robots.txt 200 OK
Size 2049 B Sitemaps referenced 1 User-agents * Blocking No — crawling allowed
User-agent: *
Sitemap: https://www.cbs.com/sitemap.xml
Disallow: /shows/upfront_2015/
Disallow: /shows/upfront_2015/simulcast/
Allow: /thunder/canplayer/
Allow: /thunder/player/1_0/partner/can/
Allow: /thunder/player/1_0/partner/cbs/
Allow: /thunder/player/1_0/partner/config/skin_ad.xml
Disallow: /sitemap/
Disallow: /thunder/feeds/
Disallow: /thunder/player/1_0-backup/
Disallow: /thunder/player/1_0-bak/
Disallow: /thunder/player/admin/
Disallow: /thunder/player/chromeless/
Disallow: /thunder/player/fms3_5/
Disallow: /thunder/player/ford/
Disallow: /thunder/css/
Disallow: /thunder/include/
Disallow: /thunder/scripts/
Disallow: /thunder/swf/
Disallow: /thunder/partner/
Disallow: /thunder/player/test/
Disallow: /search/
Disallow: /sitesearch/
Disallow: /casting/includes/
Disallow: /cbs_cares/includes/
Disallow: /cbs_evening_news/includes/
Disallow: /classics/30_days_of_classics/includes/
Disallow: /classics/beauty_and_the_beast/includes/
Disallow: /classics/beverly_hills_90210/includes/
Disallow: /classics/dynasty/includes/
Disallow: /classics/family_ties/includes/
Disallow: /classics/have_gun_will_travel/includes/
Disallow: /classics/hawaii_five_0/includes/
Disallow: /classics/includes/
Disallow: /classics/macgyver/includes/
Disallow: /classics/melrose_place/includes/
Disallow: /classics/perry_mason/includes/
Disallow: /classics/star_trek/includes/
Disallow: /classics/the_ed_sullivan_show/includes/
Disallow: /classics/the_love_boat/includes/
Disallow: /classics/the_twilight_zone/includes/
Disallow: /classics/twin_peaks/includes/
Disallow: /closedcaption/
Disallow: /games/includes/
Disallow: /info/schedule/includes/
Disallow: /info/sitemap/includes/
Disallow: /info/user_feedback/includes/
Disallow: /originals/includes/
Disallow: /originals/inturn3/includes/
Disallow: /originals/stephen_kings_n/includes/
Disallow: /sales/includes/
Disallow: /sitecommon/includes/
Disallow: /sitecommon/includes/cms/includes/
Disallow: /thunder/player/tv/includes/
Disallow: /video/includes/
Disallow: /hounds-of-diana/
Disallow: /upload/

A+
Domain Intelligence
cbs.com — via MarkMonitor Inc., 32 years, 9 months old
PASS
cbs.com — via MarkMonitor Inc., 32 years, 9 months old
Info::
Domain registered until Dec 15, 2026 (7 months remaining)
Info::
DNSSEC is not enabled
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Info::
Registrar: MarkMonitor Inc.
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Domain expiry

150 days

December 15, 2026

SSL certificate

51 days

Issued by Let's Encrypt

Domain age

32 years, 9 months

Registered December 16, 1993

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

Unknown

2600:1f18:297:ba0e:7900:f622:48a8:f266

Registrar

MarkMonitor Inc.

Unlocked 6 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
  • Enable DNSSEC to protect visitors from DNS spoofing
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar MarkMonitor Inc.
Created December 16, 1993 (32 years, 9 months ago)
Expires December 15, 2026 (7 months)
Last Updated November 13, 2025
Name Servers dns1.p09.nsone.net, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com, ns0243.secondary.cloudflare.com
DNSSEC Not enabled
Hosting
IP Address 2600:1f18:297:ba0e:7900:f622:48a8:f266
Data source: rdap (0.0s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A+
HTTP Probe Timing
Total 27 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
PASS
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
4 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
7 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
10 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
27 ms
Total Time Total request time from DNS lookup through full response.
28 ms

Connection waterfall

DNS Lookup 4 ms TCP Connect 7 ms TLS Handshake 10 ms Server Processing 7 ms Content Transfer 0 ms
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback