https://lazada.sg

Security

12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
Score: 73 | Grade: C | Fix: 2 | Review: 5 | Pass: 5 | Info: 0 | Checks: 12
Subresource Integrity
Grade: F
Status: FIX
0 of 43 external resources have SRI
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/AWSC/fireyejs/1.231.69/fireyejs.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/??/sd/baxia/2.5.36/baxiaCommon.js
Warning::
External script from g.alicdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.alicdn.com/secdev/sufei_data/3.9.14/index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/AWSC/et/1.83.41/et_f.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/lzd_sec/epssw/0.0.48/epssw.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/??/AWSC/AWSC/awsc.js,/sd/baxia-entry/baxiaCommon.js
Warning::
External link from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/code/npm/@ali/lazada-buyer-im-pc/1.0.17/index.css
Warning::
External script from sg.mmstat.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sg.mmstat.com/eg.js
Warning::
External link from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/code/npm/@ali/multimod-lzd-member__signup-login-pop/1.1.7/lib-signuppop/index.umd.es5.production.css
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/??code/npm/@ali/lzdrwb-seometa/5.0.3/index-pc.js,code/npm/@ali/lzdrwb-homepage-react/1.3.4/index-pc.js,code/npm/@ali/gcom-lang-i18n/1.0.0/index.js,code/npm/@ali/lzdrwb-homepage-react/1.3.4/vendor.cjs.es5.production.js
Warning::
External script from fourier.taobao.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fourier.taobao.com/rp?ext=51&data=jm_null&random=6889261302237598&href=https%3A%2F%2Fwww.lazada.sg%2F%23%3F&protocol=https:&callback=jsonpCallback
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/res-d/alilog/mlog/aplus/202980191.js
Warning::
External link from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/css/615.css
Warning::
External link from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/css/p_index-index.css
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/mtb/lib-mtop/2.7.3/mtop.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/g/lzd/assets/1.2.13/??react/16.8.0/react.production.min.js,react-dom/16.8.0/react-dom.production.min.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/lzd/??polyfill/0.0.1/index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/lzd/assets/0.0.5/next/0.19.21/next.min.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/woodpeckerx/itrace-next/??itrace-jserror.iife.js,itrace-interface.iife.js,itrace-perf.iife.js,itrace-flow.iife.js,itrace-blank.iife.js,itrace-resource.iife.js,itrace.iife.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g.lazcdn.com/res-o/lzdfe/lzd-h5-itrace/index-module.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/??mui/feloader/5.0.5/feloader-min.js,code/npm/@ali/pnpm-react/18.2.0/6a96e9f5.js,code/npm/@ali/pnpm-react/18.2.0/index.js,code/npm/@ali/pnpm-react-dom/18.2.1/280b565f.js,code/npm/@ali/pnpm-react-dom/18.2.1/client.js,code/npm/@ali/pnpm-react-dom/18.2.1/index.js,code/npm/@ali/gcom-lzd-sites/1.7.0/index.js,code/npm/@ali/gcom-lzd-cookie/1.7.0/index.js,code/npm/@ali/gcom-lzd-env/1.5.0/index.js,code/npm/@ali/gcom-lzd-qs/1.3.4/index.js,code/npm/@ali/gcom-jsonp/1.4.0/index.js,code/npm/@ali/gcom-lzd-mtop/1.3.0/index.js,code/npm/@ali/gcom-lzd-data-prefetch/1.4.0/index.js,code/npm/@ali/gcom-lzd-resize/1.5.4/index.js,code/npm/@ali/pnpm-react/18.2.0/jsx-runtime.js,code/npm/@ali/gcom-lzd-version-compare/1.4.0/index.js,code/npm/@ali/gcom-lzd-device/0.0.1/index.js,code/npm/@ali/gcom-lzd-push/0.0.16/index.js,code/npm/@ali/gcom-lzd-render-v3/1.0.110/index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/code/npm/@ali/gcom-pc-anonymous-cart-sdk/1.0.3/lib_anonymousCart/index.umd.es5.production.js
Warning::
External link from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/lazada-search-fe/lzd-searchbox/0.4.26/index.css
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/lazada-search-fe/lzd-searchbox/0.4.26/index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/code/npm/@ali/multimod-lzd-member__signup-login-pop/1.1.7/lib-signuppop/index.umd.es5.production.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/??mmfe/cps-rt-tracking/0.0.6/index.js,lzdmod/back-to-third-party-app/5.0.2/m/button.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/809.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/772.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/432.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/158.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/p_index-index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/framework.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/386.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/psolution/lzd-head-foot/1.4.5/js/main.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/res-o/lzd_sec/LWSC/index.js
Warning::
External script from g.lazcdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //g.lazcdn.com/g/code/npm/@ali/lazada-buyer-im-pc/1.0.17/index.js
SRI Coverage: 0 / 43 of external resources have integrity hashes
Permissions-Policy
Grade: D
Status: FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
Security Headers
Grade: B
Status: REVIEW
6 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31536000
Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: no-referrer-when-downgrade
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self' *.lazada.sg *.slatic.net *.lazcdn.com *.alicdn.com
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: Tengine/Aserver

