Hardenize Report: ovh.com

Web Security Overview

HTTPS

Web sites need to use encryption to help their visitors know they're in the right place, as well as provide confidentiality and content integrity. Sites that don't support HTTPS may expose sensitive data and have their pages modified and subverted.

For all sites VERY IMPORTANT medium EFFORT

HTTPS Redirection

To deploy HTTPS properly, web sites must redirect all unsafe (plaintext) traffic to the encrypted variant. This approach ensures that no sensitive data is exposed and that further security technologies can be activated.

For all sites VERY IMPORTANT low EFFORT

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTPS extension that instructs browsers to remember sites that use encryption and enforce strict security requirements. Without HSTS, active network attacks are easy to carry out.

For important sites VERY IMPORTANT medium EFFORT

HSTS Preloaded

HSTS Preloading is informing browsers in advance about a site's use of HSTS, which means that strict security can be enforced even on the first visit. This approach provides best HTTPS security available today.

For important sites VERY IMPORTANT medium EFFORT

Content Security Policy

Content Security Policy (CSP) is an additional security layer that enables web sites to control browser behavior, creating a safety net that can counter attacks such as cross-site scripting.

For important sites IMPORTANT high EFFORT

Email Security Overview

STARTTLS

All hosts that receive email need encryption to ensure confidentiality of email messages. Email servers thus need to support STARTTLS, as well as provide decent TLS configuration and correct certificates.

For all sites VERY IMPORTANT low EFFORT

SPF

Sender Policy Framework (SPF) enables organizations to designate servers that are allowed to send email messages on their behalf. With SPF in place, spam is easier to identify.

For important sites IMPORTANT low EFFORT

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism that allows organizations to specify how unauthenticated email (identified using SPF and DKIM) should be handled.

For important sites IMPORTANT low EFFORT

Domain Registration

Your security begins with the security of your domain name. If someone takes control of your domain name then they can update the name server configuration to send users elsewhere, or they can transfer the domain name to another party. For best results, fully lock your domain names at registry and registrar levels.

Test passed

Everything seems to be well configured. Well done.

Registration Data Access Protocol (RDAP)

The RDAP protocol enables users to access current registration data and was created as an eventual replacement for the WHOIS protocol. RDAP has several advantages over the WHOIS protocol, including support for internationalization, secure access to data, and the ability to provide differentiated access to registration data.

Parsed Raw Data Model

Registrant	-
Lookup Time	22 Apr 2024 17:22 UTC
Source	https://rdap.verisign.com/com/v1/domain/ovh.com
Registrar
Registrar	OVH sas
Registrar IANA ID	433
Events
Registration	07 Feb 1997 05:00 UTC
Update	27 Mar 2024 10:55 UTC
Expiration	08 Feb 2033 05:00 UTC
Configuration
Statuses	clientDeleteProhibited clientTransferProhibited
Registrar Lock
Registry Lock
Nameservers	dns.ovh.net dns10.ovh.net dns200.anycast.me ns.ovh.net ns10.ovh.net ns200.anycast.me
Contacts
Registrar	OVH sas
Abuse	Email: abuse@ovh.net Phone: +33.972101007

{
  "meta": {
    "timestamp": "2024-04-22T17:22:47Z",
    "id": "31c86412-ff2c-42c3-996c-4068171dc68b",
    "type": "HZ_REGISTRABLE_DOMAIN",
    "schemaVersion": "2022-02-02",
    "producer": "whois-rdap-clients/2022-03-23",
    "source": "NET",
    "status": "OK",
    "duration": "0.332s"
  },
  "name": "ovh.com",
  "punyName": "ovh.com",
  "source": "SOURCE_RDAP",
  "sourceLocation": "https://rdap.verisign.com/com/v1/domain/ovh.com",
  "sourceRaw": "{\"objectClassName\":\"domain\",\"handle\":\"1938925_DOMAIN_COM-VRSN\",\"ldhName\":\"OVH.COM\",\"links\":[{\"value\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/OVH.COM\",\"rel\":\"self\",\"href\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/OVH.COM\",\"type\":\"application\\/rdap+json\"},{\"value\":\"https:\\/\\/rdap.ovh.com\\/domain\\/OVH.COM\",\"rel\":\"related\",\"href\":\"https:\\/\\/rdap.ovh.com\\/domain\\/OVH.COM\",\"type\":\"application\\/rdap+json\"}],\"status\":[\"client delete prohibited\",\"client transfer prohibited\"],\"entities\":[{\"objectClassName\":\"entity\",\"handle\":\"433\",\"roles\":[\"registrar\"],\"publicIds\":[{\"type\":\"IANA Registrar ID\",\"identifier\":\"433\"}],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"OVH sas\"]]],\"entities\":[{\"objectClassName\":\"entity\",\"roles\":[\"abuse\"],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"\"],[\"tel\",{\"type\":\"voice\"},\"uri\",\"tel:+33.972101007\"],[\"email\",{},\"text\",\"abuse@ovh.net\"]]]}]}],\"events\":[{\"eventAction\":\"registration\",\"eventDate\":\"1997-02-07T05:00:00Z\"},{\"eventAction\":\"expiration\",\"eventDate\":\"2033-02-08T05:00:00Z\"},{\"eventAction\":\"last changed\",\"eventDate\":\"2024-03-27T10:55:49Z\"},{\"eventAction\":\"last update of RDAP database\",\"eventDate\":\"2024-04-22T17:22:33Z\"}],\"secureDNS\":{\"delegationSigned\":false},\"nameservers\":[{\"objectClassName\":\"nameserver\",\"ldhName\":\"DNS.OVH.NET\"},{\"objectClassName\":\"nameserver\",\"ldhName\":\"DNS10.OVH.NET\"},{\"objectClassName\":\"nameserver\",\"ldhName\":\"DNS200.ANYCAST.ME\"},{\"objectClassName\":\"nameserver\",\"ldhName\":\"NS.OVH.NET\"},{\"objectClassName\":\"nameserver\",\"ldhName\":\"NS10.OVH.NET\"},{\"objectClassName\":\"nameserver\",\"ldhName\":\"NS200.ANYCAST.ME\"}],\"rdapConformance\":[\"rdap_level_0\",\"icann_rdap_technical_implementation_guide_0\",\"icann_rdap_response_profile_0\"],\"notices\":[{\"title\":\"Terms of Use\",\"description\":[\"Service subject to Terms of Use.\"],\"links\":[{\"href\":\"https:\\/\\/www.verisign.com\\/domain-names\\/registration-data-access-protocol\\/terms-service\\/index.xhtml\",\"type\":\"text\\/html\"}]},{\"title\":\"Status Codes\",\"description\":[\"For more information on domain status codes, please visit https:\\/\\/icann.org\\/epp\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/epp\",\"type\":\"text\\/html\"}]},{\"title\":\"RDDS Inaccuracy Complaint Form\",\"description\":[\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\/\\/icann.org\\/wicf\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/wicf\",\"type\":\"text\\/html\"}]}]}",
  "tld": "com",
  "suffix": "com",
  "createTime": "1997-02-07T05:00:00Z",
  "expireTime": "2033-02-08T05:00:00Z",
  "updateTime": "2024-03-27T10:55:49Z",
  "registrarLock": true,
  "registryLock": false,
  "registrarName": "OVH sas",
  "registrarIanaId": "433",
  "nameservers": [{
    "name": "dns.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "dns10.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "dns200.anycast.me",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns10.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns200.anycast.me",
    "punyName": "",
    "addresses": []
  }],
  "statuses": ["clientDeleteProhibited", "clientTransferProhibited"],
  "sourceStatuses": ["client delete prohibited", "client transfer prohibited"],
  "contacts": [{
    "type": "CONTACT_REGISTRAR",
    "organization": "OVH sas"
  }, {
    "type": "CONTACT_ABUSE",
    "email": "abuse@ovh.net",
    "phone": "+33.972101007"
  }]
}

{
  "objectClassName": "domain",
  "handle": "1938925_DOMAIN_COM-VRSN",
  "ldhName": "OVH.COM",
  "links": [
    {
      "value": "https://rdap.verisign.com/com/v1/domain/OVH.COM",
      "rel": "self",
      "href": "https://rdap.verisign.com/com/v1/domain/OVH.COM",
      "type": "application/rdap+json"
    },
    {
      "value": "https://rdap.ovh.com/domain/OVH.COM",
      "rel": "related",
      "href": "https://rdap.ovh.com/domain/OVH.COM",
      "type": "application/rdap+json"
    }
  ],
  "status": [
    "client delete prohibited",
    "client transfer prohibited"
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "433",
      "roles": [
        "registrar"
      ],
      "publicIds": [
        {
          "type": "IANA Registrar ID",
          "identifier": "433"
        }
      ],
      "vcardArray": [
        "vcard",
        [
          [
            "version",
            {},
            "text",
            "4.0"
          ],
          [
            "fn",
            {},
            "text",
            "OVH sas"
          ]
        ]
      ],
      "entities": [
        {
          "objectClassName": "entity",
          "roles": [
            "abuse"
          ],
          "vcardArray": [
            "vcard",
            [
              [
                "version",
                {},
                "text",
                "4.0"
              ],
              [
                "fn",
                {},
                "text",
                ""
              ],
              [
                "tel",
                {
                  "type": "voice"
                },
                "uri",
                "tel:+33.972101007"
              ],
              [
                "email",
                {},
                "text",
                "abuse@ovh.net"
              ]
            ]
          ]
        }
      ]
    }
  ],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "1997-02-07T05:00:00Z"
    },
    {
      "eventAction": "expiration",
      "eventDate": "2033-02-08T05:00:00Z"
    },
    {
      "eventAction": "last changed",
      "eventDate": "2024-03-27T10:55:49Z"
    },
    {
      "eventAction": "last update of RDAP database",
      "eventDate": "2024-04-22T17:22:33Z"
    }
  ],
  "secureDNS": {
    "delegationSigned": false
  },
  "nameservers": [
    {
      "objectClassName": "nameserver",
      "ldhName": "DNS.OVH.NET"
    },
    {
      "objectClassName": "nameserver",
      "ldhName": "DNS10.OVH.NET"
    },
    {
      "objectClassName": "nameserver",
      "ldhName": "DNS200.ANYCAST.ME"
    },
    {
      "objectClassName": "nameserver",
      "ldhName": "NS.OVH.NET"
    },
    {
      "objectClassName": "nameserver",
      "ldhName": "NS10.OVH.NET"
    },
    {
      "objectClassName": "nameserver",
      "ldhName": "NS200.ANYCAST.ME"
    }
  ],
  "rdapConformance": [
    "rdap_level_0",
    "icann_rdap_technical_implementation_guide_0",
    "icann_rdap_response_profile_0"
  ],
  "notices": [
    {
      "title": "Terms of Use",
      "description": [
        "Service subject to Terms of Use."
      ],
      "links": [
        {
          "href": "https://www.verisign.com/domain-names/registration-data-access-protocol/terms-service/index.xhtml",
          "type": "text/html"
        }
      ]
    },
    {
      "title": "Status Codes",
      "description": [
        "For more information on domain status codes, please visit https://icann.org/epp"
      ],
      "links": [
        {
          "href": "https://icann.org/epp",
          "type": "text/html"
        }
      ]
    },
    {
      "title": "RDDS Inaccuracy Complaint Form",
      "description": [
        "URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf"
      ],
      "links": [
        {
          "href": "https://icann.org/wicf",
          "type": "text/html"
        }
      ]
    }
  ]
}

Analysis

Consider locking this domain name at registry level

Some domain name locks are better than others. Most registrars can configure a lock that they control, which we call a registrar lock. This lock is useful, but at the next level there is the registry lock, which requires a further interaction with the registry for any changes. Registry locks should be used wherever possible for business-critical domain names.

WHOIS

WHOIS is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services.

Parsed Raw Data Model

Registrant	OVH SAS
Lookup Time	22 Apr 2024 17:22 UTC
Source	whois.ovh.com:43
Registrar
Registrar	OVH, SAS
Registrar IANA ID	433
Events
Registration	07 Feb 1997 05:00 UTC
Update	27 Mar 2024 10:55 UTC
Expiration	08 Feb 2033 05:00 UTC
Configuration
Statuses	clientTransferProhibited clientDeleteProhibited
Registrar Lock
Registry Lock
Nameservers	ns.ovh.net ns10.ovh.net dns.ovh.net dns10.ovh.net dns200.anycast.me ns200.anycast.me
Contacts
Registrar	OVH, SAS OVH, SAS
Abuse	Email: abuse@ovh.net Phone: +33.972101007
Registrant	OVH SAS FR

{
  "meta": {
    "timestamp": "2024-04-22T17:22:48Z",
    "id": "f0d40eea-b01f-4cf4-9065-b37c2d59c59b",
    "type": "HZ_REGISTRABLE_DOMAIN",
    "schemaVersion": "2022-02-02",
    "producer": "whois-rdap-clients/2022-03-23",
    "source": "NET",
    "status": "OK",
    "duration": "0.215s"
  },
  "name": "ovh.com",
  "punyName": "ovh.com",
  "source": "SOURCE_WHOIS",
  "sourceLocation": "whois.ovh.com:43",
  "sourceRaw": "Domain Name: ovh.com\nRegistry Domain ID: 1938925_DOMAIN_COM-VRSN\nRegistrar WHOIS Server: whois.ovh.com\nRegistrar URL: https://www.ovh.com\nUpdated Date: 2024-03-27T10:55:49Z\nCreation Date: 1997-02-07T05:00:00Z\nRegistrar Registration Expiration Date: 2033-02-08T05:00:00Z\nRegistrar: OVH, SAS\nRegistrar IANA ID: 433\nRegistrar Abuse Contact Email: abuse@ovh.net\nRegistrar Abuse Contact Phone: +33.972101007\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nRegistry Registrant ID: \nRegistrant Name: REDACTED FOR PRIVACY\nRegistrant Organization: OVH SAS\nRegistrant Street: REDACTED FOR PRIVACY\nRegistrant City: REDACTED FOR PRIVACY\nRegistrant State/Province: \nRegistrant Postal Code: REDACTED FOR PRIVACY\nRegistrant Country: FR\nRegistrant Phone: REDACTED FOR PRIVACY\nRegistrant Phone Ext: REDACTED FOR PRIVACY\nRegistrant Fax: REDACTED FOR PRIVACY\nRegistrant Fax Ext: REDACTED FOR PRIVACY\nRegistrant Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/\nRegistry Admin ID: \nAdmin Name: REDACTED FOR PRIVACY\nAdmin Organization: REDACTED FOR PRIVACY\nAdmin Street: REDACTED FOR PRIVACY\nAdmin City: REDACTED FOR PRIVACY\nAdmin State/Province: REDACTED FOR PRIVACY\nAdmin Postal Code: REDACTED FOR PRIVACY\nAdmin Country: REDACTED FOR PRIVACY\nAdmin Phone: REDACTED FOR PRIVACY\nAdmin Phone Ext: REDACTED FOR PRIVACY\nAdmin Fax: REDACTED FOR PRIVACY\nAdmin Fax Ext: REDACTED FOR PRIVACY\nAdmin Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/\nRegistry Tech ID: \nTech Name: REDACTED FOR PRIVACY\nTech Organization: REDACTED FOR PRIVACY\nTech Street: REDACTED FOR PRIVACY\nTech City: REDACTED FOR PRIVACY\nTech State/Province: REDACTED FOR PRIVACY\nTech Postal Code: REDACTED FOR PRIVACY\nTech Country: REDACTED FOR PRIVACY\nTech Phone: REDACTED FOR PRIVACY\nTech Phone Ext: REDACTED FOR PRIVACY\nTech Fax: REDACTED FOR PRIVACY\nTech Fax Ext: REDACTED FOR PRIVACY\nTech Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/\nName Server: ns.ovh.net\nName Server: ns10.ovh.net\nName Server: dns.ovh.net\nName Server: dns10.ovh.net\nName Server: dns200.anycast.me\nName Server: ns200.anycast.me\nDNSSEC: unsigned\nURL of the ICANN WHOIS Data Problem Reporting System:\nhttp://wdprs.internic.net/\n\u003e\u003e\u003e Last update of WHOIS database: 2024-03-27T10:55:49Z \u003c\u003c\u003c\n\nFor more information on Whois status codes, please visit https://icann.org/epp \n\n###############################################################################\n#\n# Welcome to the OVH WHOIS Server.\n#\n# whois server  : whois.ovh.com       check server  : check.ovh.com\n#\n# The data in this Whois is at your disposal  with the aim of supplying you the\n# information only,  that is helping you  in the obtaining  of  the information\n# about  or  related to a domain name registration record.   OVH Sas  make this\n# information available \"as is\", and  do not  guarantee its accuracy.  By using\n# Whois,  you agree that you will use these data  only for  legal  purposes and\n# that,  under no circumstances will you use this data to:  (1) Allow,  enable,\n# or  otherwise  support  the  transmission  of  mass  unsolicited,  commercial\n# advertisement  or  roughly  or  requests  via the  individual mail (courier),\n# the E-mail (SPAM), by telephone or by fax. (2) Enable high volume, automated,\n# electronic  processes  that  apply  to  OVH  Sas   (or its computer systems).\n# The copy,   the compilation,   the re-packaging,   the dissemination   or the\n# other  use  of  the Whois base  is  expressly  forbidden  without  the  prior\n# written consent of  OVH.  Domain  ownership  disputes should be settled using\n# ICANN\u0027s Uniform Dispute Resolution Policy: http://www.icann.org/udrp/udrp.htm\n# We reserve the right  to  modify  these  terms  at  any  time.  By submitting\n# this query,  you agree to  abide by these terms.  OVH Sas  reserves the right\n# to  terminate  your  access  to  the  OVH Sas  Whois  database  in  its  sole\n# discretion,   including   without   limitation,   for  excessive  querying of\n# the Whois database  or  for  failure  to  otherwise  abide  by  this  policy.\n#\n# L\u0027outil du Whois  est  à  votre  disposition  dans  le  but  de  vous fournir\n# l\u0027information  seulement,  c\u0027est-à-dire  vous   aider   dans  l\u0027obtention  de\n# l\u0027information  sur ou lié à un  rapport  d\u0027enregistrement  de nom de domaine.\n# OVH Sas rend  cette information disponible  \"comme est,\"  et  ne garanti pas\n# son exactitude. En utilisant  notre outil  Whois, vous  reconnaissez que vous\n# emploierez ces données seulement pour  des buts légaux et ne pas utiliser cet\n# outil dans les buts suivant: (1) la transmission de publicité non sollicitée,\n# commerciale massive ou en gros ou des sollicitations via courrier individuel,\n# le courrier électronique (c\u0027est-à-dire SPAM),  par  téléphone ou par fax. (2)\n# l\u0027utilisation d\u0027un grand volume,  automatisé  des processus électroniques qui\n# soulignent ou chargent ce système de base de données  Whois  vous fournissant\n# cette  information.   La  copie   de  tout  ou  partie,   la compilation,  le\n# re-emballage,  la dissémination ou d\u0027autre utilisation de la base Whois  sont\n# expressément interdits sans consentement écrit antérieur de OVH. Un désaccord\n# sur la possession d\u0027un nom de domaine peut être résolu en suivant la  Uniform\n# Dispute  Resolution  Policy  de  l\u0027ICANN:  http://www.icann.org/udrp/udrp.htm\n# Nous nous  réservons  le  droit  de  modifier  ces  termes  à tout moment. En\n# soumettant une requête au Whois vous consentez à vous soumettre à ces termes.\n\n# local time : 2024-04-22T17:22:48Z\n# gmt time : 2024-04-22T17:22:48Z\n# last modify : 2024-03-27T10:55:49Z\n\n",
  "tld": "com",
  "suffix": "com",
  "createTime": "1997-02-07T05:00:00Z",
  "expireTime": "2033-02-08T05:00:00Z",
  "updateTime": "2024-03-27T10:55:49Z",
  "privacy": true,
  "registrarLock": true,
  "registryLock": false,
  "registrarName": "OVH, SAS",
  "registrarIanaId": "433",
  "registrarUrl": "https://www.ovh.com",
  "registrant": "OVH SAS",
  "nameservers": [{
    "name": "ns.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns10.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "dns.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "dns10.ovh.net",
    "punyName": "",
    "addresses": []
  }, {
    "name": "dns200.anycast.me",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns200.anycast.me",
    "punyName": "",
    "addresses": []
  }],
  "statuses": ["clientTransferProhibited", "clientDeleteProhibited"],
  "sourceStatuses": ["clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited", "clientTransferProhibited https://icann.org/epp#clientTransferProhibited"],
  "contacts": [{
    "type": "CONTACT_REGISTRAR",
    "firstName": "OVH, SAS",
    "organization": "OVH, SAS"
  }, {
    "type": "CONTACT_ABUSE",
    "email": "abuse@ovh.net",
    "phone": "+33.972101007"
  }, {
    "type": "CONTACT_REGISTRANT",
    "organization": "OVH SAS",
    "country": "FR"
  }]
}

Domain Name: ovh.com
Registry Domain ID: 1938925_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: https://www.ovh.com
Updated Date: 2024-03-27T10:55:49Z
Creation Date: 1997-02-07T05:00:00Z
Registrar Registration Expiration Date: 2033-02-08T05:00:00Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.972101007
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: OVH SAS
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: 
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registry Admin ID: 
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registry Tech ID: 
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY - Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Name Server: ns.ovh.net
Name Server: ns10.ovh.net
Name Server: dns.ovh.net
Name Server: dns10.ovh.net
Name Server: dns200.anycast.me
Name Server: ns200.anycast.me
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2024-03-27T10:55:49Z <<<

For more information on Whois status codes, please visit https://icann.org/epp 

###############################################################################
#
# Welcome to the OVH WHOIS Server.
#
# whois server  : whois.ovh.com       check server  : check.ovh.com
#
# The data in this Whois is at your disposal  with the aim of supplying you the
# information only,  that is helping you  in the obtaining  of  the information
# about  or  related to a domain name registration record.   OVH Sas  make this
# information available "as is", and  do not  guarantee its accuracy.  By using
# Whois,  you agree that you will use these data  only for  legal  purposes and
# that,  under no circumstances will you use this data to:  (1) Allow,  enable,
# or  otherwise  support  the  transmission  of  mass  unsolicited,  commercial
# advertisement  or  roughly  or  requests  via the  individual mail (courier),
# the E-mail (SPAM), by telephone or by fax. (2) Enable high volume, automated,
# electronic  processes  that  apply  to  OVH  Sas   (or its computer systems).
# The copy,   the compilation,   the re-packaging,   the dissemination   or the
# other  use  of  the Whois base  is  expressly  forbidden  without  the  prior
# written consent of  OVH.  Domain  ownership  disputes should be settled using
# ICANN's Uniform Dispute Resolution Policy: http://www.icann.org/udrp/udrp.htm
# We reserve the right  to  modify  these  terms  at  any  time.  By submitting
# this query,  you agree to  abide by these terms.  OVH Sas  reserves the right
# to  terminate  your  access  to  the  OVH Sas  Whois  database  in  its  sole
# discretion,   including   without   limitation,   for  excessive  querying of
# the Whois database  or  for  failure  to  otherwise  abide  by  this  policy.
#
# L'outil du Whois  est  à  votre  disposition  dans  le  but  de  vous fournir
# l'information  seulement,  c'est-à-dire  vous   aider   dans  l'obtention  de
# l'information  sur ou lié à un  rapport  d'enregistrement  de nom de domaine.
# OVH Sas rend  cette information disponible  "comme est,"  et  ne garanti pas
# son exactitude. En utilisant  notre outil  Whois, vous  reconnaissez que vous
# emploierez ces données seulement pour  des buts légaux et ne pas utiliser cet
# outil dans les buts suivant: (1) la transmission de publicité non sollicitée,
# commerciale massive ou en gros ou des sollicitations via courrier individuel,
# le courrier électronique (c'est-à-dire SPAM),  par  téléphone ou par fax. (2)
# l'utilisation d'un grand volume,  automatisé  des processus électroniques qui
# soulignent ou chargent ce système de base de données  Whois  vous fournissant
# cette  information.   La  copie   de  tout  ou  partie,   la compilation,  le
# re-emballage,  la dissémination ou d'autre utilisation de la base Whois  sont
# expressément interdits sans consentement écrit antérieur de OVH. Un désaccord
# sur la possession d'un nom de domaine peut être résolu en suivant la  Uniform
# Dispute  Resolution  Policy  de  l'ICANN:  http://www.icann.org/udrp/udrp.htm
# Nous nous  réservons  le  droit  de  modifier  ces  termes  à tout moment. En
# soumettant une requête au Whois vous consentez à vous soumettre à ces termes.

# local time : 2024-04-22T17:22:48Z
# gmt time : 2024-04-22T17:22:48Z
# last modify : 2024-03-27T10:55:49Z

Analysis

Consider locking this domain name at registry level

Some domain name locks are better than others. Most registrars can configure a lock that they control, which we call a registrar lock. This lock is useful, but at the next level there is the registry lock, which requires a further interaction with the registry for any changes. Registry locks should be used wherever possible for business-critical domain names.

DNS Zone

The global DNS infrastructure is organized as a series of hierarchical DNS zones. The root zone hosts a number of global and country TLDs, which in turn host further zones that are delegated to their customers. Each organization that controls a zone can delegate parts of its namespace to other zones. In this test we perform detailed inspection of a DNS zone, but only if the host being tested matches the zone.

Test passed

Everything seems to be well configured. Well done.

Nameserver Names

Nameservers can be referred to by name and by address. In this section we show the names, which can appear in the NS records, the referrals from the parent zone, and the SOA record. In some situations, servers from the parent zone respond authoritatively, in which case we will include them in the list as well.

Nameserver	Operational	IPv4	IPv6	Sources
dns.ovh.net. PRIMARY 213.186.33.102 2001:41d0:3:166::1				REFERRAL NS SOA
dns10.ovh.net. 213.251.188.129 2001:41d0:1:4a81::1				REFERRAL NS
dns200.anycast.me. 46.105.206.200				REFERRAL NS
ns.ovh.net. 213.251.128.136 2001:41d0:209::1				REFERRAL NS
ns10.ovh.net. 213.251.128.129 2001:41d0:1:1981::1				REFERRAL NS
ns200.anycast.me. 46.105.207.200				REFERRAL NS

Nameserver Addresses

This section shows the configuration of all discovered nameservers by their IP address. To find all applicable nameservers, we inspect the parent zone nameservers for names and glue and then the tested zone nameservers for NS records. We then resolve all discovered names to IP addresses. Finally, we test each address individually.

Nameserver	Sources	Payload Size
213.186.33.102 PRIMARY dns.ovh.net. PTR: dns.ovh.net.	NAME	1232
213.251.128.129 ns10.ovh.net. PTR: ns10.ovh.net.	NAME	1232
213.251.128.136 ns.ovh.net. PTR: ns.ovh.net.	NAME	1232
213.251.188.129 dns10.ovh.net. PTR: dns10.ovh.net.	NAME	1232
46.105.206.200 dns200.anycast.me. PTR: dns200.anycast.me.	NAME	1232
46.105.207.200 ns200.anycast.me. PTR: ns200.anycast.me.	NAME	1232
2001:41d0:1:1981::1 ns10.ovh.net. PTR: ns10.ovh.net.	NAME	1232
2001:41d0:1:4a81::1 dns10.ovh.net. PTR: dns10.ovh.net.	NAME	1232
2001:41d0:209::1 ns.ovh.net. PTR: ns.ovh.net.	NAME	1232
2001:41d0:3:166::1 PRIMARY dns.ovh.net. PTR: dns.ovh.net.	NAME	1232

Start of Authority (SOA) Record

Start of Authority (SOA) records contain administrative information pertaining to one DNS zone, especially the configuration that's used for zone transfers between the primary nameserver and the secondaries. Only one SOA record should exist, with all nameservers providing the same information.

The domain name of the primary nameserver for the zone. Also known as MNAME.Primary nameserver	dns.ovh.net.
Email address of the persons responsible for this zone. Also known as RNAME.Admin email	tech.ovh.net.
Zone serial or version number.Serial number	2024042225
The length of time secondary nameservers should wait before querying the primary for changes.Refresh interval	86,400 seconds (about 1 day)
The length of time secondary nameservers should wait before querying an unresponsive primary again.Retry interval	3,600 seconds (about 1 hour)
The length of time after which secondary nameservers should stop responding to queries for a zone, assuming no updates were obtained from the primary.Expire interval	3,600,000 seconds (about 1 month 10 days)
TTL for purposes of negative response caching. Negative cache TTL	600 seconds (about 10 minutes)
Time To Live (TTL) indicates for how long a record remains valid. SOA record TTL	86,400 seconds (about 1 day)

Analysis

Improve IPv6 support

The Internet is in a slow transition to supporting IPv6 widely. Although at this time it is expected that most recursive DNS servers will use IPv4, adding support for IPv6 will enable transition to networks that use IPv6 exclusively.

No problems detected with the zone configuration

Excellent. This DNS zone is in a good working order. No problems detected.

Backing DNS Queries

Below are all DNS queries we submitted during the zone inspection.

	ID	Server	Transport	Question Name	Type	Status

DNS Records

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

Test passed

Everything seems to be well configured. Well done.

DNS Records

These are the results of individual DNS queries against your nameserver for common resource record types.

Name	TTL	Type	Data
ovh.com.	3600	A	198.27.92.1
www.ovh.com.	3600	A	198.27.92.1
ovh.com.	86400	MX	1 mx1.ovh.net.
ovh.com.	86400	MX	5 mx2.ovh.net.
ovh.com.	86400	NS	dns.ovh.net.
ovh.com.	86400	NS	ns10.ovh.net.
ovh.com.	86400	NS	ns200.anycast.me.
ovh.com.	86400	NS	dns200.anycast.me.
ovh.com.	86400	NS	ns.ovh.net.
ovh.com.	86400	NS	dns10.ovh.net.
ovh.com.	86400	SOA	dns.ovh.net. tech.ovh.net. 2024042225 86400 3600 3600000 600
ovh.com.	60	TXT	"facebook-domain-verification=omh9d3iqxyx295l8wdk0y6asn1ne3y"
ovh.com.	60	TXT	"v=spf1 include:spf.mailjet.com include:mx.ovh.com ~all"
ovh.com.	60	TXT	"google-site-verification=J3fSHAVfI5uZPzM4rlKtSiBnE5iC0lxi0k2-pn0aM1U"
ovh.com.	60	TXT	"google-site-verification=Il9nne-nVT0DAIF9l7jwlycs1fMuu_pWggen5IYZVlA"
_dmarc.ovh.com.	60	TXT	"v=DMARC1; p=none; rua=mailto:dmarc+ovh.com@abuse.ovh.net; rf=afrf; pct=100;"

Backing DNS Queries

Below are all DNS queries we submitted while inspecting the resource records.

	ID	Server	Question Name	Type	Status

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Useful DNSSEC Tools

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

There is no CAA policy on this hostname

CAA policies can be used to restrict which CAs are allowed to issue certificates for a hostname. As such, CAA can be used to enforce an organization-wide policy and to prevent issuance of unauthorized certificates. The CA/Browser forum requires CAs to consult CAA configuration during certificate issuance from September 2017.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoint.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Server

Preference

Operational

STARTTLS

TLS

PKI

DNSSEC

DANE

mx1.ovh.net
188.165.47.122
PTR: mx1.ovh.net

1

mx2.ovh.net
87.98.132.45
PTR: mx2.ovh.net

5

Analysis

Some SMTP server assessments have been retrieved from cache

Some SMTP server assessment results have been retrieved from our cache. Because many hosts point to the same SMTP servers, we use a short-term cache to avoid testing the same SMTP servers over and over again.

Latest cache timestamp: 19 Apr 2024 08:05 UTC

Earliest cache timestamp: 19 Apr 2024 06:04 UTC

Some SMTP server assessments contain partial information

Comprehensive TLS assessments require many connections, which is exactly what many SMTP servers don't like. We implement a two-tier assessment approach. To give you some results as fast as possible, we perform shallow assessments that use only one connection per SMTP server. We then have a background process that performs complete assessments slowly, trying to accommodate each server individually. The results presented here contain partial information. If you come back later we may be able to provide complete assessment resuls.

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

TLS Configuration: mx1.ovh.net (188.165.47.122) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 06:04 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mx2.ovh.net (87.98.132.45) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 08:05 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Certificate #1 Cached

Leaf certificate

mx.mail.ovh.net
Issuer: Sectigo
Not Before: 13 Nov 2023 00:00:00 UTC
Not After: 12 Nov 2024 23:59:59 UTC (expires in 6 months 21 days)
Key: RSA 4096 bits
Signature: SHA256withRSA
View details

Names	mx.mail.ovh.net mx0.mail.ovh.net mx0.ovh.net mx1.mail.ovh.net mx1.ovh.net mx2.mail.ovh.net mx2.ovh.net mx3.mail.ovh.net mx3.ovh.net mx4.mail.ovh.net mx4.ovh.net mxb.ovh.net
Subject DN	CN=mx.mail.ovh.net
Subject Key Identifier	a0d029694c680425e93ee7e158e13110d04272a4
Serial	861c5f7aa8e4ed026b8b89cf5a45ec35
Not Before	13 Nov 2023 00:00:00 UTC
Not After	12 Nov 2024 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	13 Nov 2023 16:07:40 UTC \| Google 'Xenon2024' log \| Qualified 13 Nov 2023 16:07:40 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 13 Nov 2023 16:07:40 UTC \| Google 'Argon2024' log \| Qualified
Fingerprints
SHA1	430a07e26010792cb3b0c7d749ba28ac70ce005a
SHA256	9db4a71d1159e8ada4731e3ddd8223991524e21874b67379a2fca5b09c2b429a
SPKI SHA256	7071b06146666733f1596613bc40c525f10c9fd39c8326b2c0b0f2888e2f7ec6

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

mx.mail.ovh.net | 9db4a71
Not After: 12 Nov 2024 23:59:59 UTC (expires in 6 months 21 days)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Names	mx.mail.ovh.net mx0.mail.ovh.net mx0.ovh.net mx1.mail.ovh.net mx1.ovh.net mx2.mail.ovh.net mx2.ovh.net mx3.mail.ovh.net mx3.ovh.net mx4.mail.ovh.net mx4.ovh.net mxb.ovh.net
Subject DN	CN=mx.mail.ovh.net
Subject Key Identifier	a0d029694c680425e93ee7e158e13110d04272a4
Serial	861c5f7aa8e4ed026b8b89cf5a45ec35
Not Before	13 Nov 2023 00:00:00 UTC
Not After	12 Nov 2024 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	13 Nov 2023 16:07:40 UTC \| Google 'Xenon2024' log \| Qualified 13 Nov 2023 16:07:40 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 13 Nov 2023 16:07:40 UTC \| Google 'Argon2024' log \| Qualified
Fingerprints
SHA1	430a07e26010792cb3b0c7d749ba28ac70ce005a
SHA256	9db4a71d1159e8ada4731e3ddd8223991524e21874b67379a2fca5b09c2b429a
SPKI SHA256	7071b06146666733f1596613bc40c525f10c9fd39c8326b2c0b0f2888e2f7ec6

Intermediate certificate

Sectigo RSA Domain Validation Secure Server CA | 7fa4ff6
Not After: 31 Dec 2030 23:59:59 UTC (expires in 6 years 8 months)
Authentication: RSA 2048 bits (SHA384withRSA)
View details

Subject DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Serial	7d5b5126b476ba11db74160bbc530da7
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	33e4e80807204c2b6182a3a14b591acd25b5f0db
SHA256	7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
SPKI SHA256	e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8

Root certificate

USERTrust RSA Certification Authority | e793c9b
Not After: 18 Jan 2038 23:59:59 UTC (expires in 13 years 8 months)
Authentication: RSA 4096 bits (SHA384withRSA)
View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	1fd6d30fca3ca51a81bbc640e35032d
Not Before	01 Feb 2010 00:00:00 UTC
Not After	18 Jan 2038 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
SHA256	e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

Test passed

Everything seems to be well configured. Well done.

SPF Policy Information Main policy

Host where this policy is located.Location	ovh.com
SPF version used by this policy.v	spf1
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	spf.mailjet.com
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	mx.ovh.com
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

Analysis

SPF policy found

Policy text: v=spf1 include:spf.mailjet.com include:mx.ovh.com ~all

Location: ovh.com

SPF policy is valid

Good. Your SPF policy is syntactically valid.

Policy DNS lookups under limit

Good. Your policy stays under the limit of up to 10 DNS queries. The SPF specification Section 4.6.4. requires implementations to limit the total number of DNS queries. Policies that exceed the limit should not be used and may not work in practice.

Lookups: 4

SPF Policy Information Included policy

Host where this policy is located.Location	spf.mailjet.com
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	87.253.232.0/21
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.189.236.0/22
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.211.120.0/22
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.250.236.0/22
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

SPF Policy Information Included policy

Host where this policy is located.Location	mx.ovh.com
SPF version used by this policy.v	spf1
This mechanism tests whether the DNS reverse-mapping for the tested IP address exists and correctly points to a domain name within a particular domain. ptr	mail-out.ovh.net
This mechanism tests whether the DNS reverse-mapping for the tested IP address exists and correctly points to a domain name within a particular domain. ptr	mail.ovh.net
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	8.33.137.105/32
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	192.99.77.81/32
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ?all

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

DMARC Policy Information

The location from which we obtained this policy.Policy location	_dmarc.ovh.com
DMARC version used by this policy.v	DMARC1
Indicates the policy to be enacted by the receiver at the request of the domain owner. Possible values are: none, quarantine, and reject.p	none
Addresses to which aggregate feedback is to be sent.rua	mailto:dmarc+ovh.com@abuse.ovh.net
Specifies the format to be used when reporting failures.rf	afrf
Percentage of messages from mail stream to which the DMARC policy is to be applied.pct	100

Analysis

DMARC policy found

Policy: v=DMARC1; p=none; rua=mailto:dmarc+ovh.com@abuse.ovh.net; rf=afrf; pct=100;

Host: _dmarc.ovh.com

Valid external destination

Permission record location: ovh.com._report._dmarc.abuse.ovh.net

External destination: mailto:dmarc+ovh.com@abuse.ovh.net

Permission record contents: v=DMARC1;

Policy is valid

Good. You have a valid DMARC policy.

Activate DMARC policy

Although syntactically valid, your DMARC policy is effectively disabled. An effective policy must set the value of the 'p' directive to either 'quarantine' or 'reject'. In addition, if the 'pct' directive is present, it must be set to a value other than zero. (The default is 100, which means to apply policy to all emails.)

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

Test passed

Everything seems to be well configured. Well done.

URL: http://ovh.com/

1

http://ovh.com/

HTTP/1.1 301 Moved Permanently

content-length	0
location	https://ovh.com/
date	Mon, 22 Apr 2024 17:22:48 GMT
x-cdn-pop	bhs
x-cdn-pop-ip	137.74.122.0/26
x-request-id	590348640
x-cacheable	Cacheable
x-iplb-request-id	AC634337:5941_C61B5C01:0050_66269CE8_22640C:1B21
x-iplb-instance	53576

2

https://ovh.com/

HTTP/1.1 301 Moved Permanently

Date	Mon, 22 Apr 2024 17:22:48 GMT
Content-Length	0
location	https://www.ovh.com/
x-iplb-request-id	90D9024A:DE32_C063418B:01BB_66269CE8_3220A:3663
x-iplb-instance	54395
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	197562638
X-Cacheable	Cacheable
Connection	keep-alive

3

https://www.ovh.com/

HTTP/1.1 301 Moved Permanently

Date	Mon, 22 Apr 2024 17:22:49 GMT
X-Cacheable	Not cacheable: not http 200
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
Content-Type	text/html; charset=utf-8
X-Request-ID	158341158
Location	https://www.ovhcloud.com/en/
Content-Length	0
Connection	keep-alive

4

https://www.ovhcloud.com/en/

HTTP/1.1 200 OK

Date	Mon, 22 Apr 2024 17:22:33 GMT
Content-Type	text/html
vary	Accept-Encoding
x-frame-options	SAMEORIGIN
x-xss-protection	1; mode=block
x-content-type-options	nosniff
x-toujours-debout-location	BHS
x-toujours-debout-branch	B
cache-control	public, must-revalidate, max-age=90
x-iplb-request-id	90D90249:4EB2_C063418B:01BB_66269CD9_336BF:65EB
x-iplb-instance	55966
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	101353342
X-Cacheable	Matched cache
Accept-Ranges	bytes
Connection	keep-alive

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

URL: http://www.ovh.com/

1

http://www.ovh.com/

HTTP/1.1 301 Moved Permanently

date	Mon, 22 Apr 2024 17:22:49 GMT
x-cacheable	Not cacheable: not http 200
x-cdn-pop	bhs
x-cdn-pop-ip	137.74.122.0/26
content-type	text/html; charset=utf-8
x-request-id	326009296
location	https://www.ovhcloud.com/en/
content-length	0
x-iplb-request-id	AC634337:426B_C61B5C01:0050_66269CE9_226410:1B21
x-iplb-instance	53576

2

https://www.ovhcloud.com/en/

HTTP/1.1 200 OK

Date	Mon, 22 Apr 2024 17:21:20 GMT
Content-Type	text/html
vary	Accept-Encoding
x-frame-options	SAMEORIGIN
x-xss-protection	1; mode=block
x-content-type-options	nosniff
x-toujours-debout-location	BHS
x-toujours-debout-branch	B
cache-control	public, must-revalidate, max-age=90
x-iplb-request-id	90D9022E:6D0C_C063418B:01BB_66269C90_31ADB:6671
x-iplb-instance	56499
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	381034846
X-Cacheable	Matched cache
Accept-Ranges	bytes
Connection	keep-alive

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

Test passed

Everything seems to be well configured. Well done.

