Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.FRedirect ChainAction4 redirect(s), 1753 ms totalFIX
https://aaa.com
286 ms · HTTP/1.1
https://www.aaa.com/
504 ms · HTTP/1.1
https://zipgate.aaa.com/
390 ms · HTTP/1.1
https://www.aaa.com/stop
442 ms · HTTP/1.1
https://www.aaa.com/stop/
132 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://aaa.com | 301 | 286 ms | HTTP/1.1 | |
| 2 | https://www.aaa.com/ | 302 | 504 ms | HTTP/1.1 | WebServer |
| 3 | https://zipgate.aaa.com/ | 302 | 390 ms | HTTP/1.1 | |
| 4 | https://www.aaa.com/stop | 301 | 442 ms | HTTP/1.1 | WebServer |
| 5 | https://www.aaa.com/stop/ | 200 | 132 ms | HTTP/1.1 | WebServer |
See the visual redirect chain in the HTTP Probe tab →
Each redirect adds latency. Try to minimize the chain to 1 hop.
Redirect chain — each hop adds latency; combine into one redirect where possible.
Source: Google Search Central / web.dev
If permanent, use 301 instead.
302 (Found) is for genuinely temporary redirects — if this redirect is permanent, switch to 301 to preserve SEO equity.
Learn more ▾ ▴
Search engines treat 302 as temporary, keeping the original URL indexed and not transferring full link equity to the destination. Use 301 (Moved Permanently) for permanent redirects (HTTP→HTTPS, www-vs-non-www, URL restructures).
Source: Google Search Central
DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
CIPv6 ReadinessActionNo IPv6 supportREVIEW
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.
Source: Google IPv6 stats
BTLS Certificate Expiry & Recommendations50 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+DNS Records2 A records, 96 ms lookupPASS
| A | 45.60.62.121, 45.60.107.121 |
| AAAA | — |
| CNAME | — |
| NS | ns-101.awsdns-12.com, ns-1804.awsdns-33.co.uk, ns-1419.awsdns-49.org, ns-869.awsdns-44.net |
| MX | — |
| TXT | _lw7kb3cizh27m29ycon3f9bvfu136ia v8hr8l054k3cqzqck40cr0ljm37zkst3 _7991b7sklpb1xxhbmceqcigvpbgmhtj khj670qif50j8omlecjbbgdv1d _vj4mrlppcbgu25uopwy8la6smnwctae _7s6txocg34ar7mn77crguq3z1yi9tzm _2anvbln3dm65rhswca0u9j2sjablzvl eqf9c3ovro1sldh3cm6urvfbqt _vsbg4qprw1qy50breoqbs6b9g7mp07m globalsign-domain-verification=f1074ed7a09f78f15fcca26f83c3f9fc nibameu803d8nvsfi0e8rt1kb2 FA38-6E17-227C-1BC1-5A14-B8D7-B0EB-3AE5 vc-domain-verify=test.southjersey.aaa.com,8c6c51f0b9aecff2091e vnsvEx6eHqPU8yeJYitByKHKwGHxjifIHBZEDTWp1DY D39B-6EDE-D147-F843-551C-3F44-3579-8D1F gh2mosm9fi3b9f96eltjuvf622 ekcv6rc9d44ttqocfehvr3m8vr 8p7amcv4i9ksacqnmpn89desv4 4me2mkom8pdsuu32ln7qk1uld google-site-verification=bkLaSD15dzk-m2Mu3hbs76P1s9_LkLG_Hf9hPUJi1kQ _cvtc4y65c07l0ocw0m3k1fb451a6wox vc-domain-verify=dev.southjersey.aaa.com,500e7e9dee3c778d3d33 6p8sc7wr41wbbw73d3ljqry0x5pph1hs wz1rkpvpvvfzh1f9f4z8rg4sztwdywfj google-site-verification=nxm7rcXKT1VfSxCnCFVQ9j-CrM-huAQCJJhJf5-Jc7g p5scwcz5tw0ctsr01n2yt22yxc2jb2fh 2AD6-6EAE-E938-0DDC-09B5-1B13-7270-65FE apple-domain-verification=eTs6_6qi7-ojZijObIhbxo8ISMz4ELuwAEELFO_ynF4 4q666jpvpvqzzzcc6nzd4fsx67hlyqlj zscaler-verification-134272523-11062025-K#7B310NR globalsign-domain-verification=C28CC827BEED534A45F396CCB8D89FF7 150728 _fd2w4ldtj9qp9sf7yx0po5ehvcwctsd google-site-verification=nid6eJqErYGyq5YSiKuVUSWGaDXUdVmAaaDLKLxrzTc _6uxkxuo7y5pg5tkdekey69cwarjllhs globalsign-domain-verification=48973C890E7BD907458E4E0592AC20C9 xpzkvf98mkw4mtsbjm188cs76fdlvwrq _9iigm039ajwgnm8nufkvsgcw833njoy _5p9bawuh1canl3wilv6jq2ws0diadmx _rt90shaltf93icykr0tl0bbif7lk634.dcv.digicert.com gn2s6dcc7n4nm3089p8s3hbjlq401nnf google-site-verification=vnsvEx6eHqPU8yeJYitByKHKwGHxjifIHBZEDTWp1DY google-site-verification=dY3jMjQv0p6B_62uSI8kwXUHZ4YOGlqVB4kwzeCpHZw fdveja64jlfcs0hv13i9pd34kq _1zzk2uuiyxhlehwepmqjv1aded69msa google-site-verification=4Xoi8EfC8puTbWE5GnOLIvt4wux4vSXv5sNYtm13i8k l01ra88of48f21tbbq65s1ubvc _4zi1d16h05wgvuj1iy6zfwcwhnbj0ir iqju6lv9evd473jgftem71anvb apq4t1i0612g9pc69b4pkj2s2r _694xgi88d7hjll4nfhcssko7oj21kqk lmvin4nlenn01arknb6brnajun _uhflfmq9p24lh4g8ny4s3nrh95eiq4g 44D1-08A4-B4FB-B689-D5DC-E966-CBC2-30FE mag53fiu406847ffp1cev373bq _2j871yc4531neszv94e0vibgou94xui 66lv5gxvd8xmk6rw81lwgb9kfxf9j7nl globalsign-domain-verification=AB9215594777E3E32FCA222DDBDD081E _refx100r9e8dfv2jwhqni8pwyulel72 btqoob4ppn4g5rqapic2hlkhfv _yzin11c5ohiq57qfp3f80sc1lcupgl6 9o54qj4fm74ig2jdntiqabqbg6 l8g4g54j6m65d8ffnn6jvacnk7 247j5tj5v903f1x20v89rggfdhwpgv75 _dy8qlhkk1x8k9eike8jj0hapef3m2ps 1hnl1iu1l42qeatttltda7ss9p _ijy4yoqjzzbxkiwitbcbsizx8rm29jm _bm1xp2bkquetsbl6t32iamqo4s3rsan google-site-verification=OXZwE8L4XGZTwueJC7sz2D23npDVx3QhlUxS0DY7QRs vovhb3qkr9kmbjq4o82ulpghkh d9b6pe36c6lnudlcaijo6s7nqk _vtesmahxs5x1ho5ba1uf80nchnmp2ud _y2xw1wbr4ed0uw9wpp03w5jwzrvdtka globalsign-domain-verification=0E35B95A68BF8FCC953DF6B8F1A059DC 3i37j35k04dlke4189evt2nird google-gws-recovery-domain-verification=62088695 rbf8wq0dhvpb2mchwdqcgs6x9g4626z1 t1ypxdg8bg3r7r71mqfn2g5p968sy1fm vc-domain-verify=membership.southjersey.aaa.com,e2d1f31eea92601ec57c glc9ujvhvs94hr6oj2id094qu3 i6tfto0br3dphasqcb0p2hpqau Probely=d29279f1-ac8b-415f-a6e1-f10422f3f104 9xj7k916bqtwy74zjs2q4bz2dnt94wrl _wxbqm8bxlci7wldoynia4pl3u6r0dsp mlnt15nn383ntijc460iqim97a cfeq5hfk1por6ljt48705ei6lm 6urjouvfrdi6ph2fjftr8ek67e |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.
Learn more ▾ ▴
SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.
Source: RFC 7208 (SPF)
A+Crawlabilityrobots.txt present, sitemap with 19 URLsPASS
# For domain: http://www.aaa.com
User-agent: *
Allow: /aaa/common/travel/car/*
Disallow: /aaa/*
Disallow: /travel2/tourbook/*
Disallow: /travel2/destination/*
Disallow: /travel2/sycs/*
Disallow: /scripts/WebObjects.dll/*
Disallow: /tripcanvas/search
Sitemap: http://www.aaa.com/sitemapindex.xml
- https://aaa.com/tripcanvas/featured/sit...
- https://travel.aaa.com/sitemap.xml
- https://aaa.com/tripcanvas/sitemapindex...
- http://www.aaa.com/travelinfo/seovacati...
- https://tourbook.aaa.com/sitemap.xml
- https://discounts.aaa.com/sitemap.xml
- https://roadside.aaa.com/sitemap.xml
- https://membership.aaa.com/sitemap.xml
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seorepair...
- http://www.aaa.com/travelinfo/seodiamon...
- http://www.aaa.com/travelinfo/seoevents...
- http://www.aaa.com/travelinfo/seoaar_sit...
- http://locator.aaa.com/locator.aaa.com_s...
- https://triptik.aaa.com/home
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: non-www
HTTP → HTTPS
Consistent
A+Domain Intelligenceaaa.com — via MarkMonitor Inc., 36 years, 2 months old, hosted on INCAPSULA - Incapsula Inc, USPASS
1477 days
August 2, 2030
50 days
Issued by GlobalSign nv-sa
36 years, 2 months
Registered August 3, 1990
Not enabled
Protects against DNS spoofing
INCAPSULA - Incapsula Inc, US
ASN AS19551
45.60.107.121
MarkMonitor Inc.
Expiry timeline
Recommended actions
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice