Skip to content
https://cia.gov

Infrastructure

· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
93
GRADE
A
FIX
1
REVIEW
5
PASS
11
INFO
0
Probed from Madrid, Spain
301 Moved Permanently
Checks
17
11 PASS 5 REVIEW 1 FIX
D
CDN & Delivery
Action
No CDN detected
FIX
No CDN detected
Warning::
No CDN detected
A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.
No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

B
Reverse DNS
0/4 IPs match cert SAN
REVIEW
0/4 IPs match cert SAN
Info::
PTR for 23.47.144.141 does not match any cert SAN: a23-47-144-141.deploy.static.akamaitechnologies.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 23.47.144.140 does not match any cert SAN: a23-47-144-140.deploy.static.akamaitechnologies.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 2600:141b:e800:66::17d3:f10b does not match any cert SAN: g2600-141b-e800-0066-0000-0000-17d3-f10b.deploy.static.akamaitechnologies.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
Info::
PTR for 2600:141b:e800:66::17d3:f111 does not match any cert SAN: g2600-141b-e800-0066-0000-0000-17d3-f111.deploy.static.akamaitechnologies.com
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
B
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
REVIEW
www/non-www, trailing slash, HTTP→HTTPS
Critical::
HTTP version does not redirect to HTTPS
Got: HTTP 403 Expected: 301 redirect to HTTPS

www / non-www

403https://www.cia.gov/
200https://cia.gov/

HTTP → HTTPS

403http://cia.gov/

HTTP version does not redirect to HTTPS

B
CDN Cache Observability
No CDN cache-status headers in the response
REVIEW
No CDN cache-status headers in the response
Info::
No CDN cache-status headers in the response
Without an X-Cache / CF-Cache-Status / X-Vercel-Cache / Age header, you can't tell from outside whether a request hit the cache or went to origin. Operationally important: enables debugging stale-content reports and verifying cache rules. Most managed CDN platforms emit at least one of these by default; absence often means the platform's diagnostic headers are stripped at an upstream proxy.
B
Operational Status Page
No status page link detected
REVIEW
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
B
Health Check Endpoint
No conventional health endpoint found
REVIEW
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
A+
DNS Records
2 A records, 30 ms lookup
PASS
2 A records, 30 ms lookup
Info::
Resolves to 2 IPv4 address(es)
Got: 23.47.144.141, 23.47.144.140
Info::
Has 2 IPv6 (AAAA) record(s)
Got: 2600:141b:e800:66::17d3:f10b, 2600:141b:e800:66::17d3:f111
Info::
6 nameserver(s) configured
Got: a22-66.akam.net, a3-64.akam.net, a12-65.akam.net, a13-65.akam.net, a1-22.akam.net, a16-67.akam.net
Info::
2 mail exchanger(s) configured
Info::
SPF record present in TXT
Info::
DNS resolution time: 30 ms
Got: 30 ms
A23.47.144.141, 23.47.144.140
AAAA2600:141b:e800:66::17d3:f10b, 2600:141b:e800:66::17d3:f111
CNAME
NSa22-66.akam.net, a3-64.akam.net, a12-65.akam.net, a13-65.akam.net, a1-22.akam.net, a16-67.akam.net
MX
10 mail4.cia.gov
10 mail3.cia.gov
TXT
SPF v=spf1 mx -all
CAALookup not available with standard resolver
Resolved in 30 ms
A+
Subdomain Takeover
No subdomain takeover risk detected
PASS
No subdomain takeover risk detected
Info::
No CNAME record present
A+
DNSSEC
Signed and validating
PASS
Signed and validating
Info::
DNSSEC fully signed and chain validates (RSASHA256)
A+
CAA Records
issue: digicert.com | iodef configured
PASS
issue: digicert.com | iodef configured
Info::
CAA issue tag present — authorized CA(s): digicert.com
Info::
CAA iodef tag present (failed-issuance notifications enabled)
A+
Multi-Resolver DNS Speed
Mean 17ms across 3 resolvers (spread 21ms)
PASS
Mean 17ms across 3 resolvers (spread 21ms)
Info::
Quad9: 6ms
Got: 6ms via 9.9.9.9:53
Info::
Cloudflare: 18ms
Got: 18ms via 1.1.1.1:53
Info::
Google: 27ms
Got: 27ms via 8.8.8.8:53
A
Redirect Chain
1 redirect(s), 594 ms total
PASS
1 redirect(s), 594 ms total
Info::
Single redirect
Got: https://cia.gov → https://www.cia.gov/ (301)
Info::
WWW normalization redirect
Info::
Redirect overhead: 594 ms total
Got: 594 ms

https://cia.gov

291 ms · HTTP/1.1

301

https://www.cia.gov/

303 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://cia.gov301291 msHTTP/1.1
2https://www.cia.gov/200303 msHTTP/1.1

See the visual redirect chain in the HTTP Probe tab →

A+
IPv6 Readiness
IPv6 reachable (94 ms)
PASS
IPv6 reachable (94 ms)
Info::
IPv6 is configured and reachable at 2600:141b:e800:66::17d3:f10b, 2600:141b:e800:66::17d3:f111
Got: 94 ms connect
IPv6 Ready
AAAA Records 2600:141b:e800:66::17d3:f10b, 2600:141b:e800:66::17d3:f111 Connection Reachable (94 ms)
A+
Crawlability
robots.txt present, sitemap with 966 URLs
PASS
robots.txt present, sitemap with 966 URLs
Info::
robots.txt is present
Got: 1594 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 966 entries
Info::
robots.txt references sitemap
robots.txt 200 OK
Size 1594 B Sitemaps referenced 3 User-agents Download Ninja, Orthogaffe, Zealbot, NPBot, sitecheck.internetseer.com, SiteSnagger, TeleportPro, HTTrack, Microsoft.URL.Control, larbin, MSIECrawler, Xenu, usasearch, msnbot, Fetch, linko, libwww, ZyBORG, *, bingbot, IsraBot, DOC, Zao, WebCopier, Offline Explorer, grub-client, k2spider, Mediapartners-Google*, WebStripper, UbiCrawler, Teleport, WebZIP, WebReaper, wget Blocking No — crawling allowed
User-agent: usasearch
Crawl-delay: 2

User-agent: Mediapartners-Google*
Disallow: /

User-agent: bingbot
Disallow: /

User-agent: msnbot
Disallow: /

User-agent: IsraBot
Disallow: /

User-agent: Orthogaffe
Disallow: /

User-agent: UbiCrawler
Disallow: /

User-agent: DOC
Disallow: /

User-agent: Zao
Disallow: /

User-agent: sitecheck.internetseer.com
Disallow: /

User-agent: Zealbot
Disallow: /

User-agent: MSIECrawler
Disallow: /

User-agent: SiteSnagger
Disallow: /

User-agent: WebStripper
Disallow: /

User-agent: WebCopier
Disallow: /

User-agent: Fetch
Disallow: /

User-agent: Offline Explorer
Disallow: /

User-agent: Teleport
Disallow: /

User-agent: TeleportPro
Disallow: /

User-agent: WebZIP
Disallow: /

User-agent: linko
Disallow: /

User-agent: HTTrack
Disallow: /

User-agent: Microsoft.URL.Control
Disallow: /

User-agent: Xenu
Disallow: /

User-agent: larbin
Disallow: /

User-agent: libwww
Disallow: /

User-agent: ZyBORG
Disallow: /

User-agent: Download Ninja
Disallow: /

User-agent: wget
Disallow: /

User-agent: grub-client
Disallow: /

User-agent: k2spider
Disallow: /

User-agent: NPBot
Disallow: /

User-agent: WebReaper
Disallow: /

User-agent: *
Disallow: /js/
Disallow: /preview/
Disallow: /*.js$
Disallow: /*.js.map$
Disallow: /*.json$
Disallow: /readingroom/search/
Disallow: /readingroom/advanced-search-view/
Disallow: /readingroom/request/
Crawl-delay: 10
Sitemap: https://www.cia.gov/sitemap/sitemap-0.xml
Sitemap: https://www.cia.gov/readingroom/sitemap.xml
Sitemap: https://www.cia.gov/the-world-factbook/sitemap/sitemap-0.xml
Host: https://www.cia.gov

A
Domain Intelligence
cia.gov — via get.gov, 28 years, 5 months old
PASS
cia.gov — via get.gov, 28 years, 5 months old
Warning::
Domain expires in 60 days
Consider enabling auto-renewal to prevent accidental expiration.
Got: Expires Sep 9, 2026
Info::
DNSSEC is enabled
Info::
Registrar: get.gov
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Domain expiry

59 days

September 9, 2026

SSL certificate

33 days

Issued by DigiCert Inc

Domain age

28 years, 5 months

Registered June 26, 1998

DNSSEC

Enabled

Protects against DNS spoofing

Hosting

Unknown

2600:141b:e800:66::17d3:f111

Registrar

get.gov

Unlocked 6 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
  • Renew the domain or enable auto-renewal to prevent accidental expiry
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar get.gov
Created June 26, 1998 (28 years, 5 months ago)
Expires September 9, 2026 (2 months)
Last Updated January 29, 2026
Name Servers a1-22.akam.net, a12-65.akam.net, a13-65.akam.net, a16-67.akam.net, a22-66.akam.net, a3-64.akam.net
DNSSEC Enabled
Registrant REDACTED FOR PRIVACY
Hosting
IP Address 2600:141b:e800:66::17d3:f111
Data source: rdap (0.5s)

Consider enabling auto-renewal to prevent accidental expiration.

Why this matters

Domain expiry approaching — renew immediately and ensure auto-renew + alerting are configured.

Source: ICANN renewal policy

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

A+
HTTP Probe Timing
Total 351 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
PASS
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
50 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
92 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
96 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
351 ms
Total Time Total request time from DNS lookup through full response.
351 ms

Connection waterfall

DNS Lookup 50 ms TCP Connect 92 ms TLS Handshake 96 ms Server Processing 113 ms Content Transfer 0 ms
A+
TLS Certificate Expiry & Recommendations
33 days until leaf cert expires
PASS

Certificate validity

33
days left
0d 30d 60d 90d+

Recommended actions

No action required — TLS configuration looks healthy.

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback