Deep SSL/TLS Vulnerability Test
This report provides a deep analysis of the SSL/TLS configuration of api.maestra.io. It checks for protocol support, cipher strength, and known vulnerabilities.
Scan Results
Testing all IP addresses (port 443): 18.157.154.242 52.28.87.86 18.192.192.224
-----------------------------------------------------
Start 2026-01-09 04:51:16 -->> 18.157.154.242:443 (api.maestra.io) <<--

Further IP addresses: 18.192.192.224 52.28.87.86
rDNS (18.157.154.242): ec2-18-157-154-242.eu-central-1.compute.amazonaws.com.
Service detected: HTTP

Testing for server implementation bugs

No bugs found.

Testing HTTP header response @ "/"

HTTP Status Code                          200 OK
HTTP clock skew                           -1 sec from localtime
Strict Transport Security                 3650 days=315360000 s, includeSubDomains, preload
Public Key Pinning                        --
Server banner                             Kestrel
Application banner                        --
Cookie(s)                                 (none issued at "/")
Security headers                          X-Frame-Options: DENY
                                          X-Content-Type-Options: nosniff
                                          Content-Security-Policy: default-src 'self' 'unsafe-inline'
                                          X-XSS-Protection: 1; mode=block
                                          Referrer-Policy: same-origin
Reverse Proxy banner                      --

Testing vulnerabilities

Secure Renegotiation (RFC 5746)           supported (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                          https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FE1AB6ABEC4833D6906AF654413AF48C3D368514BD53A65ABC3FF174C2B641B3
LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits),
                                          but no DH EXPORT ciphers
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Done 2026-01-09 04:52:14 [ 69s] -->> 18.157.154.242:443 (api.maestra.io) <<--
-----------------------------------------------------
Start 2026-01-09 04:52:15 -->> 52.28.87.86:443 (api.maestra.io) <<--

Further IP addresses: 18.192.192.224 18.157.154.242
rDNS (52.28.87.86): ec2-52-28-87-86.eu-central-1.compute.amazonaws.com.
Service detected: HTTP

Testing for server implementation bugs

No bugs found.

Testing HTTP header response @ "/"

HTTP Status Code                          429 Too Many Requests. Oh, didn't expect "429 Too Many Requests"
HTTP clock skew                           Got no HTTP time, maybe try different URL?
Strict Transport Security                 not offered
Public Key Pinning                        --
Server banner                             (no "Server" line in header, interesting!)
Application banner                        --
Cookie(s)                                 (none issued at "/") -- HTTP status 429 signals you maybe missed the web application
Security headers                          Cache-Control: no-cache
Reverse Proxy banner                      --

Testing vulnerabilities

Secure Renegotiation (RFC 5746)           supported (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                          https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FE1AB6ABEC4833D6906AF654413AF48C3D368514BD53A65ABC3FF174C2B641B3
LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits),
                                          but no DH EXPORT ciphers
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Done 2026-01-09 04:53:09 [ 124s] -->> 52.28.87.86:443 (api.maestra.io) <<--
-----------------------------------------------------
Start 2026-01-09 04:53:09 -->> 18.192.192.224:443 (api.maestra.io) <<--

Further IP addresses: 18.157.154.242 52.28.87.86
rDNS (18.192.192.224): ec2-18-192-192-224.eu-central-1.compute.amazonaws.com.
Service detected: HTTP

Testing for server implementation bugs

No bugs found.

Testing HTTP header response @ "/"

HTTP Status Code                          200 OK
HTTP clock skew                           -1 sec from localtime
Strict Transport Security                 3650 days=315360000 s, includeSubDomains, preload
Public Key Pinning                        --
Server banner                             Kestrel
Application banner                        --
Cookie(s)                                 (none issued at "/")
Security headers                          X-Frame-Options: DENY
                                          X-Content-Type-Options: nosniff
                                          Content-Security-Policy: default-src 'self' 'unsafe-inline'
                                          X-XSS-Protection: 1; mode=block
                                          Referrer-Policy: same-origin
Reverse Proxy banner                      --

Testing vulnerabilities

Secure Renegotiation (RFC 5746)           supported (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                          https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FE1AB6ABEC4833D6906AF654413AF48C3D368514BD53A65ABC3FF174C2B641B3
LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits),
                                          but no DH EXPORT ciphers
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Done 2026-01-09 04:54:14 [ 189s] -->> 18.192.192.224:443 (api.maestra.io) <<--
-----------------------------------------------------
Done testing now all IP addresses (on port 443): 18.157.154.242 52.28.87.86 18.192.192.224
About this Scan
This scan uses testssl.sh to check for:
- Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
- Vulnerabilities: Heartbleed, POODLE, FREAK, Logjam, DROWN, etc.
- Cipher Suites: Weak ciphers, perfect forward secrecy (PFS) support.