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is to append one directive. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

Content Security Policy
Grade: B
Status: REVIEW
5 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self' *.lazada.sg *.slatic.net *.lazcdn.com *.alicdn.com
Info::
default-src directive is set
Got: default-src 'self' *.lazada.sg *.slatic.net *.lazcdn.com *.alicdn.com
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'self' *.lazada.sg *.slatic.net *.lazcdn.com *.alicdn.com
Information Leakage
Grade: B
Status: REVIEW
Critical exposure detected
Critical::
/.svn/entries is publicly accessible
Version control directory is accessible. This exposes source code and potentially secrets. Block access in your web server configuration.
Info::
security.txt is present — good practice

Critical exposure: sensitive files are publicly accessible.

Path | Status | Category | Risk
/.git/HEAD | Not found | Version Control | -
/.git/config | Not found | Version Control | -
/.svn/entries | Exposed | Version Control | Critical
/.env | Not found | Configuration | -
/.env.local | Not found | Configuration | -
/.env.production | Not found | Configuration | -
/wp-config.php | Not found | Configuration | -
/.htaccess | Not found | Configuration | -
/phpinfo.php | Not found | Debug | -
/server-status | Not found | Debug | -
/server-info | Not found | Debug | -
/.well-known/security.txt | Exposed | Security Policy | Info
CORS Configuration
Grade: B
Status: REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration: Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
security.txt
Grade: B
Status: REVIEW
Published with 0 contact(s)
TLS & Certificates
Grade: A+
Status: PASS
TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 76 days)
Got: 2026-07-08T05:56:01Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 147 domain(s)
Info::
Certificate is issued by a trusted CA
Got: CN=GlobalSign GCC R3 OV TLS CA 2024,O=GlobalSign nv-sa,C=BE

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol: TLS 1.2
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
HTTP Version: HTTP/1.1

Certificate Chain

Leaf Certificate
Subject: CN=*.lazada.com,O=Alibaba (China) Technology Co.\, Ltd.,L=HangZhou,ST=ZheJiang,C=CN
Issuer: CN=GlobalSign GCC R3 OV TLS CA 2024,O=GlobalSign nv-sa,C=BE
Valid: 2025-06-06T06:02:01Z → 2026-07-08T05:56:01Z
Expires in 76 days
SANs: 147 domain(s)
Signature: SHA256-RSA
Serial: 6e4476b8633a0d242eab3e82
Intermediate (CA Certificate)
Subject: CN=GlobalSign GCC R3 OV TLS CA 2024,O=GlobalSign nv-sa,C=BE
Issuer: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Valid: 2024-09-18T03:14:38Z → 2029-03-18T00:00:00Z
Expires in 1060 days
Signature: SHA256-RSA
Serial: 81e5ab98e46f35b91c2ffa178718c85a
Intermediate (CA Certificate)
Subject: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Valid: 2018-09-19T00:00:00Z → 2028-01-28T12:00:00Z
Expires in 645 days
Signature: SHA256-RSA
Serial: 1ee5f169dff97352b6465d66a
Cookie Security
Grade: A+
Status: PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

JS Library Vulnerabilities
Grade: A+
Status: PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

Email Security
Grade: A
Status: PASS
DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy: quarantine — good protection
Record: v=DMARC1; p=quarantine; rua=mailto:dmarc_alibaba@service.alibaba.com; ruf=mailto:dmarc_alibaba@service.alibaba.com
Transport Security
Grade: A
Status: PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (base policy)
Info::
HSTS missing includeSubDomains
Without includeSubDomains, HSTS only protects the exact domain.
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.
