Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
BURL Variantswww/non-www, trailing slash, HTTP→HTTPSREVIEW
www / non-www
Inconsistent — duplicate content risk
HTTP → HTTPS
Consistent
BTLS Certificate Expiry & Recommendations51 days until leaf cert expires — 4 issues to addressREVIEW
Certificate validity
Recommended actions
- Add includeSubDomains to the HSTS directive
- Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+DNS Records3 A records, 15 ms lookupPASS
| A | 100.28.104.175, 98.83.184.133, 54.157.108.158 |
| AAAA | 2600:1f18:297:ba18:6ddc:5d8f:6053:f003, 2600:1f18:297:ba0e:7900:f622:48a8:f266, 2600:1f18:297:ba24:b508:76de:f4a:df34 |
| CNAME | — |
| NS | dns1.p09.nsone.net, ns0243.secondary.cloudflare.com, dns2.p09.nsone.net, dns3.p09.nsone.net, dns4.p09.nsone.net, ns0004.secondary.cloudflare.com |
| MX | 0 mxb-00262c01.gslb.pphosted.com 0 mxa-00262c01.gslb.pphosted.com |
| TXT | 06lbvwmgw17v9lcjddt2xv8krnby1sy7 458111aa584c42ff93f3847e07351879 90cdadc0e313448e9e53b744f2a8bcb7 9c2e4682d62e4bc1b83fd096b19b4133 Dynatrace-site-verification=2c825a10-c7d2-4d0d-ad9d-b3a297b87389__garjptoag7b575... Fastly-Verify-s8dk39din4n5jajsd8 I4PDudah320pFzRklVfDTkn9SIJHO4WKPRz7RsrLwWtjGL4Vqc78gFXDisko2giT3g+QTwfvYb4cPZy/... MS=ms19625380 MS=ms33190795 MS=ms66906550 MS=ms68193247 _9wqjcd0f9p5hunqt2p6enolap3ckxbv _globalsign-domain-verification=KRYUAaIdI2Hm0sL3et24xMRZ1Z04xSIOipNqTFowDv adobe-idp-site-verification=9b12eeee86b1217caefd9bbbc36da8e767b6c0cca5d2d3bf31c4... adobe-sign-verification=68cebdbe443dcb16df9d0a70159ea1b4 ahrefs-site-verification_a090368a0301a92f7320d0221998037d0a4585cfac2ea7f19842b55... anthropic-domain-verification-gza3ps=IbXgCu5n0ntv2zdI90Lo0PxMQ apple-domain-verification=8eUiChfwCLb5sgRU appspace-domain-verification=95717daa24b5c09519b505de173a1b8d2d0d37ec64cb70ce7d6... atlassian-domain-verification=E+wiTTQbdi+aIBlOe7MvMyDmxBdCed/oDG6hRZquh5QIu+JegS... atlassian-domain-verification=naOIwEMBtdvHkw+IbFFLC3NjVyvxpx+lz8FkxRTnOkMNCka9n9... cursor-domain-verification-w3k7jb=Mmgep5pBpOeN01mmeuk7k9UM8 docker-verification=998fe766-03cd-4edd-89ec-686a9bdb8ffd docusign=386b0618-baa0-4cdb-9a7f-8ab02ec40558 edisen-verification-key=8f029dc6-1fd2-4bdc-8ee5-073a334f3eaa elevenlabs=H5kuOqr8fZrhkFwf4r_Yujuxp6wI5N_aiKWp1i0QbN4 elevenlabs=oLxS0_BBKCrkY4U1UA2b2CNL58srDC1eIcrGISL79RE fastly_delegation-x6tUm3FMIioXHPmJtUf4-356335-2021-0325 flexera-domain-verification-llinghxwqvjodvhz google-site-verification:jycEA9SnsRqxr4yRvO178BZVLPhGVMXGjrjjmiIxaWs google-site-verification=ZH9b78AnoW-I4pg9tjWF2lKKfA0Dyqwm3p_SOGuSJo4 google-site-verification=wfRkqvYvkuHwHrdobgtemVB0CnFS2hXVus5ht3LAT3o jamf-site-verification=a3Fj5VQCdAtGX43rqyj1mQ jumpdesktop=b4fa936a2391b2c031678520a28921add6f4a4ac3124925307ed23a5d0cd mongodb-site-verification=Da5cIXJAed1ruJ6eaJM8TZbPwjpOBZNk mongodb-site-verification=T62Bm0WB86kaJUIZ4oCf0K3y7fjhW1LH mongodb-site-verification=WFelJyPKc7eyMd0LDavgsUk4sVH0TLPA mongodb-site-verification=zKDU5qGhEc0p64kdgWDPRGB2iIDxJsH9 onetrust-domain-verification=40c996e736cc495ca304800c7d770182 onetrust-domain-verification=61d8a6aba17340b3b5f0101aeae999eb openai-domain-verification=dv-cT9qwiInKClYkXoNTBhyJuzU openai-domain-verification=dv-r9tHTSsnvIsv2rnpBDBWwgYk parallels-domain-verification=19f7e985539e42cca485ea9a8dc3dd94c6f9931d85d8423b8e... smartsheet-site-validation=6fRfOip63D5bQxcxIgBuQ3nnkqKfkSL_ smartsheet-site-validation=nOrfn3FHZ5ADEze-eJlaIFva5NEYK4HJ SPF v=spf1 ip4:170.20.0.0/16 ip4:192.238.125.248/29 ip4:192.238.127.124/30 ip4:192.2... wiz-domain-verification=6fd13e7cdaff683d7d119656d141ce4e9caeec911c829518efb28e9a... wombat-verification=3KwxVCQV1HEp-aRXRTKKaZ5G0frhk zapier-domain-verification-challenge=182a380e-d8cb-48d0-8e86-3415469bd188 |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
ARedirect Chain1 redirect(s), 40 ms totalPASS
https://cbs.com
28 ms · HTTP/1.1
https://www.cbs.com/
12 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://cbs.com | 301 | 28 ms | HTTP/1.1 | redirectv2 |
| 2 | https://www.cbs.com/ | 200 | 12 ms | HTTP/1.1 | openresty |
See the visual redirect chain in the HTTP Probe tab →
A+IPv6 ReadinessIPv6 reachable (8 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 5477 URLsPASS
User-agent: *
Sitemap: https://www.cbs.com/sitemap.xml
Disallow: /shows/upfront_2015/
Disallow: /shows/upfront_2015/simulcast/
Allow: /thunder/canplayer/
Allow: /thunder/player/1_0/partner/can/
Allow: /thunder/player/1_0/partner/cbs/
Allow: /thunder/player/1_0/partner/config/skin_ad.xml
Disallow: /sitemap/
Disallow: /thunder/feeds/
Disallow: /thunder/player/1_0-backup/
Disallow: /thunder/player/1_0-bak/
Disallow: /thunder/player/admin/
Disallow: /thunder/player/chromeless/
Disallow: /thunder/player/fms3_5/
Disallow: /thunder/player/ford/
Disallow: /thunder/css/
Disallow: /thunder/include/
Disallow: /thunder/scripts/
Disallow: /thunder/swf/
Disallow: /thunder/partner/
Disallow: /thunder/player/test/
Disallow: /search/
Disallow: /sitesearch/
Disallow: /casting/includes/
Disallow: /cbs_cares/includes/
Disallow: /cbs_evening_news/includes/
Disallow: /classics/30_days_of_classics/includes/
Disallow: /classics/beauty_and_the_beast/includes/
Disallow: /classics/beverly_hills_90210/includes/
Disallow: /classics/dynasty/includes/
Disallow: /classics/family_ties/includes/
Disallow: /classics/have_gun_will_travel/includes/
Disallow: /classics/hawaii_five_0/includes/
Disallow: /classics/includes/
Disallow: /classics/macgyver/includes/
Disallow: /classics/melrose_place/includes/
Disallow: /classics/perry_mason/includes/
Disallow: /classics/star_trek/includes/
Disallow: /classics/the_ed_sullivan_show/includes/
Disallow: /classics/the_love_boat/includes/
Disallow: /classics/the_twilight_zone/includes/
Disallow: /classics/twin_peaks/includes/
Disallow: /closedcaption/
Disallow: /games/includes/
Disallow: /info/schedule/includes/
Disallow: /info/sitemap/includes/
Disallow: /info/user_feedback/includes/
Disallow: /originals/includes/
Disallow: /originals/inturn3/includes/
Disallow: /originals/stephen_kings_n/includes/
Disallow: /sales/includes/
Disallow: /sitecommon/includes/
Disallow: /sitecommon/includes/cms/includes/
Disallow: /thunder/player/tv/includes/
Disallow: /video/includes/
Disallow: /hounds-of-diana/
Disallow: /upload/
A+Domain Intelligencecbs.com — via MarkMonitor Inc., 32 years, 9 months oldPASS
150 days
December 15, 2026
51 days
Issued by Let's Encrypt
32 years, 9 months
Registered December 16, 1993
Not enabled
Protects against DNS spoofing
Unknown
2600:1f18:297:ba0e:7900:f622:48a8:f266
MarkMonitor Inc.
Expiry timeline
Recommended actions
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice