Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.BURL Variantswww/non-www, trailing slash, HTTP→HTTPSREVIEW
www / non-www
Inconsistent — duplicate content risk
HTTP → HTTPS
Consistent
BTLS Certificate Expiry & Recommendations48 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
BCDN & DeliveryCloudflareREVIEW
A+DNS Records2 A records, 18 ms lookupPASS
| A | 104.18.35.71, 172.64.152.185 |
| AAAA | 2a06:98c1:3100::ac40:98b9, 2606:4700:4407::6812:2347 |
| CNAME | — |
| NS | carla.ns.cloudflare.com, miguel.ns.cloudflare.com |
| MX | 0 hardrock-com.mail.protection.outlook.com 10 mxa-005e3801.gslb.pphosted.com 10 mxb-005e3801.gslb.pphosted.com |
| TXT | 5bYmi5sVqYnBQOBjWBlxGQ8ntry+NbvWlsEeaDl+/W24Wb4f8KPsupcXi26czLqzpGyUnK3QHsdU6/5M... Foxit-domain-verification=01fb6cd79f2881074b4136a1420bc192 H0A4R33741 KML5BM/by/mjlcBXpUr8kdVfLk6DuQRIrCGPIhzzQbkSnob4jYwjfuHwufTZ6t7/BliEHX2jaGPDOz+F... MS=ms25349929 MS=ms78467234 MS=ms90050841 _b2vhn97xzjz02v9b57h10q38zo8yhgq.dcv.digicert.com _y70m0o1hvv8nb6fi9fsolvdwic20po0 apple-domain-verification=tIkfiH97rpggtEd6 atlassian-domain-verification=JWnFwAEWefcIG0wWGXkLLavdYWc1dJ0h5CsWrGS7oIjwSfmDSn... cisco-ci-domain-verification=4733ef1a224cf3a5636fa840a555cd4e1efb7c61c638d16253d... ciscocidomainverification=3414d2b8ea77b2c52dd526368f2ff8bbbd8c689f66ba8fbcf76e41... dropbox-domain-verification=g61rye8f2jxt dropbox-domain-verification=rjzcf3j3riqm facebook-domain-verification=q07dxoqmzqo0srq9bljb26mxi76vhv formstack-domain-verification=5cd773a4e5e7aa11f0fe447a1c44887a google-site-verification=D0lJzQG6ZTmM7K-DUxYgRMQLN8OJgV-j2XDvSKes520 google-site-verification=Nqb_YtFe8eurI4_dex6uOPn1XHRpWqQJy9MDj4eOijI google-site-verification=ejEoM4q1KSsmlUS-qyh0FasNzCxXnxbbRmevBAg7vYg google-site-verification=wF6NGcFyra8VM_enn6IejvfDQmJxrhYhaNx11Ql4mbs google-site-verification=xXOnerbltvovQkd1V7SVOWZAgZfIv2E2bOG5gwld28s h1-domain-verification=GMP3DqQRMowzCs29t1QGuFAwC7q6QraHvMj2F5GKp4Bi4nQa ms-domain-verification=5378e87e-34e8-4467-b593-557a6d79d9bd onetrust-domain-verification=44f24f7c850647158ee1db528d96e862 smartsheet-site-validation=lVXRomuFjkVlSlfR6gptYQOWAqt8Jswx SPF v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all |
| CAA | Lookup not available with standard resolver |
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
ARedirect Chain1 redirect(s), 67 ms totalPASS
https://hardrock.com
22 ms · HTTP/1.1
https://www.hardrock.com/
46 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://hardrock.com | 301 | 22 ms | HTTP/1.1 | cloudflare |
| 2 | https://www.hardrock.com/ | 200 | 46 ms | HTTP/1.1 | cloudflare |
See the visual redirect chain in the HTTP Probe tab →
A+IPv6 ReadinessIPv6 reachable (2 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 34 URLsPASS
sitemap: https://www.hardrock.com/sitemap.xml
Disallow: /files/5880/contest-rules.pdf
Noindex: /files/5880/contest-rules.pdf
User-agent: * [already exists, I’m just indicating that this should be set up for all bots.]
Allow: /*.js$
Allow: /*.JS$
Allow: /*.css$
Allow: /*.CSS$
A+Domain Intelligencehardrock.com — via Nom-iq Ltd. dba COM LAUDE, 28 years, 1 months oldPASS
5 days
July 23, 2026
48 days
Issued by Google Trust Services
28 years, 1 months
Registered July 24, 1998
Not enabled
Protects against DNS spoofing
Unknown
2a06:98c1:3100::ac40:98b9
Nom-iq Ltd. dba COM LAUDE
Expiry timeline
Recommended actions
- Renew the domain or enable auto-renewal to prevent accidental expiry
- Enable DNSSEC to protect visitors from DNS spoofing
- Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.
Learn more ▾ ▴
Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.
Source: ICANN / domain-security best practice