Skip to content
https://bamboohr.com

Infrastructure

· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
82
GRADE
B
FIX
1
REVIEW
2
PASS
6
INFO
0
Probed from Madrid, Spain
301 Moved Permanently
Checks
9
6 PASS 2 REVIEW 1 FIX
F
IPv6 Readiness
Action
IPv6 records exist but unreachable
FIX
IPv6 records exist but unreachable
Warning::
IPv6 DNS records exist but server is not reachable
Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.
Got: 2001:4801:7903:100:c9ef:b020:0:b
Info::
IPv6 connection error
Got: dial tcp6 [2001:4801:7903:100:c9ef:b020:0:b]:443: i/o timeout
IPv6 Misconfigured
AAAA Records 2001:4801:7903:100:c9ef:b020:0:b Connection UNREACHABLE

Having AAAA records but an unreachable server is worse than no AAAA — clients may experience delays before falling back to IPv4.

Why this matters

Advertising IPv6 (AAAA records) without a reachable server means IPv6-preferring clients silently fail every connection.

Learn more

Modern browsers prefer IPv6 if AAAA exists (Happy Eyeballs algorithm). If the IPv6 server isn't reachable, browsers fall back to IPv4 — but with seconds of added latency per request. Either fix IPv6 reachability or remove the AAAA records.

Source: RFC 8305 (Happy Eyeballs)

B
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
REVIEW
www/non-www, trailing slash, HTTP→HTTPS
Critical::
Both www and non-www versions serve content
Got: Both variants return 200 Expected: One variant 301-redirects to the other
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

200https://www.bamboohr.com/
200https://bamboohr.com/

Inconsistent — duplicate content risk

HTTP → HTTPS

301http://bamboohr.com/ https://bamboohr.com/

Consistent

B
TLS Certificate Expiry & Recommendations
89 days until leaf cert expires — 3 issues to address
REVIEW

Certificate validity

89
days left
0d 30d 60d 90d+

Recommended actions

  • Submit your domain to hstspreload.org to be added to the Chrome preload list
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+
DNS Records
2 A records, 100 ms lookup
PASS
2 A records, 100 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 104.17.246.112, 104.17.245.112
Info::
Has 1 IPv6 (AAAA) record(s)
Got: 2001:4801:7903:100:c9ef:b020:0:b
Info::
4 nameserver(s) configured
Got: ns-682.awsdns-21.net, ns-1490.awsdns-58.org, ns-72.awsdns-09.com, ns-1689.awsdns-19.co.uk
Info::
5 mail exchanger(s) configured
Info::
CAA records not checked
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Info::
SPF record present in TXT
Info::
DNS resolution time: 100 ms
Got: 100 ms
A104.17.246.112, 104.17.245.112
AAAA2001:4801:7903:100:c9ef:b020:0:b
CNAME
NSns-682.awsdns-21.net, ns-1490.awsdns-58.org, ns-72.awsdns-09.com, ns-1689.awsdns-19.co.uk
MX
1 aspmx.l.google.com
5 alt2.aspmx.l.google.com
5 alt1.aspmx.l.google.com
10 aspmx3.googlemail.com
10 aspmx2.googlemail.com
TXT
globalsign-domain-verification=wbdypNBPRxDA7pbVKik0tD-_SeH22sESkMRd2bCTOm
cloudhealth=cb6fea93-e8ca-40ad-bb9b-0e9e19a6ae08
atlassian-domain-verification=p29RpO0cXFeEzjyh4auHxdmpZRHRIh+2xqMC7zv10YLaNKrM/P...
wrike-verification=MTYyMjkzNDoyZjVkZDliZWNkNTdiN2QzOTYzOTc0ODgzZjg4Mzc1MWVmOWI3Y...
pendo-domain-verification=fab0c2d2-fc1f-4386-b128-13731899feb5
teamviewer-sso-verification=69d6093666d6455599beca85735e34a0
adobe-idp-site-verification=026d95f693f5eb3b62b2f3848235ee7a09f974ce0798599638ed...
twilio-domain-verification=8428096b1d984e83cabb0e2888c6527c
anthropic-domain-verification-47b3sb=GCpxRAcBHaaPfO3I5YtXoFAJK
cursor-domain-verification-9z7vh5=W0FrzbIUYHiNpfcNVsi0ntMyX
jetbrains-domain-verification=11p3bt4xkw537kcg5293y7p70
bw=EFmOdqc/xwwLBB1adI6GDTXdkXYe6tMhN3TIixNxe4dx
formstack-domain-verification=3f0b3fd7b1761d9300c4674d80f80b42
openai-domain-verification=dv-Ebv0UjsvWBqRscGadTC6iea4
drift-domain-verification=68491ec57a8436a7610a10853d4965ba52c810a3e32ff166ddf582...
canva-site-verification=dH8cr2j5WimNqbH9cijVkA
mongodb-site-verification=lNCaOrORBlZLiE0V7wWbJ6hLjEs1G8jk
uber-domain-verification=8848c9f4-7e41-42ac-b908-69b7c80bdbd3
6tnaade4qtspqc8uhol5d1icgc
MS=ms53190690
mgverify=c965505ae441fa330c97ae9d0ed3f5c7299c3aa8df2810eb79976e9fa963c50e
9e08a85aed8e4b28a9c25a3459512395
jamf-site-verification=RYCgDoSet7G46RiG9RJ4_Q
parallels-domain-verification=541e040475f8460c94f4d07d19246d45961201c9d00d4b2bab...
docker-verification=9e5a3ac4-5fdc-46bc-bd9f-30a8c0c1b64d
google-site-verification=5VflYVwFoJ5VgXAVL41Row7Q34mnuG3wxT2RHDKtMFU
logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e
docusign=9b4bf6dc-e614-477c-9b7a-85458c91ce6b
SPF v=spf1 a:zgateway.zuora.com include:_spf.google.com include:_spf.salesforce.com ...
slack-domain-verification=OSLDehmn9hII1nUCrRhTst6P5N2ttXdLcwXj0K4z
ca3-10cacc2247df44cb8f950d39a7a8237e
CAALookup not available with standard resolver
Resolved in 100 ms

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

A
Redirect Chain
1 redirect(s), 628 ms total
PASS
1 redirect(s), 628 ms total
Info::
Single redirect
Got: https://bamboohr.com → https://www.bamboohr.com/ (301)
Info::
WWW normalization redirect
Info::
Redirect overhead: 628 ms total
Got: 628 ms

https://bamboohr.com

477 ms · HTTP/1.1

301

https://www.bamboohr.com/

150 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://bamboohr.com301477 msHTTP/1.1cloudflare
2https://www.bamboohr.com/200150 msHTTP/1.1cloudflare

See the visual redirect chain in the HTTP Probe tab →

A+
Crawlability
robots.txt present, sitemap with 19 URLs
PASS
robots.txt present, sitemap with 19 URLs
Info::
robots.txt is present
Got: 74 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 19 entries
Info::
Sitemap index with 19 child sitemaps
Info::
robots.txt references sitemap
A+
Domain Intelligence
bamboohr.com — via Amazon Registrar, Inc., 16 years, 11 months old
PASS
bamboohr.com — via Amazon Registrar, Inc., 16 years, 11 months old
Info::
Domain registered until Jul 23, 2026 (3 months remaining)
Info::
DNSSEC is not enabled
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Info::
Registrar: Amazon Registrar, Inc.
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Domain expiry

6 days

July 23, 2026

SSL certificate

89 days

Issued by Google Trust Services

Domain age

16 years, 11 months

Registered July 23, 2009

DNSSEC

Not enabled

Protects against DNS spoofing

Hosting

Unknown

2001:4801:7903:100:c9ef:b020:0:b

Registrar

Amazon Registrar, Inc.

Unlocked 4 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
  • Renew the domain or enable auto-renewal to prevent accidental expiry
  • Enable DNSSEC to protect visitors from DNS spoofing
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar Amazon Registrar, Inc.
Created July 23, 2009 (16 years, 11 months ago)
Expires July 23, 2026 (3 months)
Last Updated June 18, 2025
Name Servers ns-1490.awsdns-58.org, ns-1689.awsdns-19.co.uk, ns-682.awsdns-21.net, ns-72.awsdns-09.com
DNSSEC Not enabled
Hosting
IP Address 2001:4801:7903:100:c9ef:b020:0:b
Data source: rdap (0.2s)

DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.

Why this matters

Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.

Learn more

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.

Source: ICANN / RFC 4033

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A
HTTP Probe Timing
Total 496 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
PASS
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
27 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
17 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
21 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
496 ms
Total Time Total request time from DNS lookup through full response.
496 ms

Connection waterfall

DNS Lookup 27 ms TCP Connect 17 ms TLS Handshake 21 ms Server Processing 431 ms Content Transfer 0 ms
A
CDN & Delivery
Cloudflare (DYNAMIC)
PASS
Cloudflare (DYNAMIC)
Info::
Site is served via Cloudflare CDN (edge: CDG)
Got: cf-ray: 9f00ae1eff1d5858-CDG
Info::
CDN cache status: DYNAMIC
CDN Detected: Cloudflare
Provider Cloudflare Cache Status DYNAMIC Evidence cf-ray: 9f00ae1eff1d5858-CDG
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback