Deep SSL/TLS Vulnerability Test

This report provides a deep analysis of the SSL/TLS configuration of app.nordantech.com. It checks for protocol support, cipher strength, and known vulnerabilities.

Scan Results

Testing all IP addresses (port 443): 13.32.164.13 13.32.164.32 13.32.164.61 13.32.164.73
-----------------------------------------------------
 Start 2026-07-08 15:58:01        -->> 13.32.164.13:443 (app.nordantech.com) <<--

 Further IP addresses:   13.32.164.73 13.32.164.32 13.32.164.61 
 rDNS (13.32.164.13):    server-13-32-164-13.ord58.r.cloudfront.net.
 Service detected:       HTTP

 Testing for server implementation bugs 

 No bugs found.

 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 HTTP Age (RFC 7234)          1975196
 Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                AmazonS3
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self';
                                script-src 'self' 'unsafe-inline' 'unsafe-eval'
                                https://cdn.tailwindcss.com
                                https://app.intercom.io
                                https://widget.intercom.io
                                https://js.intercomcdn.com; style-src 'self'
                                'unsafe-inline' https://fonts.googleapis.com;
                                img-src 'self' data: blob: https://*; font-src
                                'self' data: https://*.intercomcdn.com
                                https://fonts.googleapis.com
                                https://fonts.gstatic.com; connect-src 'self'
                                https://*.nordan.tech https://*.pusher.com
                                https://*.pusherapp.com wss://*.pusher.com
                                wss://*.pusherapp.com https://sentry.io
                                https://*.intercom.io wss://*.intercom.io
                                https://*.intercom-messenger.com
                                wss://*.intercom-messenger.com
                                https://*.intercomcdn.com
                                https://*.intercomcdn.eu
                                https://*.intercomusercontent.com
                                https://*.loom.com; media-src 'self' data:
                                blob: https://*.intercomcdn.com
                                https://*.intercomcdn.eu; object-src 'none';
                                child-src 'self' https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://www.youtube.com
                                https://player.vimeo.com
                                https://fast.wistia.net; frame-src 'self'
                                https://*.nordan.tech
                                https://view.officeapps.live.com
                                https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://*.loom.com; worker-src 'self' blob:;
                                frame-ancestors 'self'; form-action 'self'
                                https://intercom.help https://*.intercom.io
                                https://canny.io https://*.canny.io; report-uri
                                https://o142630.ingest.sentry.io/api/1237888/security/?sentry_key=483fe2c079a94ae99d457687c4af4d36&sentry_environment=production
                              X-XSS-Protection: 1; mode=block
                              Referrer-Policy: strict-origin-when-cross-origin
                              Cache-Control: public, max-age=31557600
 Reverse Proxy banner         X-Cache: Hit from cloudfront
                              Via: 1.1 a4888bfa57444daa340ca8dc53629170.cloudfront.net (CloudFront)


 Testing vulnerabilities 

 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=7AE3706AB6CA222A5D5CA8483E451CFB50BF9582DBFC9DD45BAD79A073CE57D5
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Done 2026-07-08 15:59:19 [  87s] -->> 13.32.164.13:443 (app.nordantech.com) <<--

-----------------------------------------------------
 Start 2026-07-08 15:59:19        -->> 13.32.164.32:443 (app.nordantech.com) <<--

 Further IP addresses:   13.32.164.73 13.32.164.13 13.32.164.61 
 rDNS (13.32.164.32):    server-13-32-164-32.ord58.r.cloudfront.net.
 Service detected:       HTTP

 Testing for server implementation bugs 

 No bugs found.

 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 HTTP Age (RFC 7234)          1975283
 Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                AmazonS3
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self';
                                script-src 'self' 'unsafe-inline' 'unsafe-eval'
                                https://cdn.tailwindcss.com
                                https://app.intercom.io
                                https://widget.intercom.io
                                https://js.intercomcdn.com; style-src 'self'
                                'unsafe-inline' https://fonts.googleapis.com;
                                img-src 'self' data: blob: https://*; font-src
                                'self' data: https://*.intercomcdn.com
                                https://fonts.googleapis.com
                                https://fonts.gstatic.com; connect-src 'self'
                                https://*.nordan.tech https://*.pusher.com
                                https://*.pusherapp.com wss://*.pusher.com
                                wss://*.pusherapp.com https://sentry.io
                                https://*.intercom.io wss://*.intercom.io
                                https://*.intercom-messenger.com
                                wss://*.intercom-messenger.com
                                https://*.intercomcdn.com
                                https://*.intercomcdn.eu
                                https://*.intercomusercontent.com
                                https://*.loom.com; media-src 'self' data:
                                blob: https://*.intercomcdn.com
                                https://*.intercomcdn.eu; object-src 'none';
                                child-src 'self' https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://www.youtube.com
                                https://player.vimeo.com
                                https://fast.wistia.net; frame-src 'self'
                                https://*.nordan.tech
                                https://view.officeapps.live.com
                                https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://*.loom.com; worker-src 'self' blob:;
                                frame-ancestors 'self'; form-action 'self'
                                https://intercom.help https://*.intercom.io
                                https://canny.io https://*.canny.io; report-uri
                                https://o142630.ingest.sentry.io/api/1237888/security/?sentry_key=483fe2c079a94ae99d457687c4af4d36&sentry_environment=production
                              X-XSS-Protection: 1; mode=block
                              Referrer-Policy: strict-origin-when-cross-origin
                              Cache-Control: public, max-age=31557600
 Reverse Proxy banner         X-Cache: Hit from cloudfront
                              Via: 1.1 452324c4cfd54555e3a2d8c074edaf78.cloudfront.net (CloudFront)