URL: https://ovh.com/

1

https://ovh.com/

HTTP/1.1 301 Moved Permanently

Date	Mon, 22 Apr 2024 17:22:49 GMT
Content-Length	0
location	https://www.ovh.com/
x-iplb-request-id	90D90234:2C92_C063418B:01BB_66269CE9_339E0:71BD
x-iplb-instance	56497
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	213975915
X-Cacheable	Cacheable
Connection	keep-alive

2

https://www.ovh.com/

HTTP/1.1 301 Moved Permanently

Date	Mon, 22 Apr 2024 17:22:49 GMT
X-Cacheable	Not cacheable: not http 200
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
Content-Type	text/html; charset=utf-8
X-Request-ID	171673949
Location	https://www.ovhcloud.com/en/
Content-Length	0
Connection	keep-alive

3

https://www.ovhcloud.com/en/

HTTP/1.1 200 OK

Date	Mon, 22 Apr 2024 17:21:27 GMT
Content-Type	text/html
vary	Accept-Encoding
x-frame-options	SAMEORIGIN
x-xss-protection	1; mode=block
x-content-type-options	nosniff
x-toujours-debout-location	BHS
x-toujours-debout-branch	B
cache-control	public, must-revalidate, max-age=90
x-iplb-request-id	90D90228:DB1C_C063418B:01BB_66269C97_3289A:76BF
x-iplb-instance	55965
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	265651922
X-Cacheable	Matched cache
Accept-Ranges	bytes
Connection	keep-alive

URL: https://www.ovh.com/

1

https://www.ovh.com/

HTTP/1.1 301 Moved Permanently

Date	Mon, 22 Apr 2024 17:22:49 GMT
X-Cacheable	Not cacheable: not http 200
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
Content-Type	text/html; charset=utf-8
X-Request-ID	394626116
Location	https://www.ovhcloud.com/en/
Content-Length	0
Connection	keep-alive

2

https://www.ovhcloud.com/en/

HTTP/1.1 200 OK

Date	Mon, 22 Apr 2024 17:22:03 GMT
Content-Type	text/html
vary	Accept-Encoding
x-frame-options	SAMEORIGIN
x-xss-protection	1; mode=block
x-content-type-options	nosniff
x-toujours-debout-location	BHS
x-toujours-debout-branch	B
cache-control	public, must-revalidate, max-age=90
x-iplb-request-id	90D90230:FD9C_C063418B:01BB_66269CBB_33787:71BD
x-iplb-instance	56497
X-CDN-Pop	bhs
X-CDN-Pop-IP	137.74.122.0/26
X-Request-ID	60396909
X-Cacheable	Matched cache
Accept-Ranges	bytes
Connection	keep-alive

WWW TLS

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed

Everything seems to be well configured. Well done.

TLS Configuration: ovh.com (198.27.92.1)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.ovh.com (198.27.92.1)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

WWW Certificates

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Certificate: www.ovh.com

Leaf certificate

ovh.com
Issuer: Sectigo
Not Before: 06 Feb 2024 00:00:00 UTC
Not After: 05 Feb 2025 23:59:59 UTC (expires in 9 months 14 days)
Key: RSA 4096 bits
Signature: SHA256withRSA
View details

Names	ovh.com www.ovh.com
Subject DN	CN=ovh.com
Subject Key Identifier	3dedc38b299bf2c4cb495cc01093c875b25a6e86
Serial	ed10d75418564157967c6b8d5a10a163
Not Before	06 Feb 2024 00:00:00 UTC
Not After	05 Feb 2025 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	06 Feb 2024 10:21:28 UTC \| Google 'Xenon2025h1' log \| Qualified 06 Feb 2024 10:21:28 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 06 Feb 2024 10:21:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	499c586aeacdd5c400ba84dd37cd864fb0e426e0
SHA256	749f0ffb9d67369878115010f3c4f41d654c56fbd15629c0aa1306dd633813e8
SPKI SHA256	ce874fba9d5e07d6ce7a1efa038946e93b2fcd83145d6940a61f27434a37be3f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

ovh.com | 749f0ff
Not After: 05 Feb 2025 23:59:59 UTC (expires in 9 months 14 days)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Names	ovh.com www.ovh.com
Subject DN	CN=ovh.com
Subject Key Identifier	3dedc38b299bf2c4cb495cc01093c875b25a6e86
Serial	ed10d75418564157967c6b8d5a10a163
Not Before	06 Feb 2024 00:00:00 UTC
Not After	05 Feb 2025 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	06 Feb 2024 10:21:28 UTC \| Google 'Xenon2025h1' log \| Qualified 06 Feb 2024 10:21:28 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 06 Feb 2024 10:21:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	499c586aeacdd5c400ba84dd37cd864fb0e426e0
SHA256	749f0ffb9d67369878115010f3c4f41d654c56fbd15629c0aa1306dd633813e8
SPKI SHA256	ce874fba9d5e07d6ce7a1efa038946e93b2fcd83145d6940a61f27434a37be3f

Intermediate certificate

Sectigo RSA Domain Validation Secure Server CA | 7fa4ff6
Not After: 31 Dec 2030 23:59:59 UTC (expires in 6 years 8 months)
Authentication: RSA 2048 bits (SHA384withRSA)
View details

Subject DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Serial	7d5b5126b476ba11db74160bbc530da7
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	33e4e80807204c2b6182a3a14b591acd25b5f0db
SHA256	7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
SPKI SHA256	e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8

Root certificate

USERTrust RSA Certification Authority | e793c9b
Not After: 18 Jan 2038 23:59:59 UTC (expires in 13 years 8 months)
Authentication: RSA 4096 bits (SHA384withRSA)
View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	1fd6d30fca3ca51a81bbc640e35032d
Not Before	01 Feb 2010 00:00:00 UTC
Not After	18 Jan 2038 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
SHA256	e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: ovh.com

Leaf certificate

ovh.com
Issuer: Sectigo
Not Before: 06 Feb 2024 00:00:00 UTC
Not After: 05 Feb 2025 23:59:59 UTC (expires in 9 months 14 days)
Key: RSA 4096 bits
Signature: SHA256withRSA
View details

Names	ovh.com www.ovh.com
Subject DN	CN=ovh.com
Subject Key Identifier	3dedc38b299bf2c4cb495cc01093c875b25a6e86
Serial	ed10d75418564157967c6b8d5a10a163
Not Before	06 Feb 2024 00:00:00 UTC
Not After	05 Feb 2025 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	06 Feb 2024 10:21:28 UTC \| Google 'Xenon2025h1' log \| Qualified 06 Feb 2024 10:21:28 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 06 Feb 2024 10:21:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	499c586aeacdd5c400ba84dd37cd864fb0e426e0
SHA256	749f0ffb9d67369878115010f3c4f41d654c56fbd15629c0aa1306dd633813e8
SPKI SHA256	ce874fba9d5e07d6ce7a1efa038946e93b2fcd83145d6940a61f27434a37be3f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

ovh.com | 749f0ff
Not After: 05 Feb 2025 23:59:59 UTC (expires in 9 months 14 days)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Names	ovh.com www.ovh.com
Subject DN	CN=ovh.com
Subject Key Identifier	3dedc38b299bf2c4cb495cc01093c875b25a6e86
Serial	ed10d75418564157967c6b8d5a10a163
Not Before	06 Feb 2024 00:00:00 UTC
Not After	05 Feb 2025 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	06 Feb 2024 10:21:28 UTC \| Google 'Xenon2025h1' log \| Qualified 06 Feb 2024 10:21:28 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 06 Feb 2024 10:21:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	499c586aeacdd5c400ba84dd37cd864fb0e426e0
SHA256	749f0ffb9d67369878115010f3c4f41d654c56fbd15629c0aa1306dd633813e8
SPKI SHA256	ce874fba9d5e07d6ce7a1efa038946e93b2fcd83145d6940a61f27434a37be3f

Intermediate certificate

Sectigo RSA Domain Validation Secure Server CA | 7fa4ff6
Not After: 31 Dec 2030 23:59:59 UTC (expires in 6 years 8 months)
Authentication: RSA 2048 bits (SHA384withRSA)
View details

Subject DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Serial	7d5b5126b476ba11db74160bbc530da7
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	33e4e80807204c2b6182a3a14b591acd25b5f0db
SHA256	7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
SPKI SHA256	e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8

Root certificate

USERTrust RSA Certification Authority | e793c9b
Not After: 18 Jan 2038 23:59:59 UTC (expires in 13 years 8 months)
Authentication: RSA 4096 bits (SHA384withRSA)
View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	1fd6d30fca3ca51a81bbc640e35032d
Not Before	01 Feb 2010 00:00:00 UTC
Not After	18 Jan 2038 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
SHA256	e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

DANE (443)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Cookies

Cookies are small chunks of text that are sent between your browser and a website. They are often essential to the operation of the site and sometimes contain sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

Test passed

Everything seems to be well configured. Well done.

Mixed Content

On virtually all web sites, HTML markup, images, style sheets, JavaScript, and other page resources arrive not only over multiple connections but possibly from multiple servers and sites spread across the entire Internet. For a page to be properly encrypted, it’s necessary that all the content is retrieved over HTTPS. In practice, that’s very often not the case, leading to mixed content security problems.

Test passed

Everything seems to be well configured. Well done.

Embedded Resources

In this section we look at the security of all embedded resources. Mixed active content occurs when there are unprotected scripts or styles embedded in a page. This is typically not allowed by modern browsers. Mixed passive content (images, videos and such) are typically allowed, but shouldn't be present.

0 script(s)
0 out of 0 are secure

0 CSS file(s)
0 out of 0 are secure

0 media file(s)
0 out of 0 are secure

Outbound Links

Ideally, an encrypted page should only have links that lead to other encrypted pages. If plaintext links are used, passive network attackers can see where people go after they visit your web site. It's also possible that some sensitive information is leaked in the Referer header.

0 link(s)
0 out of 0 are encrypted

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) vastly improves security of the network encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate warnings errors, which are typically trivial to exploit. Additionally, they will no longer submit insecure (plaintext) requests to the site in question, even if asked.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

HSTS Policy

URL from which this policy was obtained.Location

https://www.ovh.com/

Analysis

No parent protection

This host could benefit from further protection if the apex hostname would be configured with a HSTS policy that uses 'includeSubDomains'. Enabling HSTS on an entire domain name is the only approach that provides robust security.

Analysis

Deploy HSTS on this host

This host doesn't use HSTS, which means that its users can be easily attacked via MITM attacks. Consider deploying HSTS to disable certificate warnings and increase content and cookie security.

No HSTS on apex hostname

Even though the main host uses HSTS, the protection is not as good as it could be because the apex hostname doesn't have HSTS deployed. Without robust HSTS, attackers can sometimes abuse cookies and make up plaintext subdomains to use for phishing.

Location: https://ovh.com

HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) enables site operators to restrict which certificates are considered valid for their domain names. With a valid HPKP configuration, sites can defeat man in the middle (MITM) attacks using fraudulent or misissued certificates. HPKP is an advanced feature, suitable for use by only high-profile web sites.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Content Security Policy

Content Security Policy (CSP) is a security mechanism that allows web sites control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, as well as report violations for investigation.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Subresource Integrity

Subresource Integrity (SRI) is a new standard that enables browsers to verify the integrity of embedded page resources (e.g., scripts and stylesheets) when they are loaded from third-party web sites. With SRI deployed, remote resources can be used safely, without fear of them being modified by malicious parties.

Test passed

Everything seems to be well configured. Well done.

No external scripts
SRI not needed

No external stylesheets
SRI not needed

Analysis

No remote resources

The homepage of this site doesn't contain any remote resources so SRI is not needed.

Expect CT

Expect-CT is a deprecated response HTTP header designed to enable web sites to monitor problems related to their Certificate Transparency (CT) compliance. Should any CT issues arise, browsers that supported this header will submit reports to the specified reporting endpoint. Chrome was the browser that introduced support for this response header, but later deprecated it and removed it in version 107.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

Deploy Expect-CT to enable reporting

An Expect-CT policy enables web sites to monitor for any problems related to their Expect-CT compliance, detecting potentially serious issues quickly. When issues arise, compliant browsers will submit reports to the specified reporting endpoints. Before CT became required for all public certificates the Expect-CT was also used to require CT, but that use case no longer applies.

Frame Options

The X-Frame-Options header controls page framing, which occurs when a page is incorporated into some other page, possibly on a different site. If framing is allowed, attackers can employ clever tricks to make victims perform arbitrary actions on your site; they do this by showing their web site while forwarding the victim's clicks to yours.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

XSS Protection

Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, the Safari browser ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

Explicitly disable browser XSS protection

For best security, every web site should explicitly disable browser-based XSS protection. This is because this type of functionality can be used to introduce vulnerabilities into otherwise error-free web sites.

Content Type Options

Some browsers use a technique called content sniffing to override response MIME types provided by HTTP servers and interpret responses as something else (usually HTML). This behavior, which could potentially lead to security issues, should be disabled by attaching an X-Content-Type-Options header to all responses.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Public Report | ovh.com

ovh.com

Domain Name System

Email

WWW

Domain Registration

Registration Data Access Protocol (RDAP)

Analysis

WHOIS

Analysis

DNS Zone

Nameserver Names

Nameserver Addresses

Start of Authority (SOA) Record

Analysis

Backing DNS Queries

DNS Records

DNS Records

Backing DNS Queries

DNSSEC

Useful DNSSEC Tools

Certification Authority Authorization

Analysis

Email (SMTP)

Analysis

Email TLS (SMTP)

TLS Configuration: mx1.ovh.net (188.165.47.122) Cached

Analysis

TLS Configuration: mx2.ovh.net (87.98.132.45) Cached

Analysis

Email Certificates (SMTP)

Certificate #1 Cached

Analysis

Certificate Chain

Analysis

Email DANE (SMTP)

SPF

SPF Policy Information Main policy

Analysis

SPF Policy Information Included policy

SPF Policy Information Included policy

DMARC

DMARC Policy Information

Analysis

MTA Strict Transport Security

SMTP TLS Reporting

HTTP (80)

URL: http://ovh.com/

Analysis

URL: http://www.ovh.com/

Analysis

HTTP (443)

URL: https://ovh.com/

URL: https://www.ovh.com/

WWW TLS

TLS Configuration: ovh.com (198.27.92.1)

Analysis

TLS Configuration: www.ovh.com (198.27.92.1)

Analysis

WWW Certificates

Certificate: www.ovh.com

Analysis

Certificate Trust

Certificate Chain

Analysis

Certificate: ovh.com

Analysis

Certificate Trust

Certificate Chain

Analysis

DANE (443)

Cookies

Mixed Content

Embedded Resources

Outbound Links

HTTP Strict Transport Security

HSTS Policy

Analysis

Analysis

HTTP Public Key Pinning