Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
CIPv6 ReadinessActionNo IPv6 supportREVIEW
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.
Source: Google IPv6 stats
BURL Variantswww/non-www, trailing slash, HTTP→HTTPSREVIEW
www / non-www
Inconsistent — duplicate content risk
HTTP → HTTPS
Consistent
BTLS Certificate Expiry & Recommendations38 days until leaf cert expires — 4 issues to addressREVIEW
Certificate validity
Recommended actions
- Add includeSubDomains to the HSTS directive
- Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+DNS Records2 A records, 29 ms lookupPASS
| A | 45.60.131.229, 45.60.121.229 |
| AAAA | — |
| CNAME | — |
| NS | ns20.digicertdns.com, ns22.digicertdns.com, pdns196.ultradns.net, ns25.digicertdns.net, ns21.digicertdns.com, ns23.digicertdns.net, ns24.digicertdns.net, pdns196.ultradns.biz, pdns196.ultradns.com, pdns196.ultradns.org |
| MX | 0 digicert-com.mail.protection.outlook.com |
| TXT | adobe-idp-site-verification=0575680fbf675a4b870e0423b2b288e8f93b19b571ff480a0b23... google-site-verification=biaoTy6jC7ljI6uEbBxS7wtBbZAyukDzJTUhJM_hYEg apple-domain-verification=LysAWG6wOID76rWM _mkwt024uea9zg5c8ywxx98km4xs59oa SPF v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:mktomail.com ~al... openai-domain-verification=dv-YNK3xcL8AItjkv1ZubDo6TsE onetrust-domain-verification=f8a2f79b8dab41a492aaaa52e613a679 hbxl3xs6mnfgcvdwpjltfztfqbm0q6j7 tm25jk2w7b1lqkvzg72ns2tnlwkfx4bp pjzx2ldzjbycl42tc85lm8zm05kxc5b9 pax8validate QuoVadis=8689a090-cbf6-4aff-8fb7-3416494f1f6f asv=1f1b135281f5d1ef6d125b846798c281 atlassian-domain-verification=/d+HEyZ/KMJ86EO42QuM+xsCy/NYRORirQapa7A521Lw2DAfpu... PDDL96o0kJXfsY1UKWkj8_-WiQ docusign=999fd605-b079-4d81-b0d8-a95208ae4450 _gitlab-pages-verification-code.digicert.com TXT gitlab-pages-verification-code=... cloudhealth=eb379e22-a90f-4097-b814-ca7d330ad0d8 _iu8a5g8unla4ur5rvw7ulwbcfq11mmn anthropic-domain-verification-3jqen9=N0Wsir4IqKxnVjDr9Fro3i7B9 miro-verification=31e307c1dc4ae6591a1edd5c7dcf58c678b54d32 google-gws-recovery-domain-verification=48029321 fastly-domain-delegation-3t4rfpsjms3gfs7ifvcc-716488-2023-11-22 kUy+EQPWJE5P7A19foqNx806Ir1KXvwbqbedXmbobf/C+X25pgY1YJ1GVX8rj6VdvXnUvqabmtdTO9VF... l685v6cy93xkw8pgppy4ms518l61ql0t c3cfbc958c404c659f758cdd4dc2ae0e docker-verification=1608c704-787a-464a-8f5f-4d19c1c3e0aa |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
ARedirect Chain1 redirect(s), 204 ms totalPASS
https://digicert.com
133 ms · HTTP/1.1
https://www.digicert.com/
71 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://digicert.com | 301 | 133 ms | HTTP/1.1 | |
| 2 | https://www.digicert.com/ | 200 | 71 ms | HTTP/1.1 |
See the visual redirect chain in the HTTP Probe tab →
A+Crawlabilityrobots.txt present, sitemap with 3033 URLsPASS
# Welcome to DigiCert
# Think you have what it takes to join the best team in the world?
# Check out our careers while you're here
# https://www.digicert.com/careers
# Or check out our YouTube channel for our latest
# https://www.youtube.com/user/DigiCertSSL
User-agent: *
Disallow: /account/sso/idp
Disallow: */test/
Disallow: */ni/
Disallow: /content/dam/digicert/pdfs/ni/
Disallow: /account/saml-guest-request/idp
Disallow: /webinars/*
Disallow: /seals/
Disallow: /link/
Disallow: /secure/*
Disallow: /services/*
Disallow: /in-console-ssm
Disallow: /jp/sid-partner*
Disallow: /ppc/
Disallow: /ru/
Disallow: /ar/
Disallow: /dc/blog/*
Disallow: /dc/news/*
Disallow: /author/*
Disallow: /tag/*
Disallow: /clients/*
Disallow: /voucher/*
Disallow: /bios*
Disallow: /direct/*
Disallow: /*thank
Disallow: /*.xls$
Disallow: /*.docx$
Disallow: /language-masters/*
Disallow: /link*
Disallow: /*feed
Allow: /*.js
Allow: /*.css
User-agent: AdsBot-Google
Disallow:
User-agent: Googlebot-Image
Disallow:
Sitemap: https://www.digicert.com/sitemap.xml
Sitemap: https://www.digicert.com/cn/sitemap.xml
Sitemap: https://www.digicert.com/de/sitemap.xml
Sitemap: https://www.digicert.com/es/sitemap.xml
Sitemap: https://www.digicert.com/fr/sitemap.xml
Sitemap: https://www.digicert.com/it/sitemap.xml
Sitemap: https://www.digicert.com/jp/sitemap.xml
Sitemap: https://www.digicert.com/kr/sitemap.xml
Sitemap: https://www.digicert.com/nl/sitemap.xml
Sitemap: https://www.digicert.com/tw/sitemap.xml
Sitemap: https://www.digicert.com/pt/sitemap.xml
Sitemap: https://www.digicert.com/kb/sitemap.xml
Sitemap: https://www.digicert.com/faq/sitemap.xml
Sitemap: https://www.digicert.com/news/sitemap.xml
Sitemap: https://www.digicert.com/blog/sitemap.xml
# Bot Requests
User-agent: AhrefsBot
Disallow: /
User-agent: ahrefsbot
Disallow: /
User-agent: XoviBot
Disallow: /
User-agent: BLEXBot
Disallow: /
User-agent: DotBot
Disallow: /
User-agent: MJ12bot
Disallow: /
User-agent: Xenu's
Disallow: /
User-agent: Xenu's Link Sleuth 1.1c
Disallow: /
User-agent: Zeus
Disallow: /
User-agent: Zeus 32297 Webster Pro V2.9 Win32
Disallow: /
User-agent: YandexBot
Disallow: /
User-agent: YandexDirect
Disallow: /
User-agent: YandexBlogs
Disallow: /
User-agent: YaDirectFetcher
Disallow: /
User-agent: YandexNews
Disallow: /
User-agent: YandexPagechecker
Disallow: /
User-agent: YandexMetrika
Disallow: /
User-agent: YandexMedia
Disallow: /
User-agent: Updownerbot
Disallow: /
User-agent: Blekkobot
Disallow: /
User-agent: 008
Disallow: /
User-agent: WebInspector
Disallow: */test/
Disallow: */ni/
Disallow: /account/sso/idp
Disallow: /account/saml-guest-request/idp
Disallow: /webinars/*
Disallow: /seals/
Disallow: /link/
Disallow: /secure/*
Disallow: /services/*
Disallow: /in-console-ssm
Disallow: /jp/sid-partner*
Disallow: /ppc/
Disallow: /ru/
Disallow: /ar/
Disallow: /dc/blog/*
Disallow: /dc/news/*
Disallow: /author/*
Disallow: /tag/*
Disallow: /clients/*
Disallow: /voucher/*
Disallow: /bios*
Disallow: /direct/*
Disallow: /*thank
Disallow: /*.xls$
Disallow: /*.docx$
Disallow: /language-masters/*
Disallow: /link*
Disallow: /*feed
A+Domain Intelligencedigicert.com — via MarkMonitor Inc., 29 years, 9 months old, hosted on INCAPSULA - Incapsula Inc, USPASS
506 days
December 1, 2027
38 days
Issued by DigiCert Inc
29 years, 9 months
Registered December 2, 1996
Not enabled
Protects against DNS spoofing
INCAPSULA - Incapsula Inc, US
ASN AS19551
45.60.131.229
MarkMonitor Inc.
Expiry timeline
Recommended actions
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice