Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.BTLS Certificate Expiry & Recommendations52 days until leaf cert expires — 4 issues to addressREVIEW
Certificate validity
Recommended actions
- Add includeSubDomains to the HSTS directive
- Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryNetlifyREVIEW
A+DNS Records2 A records, 73 ms lookupPASS
| A | 98.84.224.111, 18.208.88.157 |
| AAAA | 2600:1f18:16e:df01::259, 2600:1f18:16e:df01::258 |
| CNAME | — |
| NS | woz.ns.cloudflare.com, sara.ns.cloudflare.com |
| MX | 1 aspmx.l.google.com 5 alt1.aspmx.l.google.com 5 alt2.aspmx.l.google.com 10 aspmx2.googlemail.com 10 aspmx3.googlemail.com |
| TXT | apple-domain-verification=jiNntnl7jd5HxJ2W cursor-domain-verification-zhnept=Si0arsYVCTEZDCkpV1cMy0Aom SPF v=spf1 include:_spf.google.com include:cmail1.com include:spf.mandrillapp.com in... ahrefs-site-verification_d51316db926b7f8ab3f81f2080d57be72c9d635e9a8888dcbefcb4d... cloudflare_dashboard_sso=01514b4f7cf8ccfb2c6731aba449193c google-site-verification=5Ate8bq8VfHBYziHQlc1d2tkv_SFwQJseqXkX6hg2D4 1password-site-verification=5346HQKPM5HZBGBGWUZ5ZKFUOI status-page-domain-verification=vvyvvt0yn5z4 adn_verification=ghost google-site-verification=CZRMn6O1gf0kzHSuR90yLccVJCc7oTAMWISpNKt9zEg google-site-verification=GIBr_OFEplZnFkkvpsy8qck5wbC3EKnCjpsjcbn72SA |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
A+Redirect ChainNo redirects — direct accessPASS
https://ghost.org
99 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://ghost.org | 200 | 99 ms | HTTP/1.1 | Netlify |
A+IPv6 ReadinessIPv6 reachable (7 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 21 URLsPASS
Sitemap: https://ghost.org/sitemap.xml
User-agent: *
Allow: /
Disallow: /explore/?*sortBy
Disallow: /explore/?*lang
Disallow: /explore/?*query
Disallow: /explore?*sortBy
Disallow: /explore?*lang
Disallow: /explore?*query
- https://ghost.org/sitemap-pages.xml
- https://ghost.org/sitemap-experts.xml
- https://ghost.org/sitemap-integrations.x...
- https://ghost.org/sitemap-themes.xml
- https://ghost.org/sitemap-move-to-ghost....
- https://ghost.org/resources/sitemap-page...
- https://ghost.org/resources/sitemap-post...
- https://ghost.org/resources/sitemap-auth...
- https://ghost.org/resources/sitemap-tags...
- https://ghost.org/help/sitemap-pages.xml
- https://ghost.org/help/sitemap-posts.xml
- https://ghost.org/help/sitemap-authors.x...
- https://ghost.org/help/sitemap-tags.xml
- https://ghost.org/changelog/sitemap-page...
- https://ghost.org/changelog/sitemap-post...
- https://ghost.org/changelog/sitemap-auth...
- https://ghost.org/changelog/sitemap-tags...
- https://ghost.org/tutorials/sitemap-page...
- https://ghost.org/tutorials/sitemap-post...
- https://ghost.org/tutorials/sitemap-auth...
- https://ghost.org/tutorials/sitemap-tags...
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: non-www
HTTP → HTTPS
Consistent
A+Domain Intelligenceghost.org — via 1API GmbH, 21 years oldPASS
1079 days
June 25, 2029
52 days
Issued by Let's Encrypt
21 years
Registered June 25, 2005
Not enabled
Protects against DNS spoofing
Unknown
2600:1f18:16e:df01::258
1API GmbH
Expiry timeline
Recommended actions
- Enable DNSSEC to protect visitors from DNS spoofing
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033