 Testing vulnerabilities 

 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=7AE3706AB6CA222A5D5CA8483E451CFB50BF9582DBFC9DD45BAD79A073CE57D5
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Done 2026-07-08 16:00:37 [ 165s] -->> 13.32.164.32:443 (app.nordantech.com) <<--

-----------------------------------------------------
 Start 2026-07-08 16:00:37        -->> 13.32.164.61:443 (app.nordantech.com) <<--

 Further IP addresses:   13.32.164.73 13.32.164.13 13.32.164.32 
 rDNS (13.32.164.61):    server-13-32-164-61.ord58.r.cloudfront.net.
 Service detected:       HTTP

 Testing for server implementation bugs 

 No bugs found.

 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 HTTP Age (RFC 7234)          1975364
 Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                AmazonS3
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self';
                                script-src 'self' 'unsafe-inline' 'unsafe-eval'
                                https://cdn.tailwindcss.com
                                https://app.intercom.io
                                https://widget.intercom.io
                                https://js.intercomcdn.com; style-src 'self'
                                'unsafe-inline' https://fonts.googleapis.com;
                                img-src 'self' data: blob: https://*; font-src
                                'self' data: https://*.intercomcdn.com
                                https://fonts.googleapis.com
                                https://fonts.gstatic.com; connect-src 'self'
                                https://*.nordan.tech https://*.pusher.com
                                https://*.pusherapp.com wss://*.pusher.com
                                wss://*.pusherapp.com https://sentry.io
                                https://*.intercom.io wss://*.intercom.io
                                https://*.intercom-messenger.com
                                wss://*.intercom-messenger.com
                                https://*.intercomcdn.com
                                https://*.intercomcdn.eu
                                https://*.intercomusercontent.com
                                https://*.loom.com; media-src 'self' data:
                                blob: https://*.intercomcdn.com
                                https://*.intercomcdn.eu; object-src 'none';
                                child-src 'self' https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://www.youtube.com
                                https://player.vimeo.com
                                https://fast.wistia.net; frame-src 'self'
                                https://*.nordan.tech
                                https://view.officeapps.live.com
                                https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://*.loom.com; worker-src 'self' blob:;
                                frame-ancestors 'self'; form-action 'self'
                                https://intercom.help https://*.intercom.io
                                https://canny.io https://*.canny.io; report-uri
                                https://o142630.ingest.sentry.io/api/1237888/security/?sentry_key=483fe2c079a94ae99d457687c4af4d36&sentry_environment=production
                              X-XSS-Protection: 1; mode=block
                              Referrer-Policy: strict-origin-when-cross-origin
                              Cache-Control: public, max-age=31557600
 Reverse Proxy banner         X-Cache: Hit from cloudfront
                              Via: 1.1 2055b120599156ec1f3f6f60a3c2047e.cloudfront.net (CloudFront)


 Testing vulnerabilities 

 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=7AE3706AB6CA222A5D5CA8483E451CFB50BF9582DBFC9DD45BAD79A073CE57D5
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Done 2026-07-08 16:01:58 [ 246s] -->> 13.32.164.61:443 (app.nordantech.com) <<--

-----------------------------------------------------
 Start 2026-07-08 16:01:58        -->> 13.32.164.73:443 (app.nordantech.com) <<--

 Further IP addresses:   13.32.164.13 13.32.164.32 13.32.164.61 
 rDNS (13.32.164.73):    server-13-32-164-73.ord58.r.cloudfront.net.
 Service detected:       HTTP

 Testing for server implementation bugs 

 No bugs found.

 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 HTTP Age (RFC 7234)          1975455
 Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                AmazonS3
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self';
                                script-src 'self' 'unsafe-inline' 'unsafe-eval'
                                https://cdn.tailwindcss.com
                                https://app.intercom.io
                                https://widget.intercom.io
                                https://js.intercomcdn.com; style-src 'self'
                                'unsafe-inline' https://fonts.googleapis.com;
                                img-src 'self' data: blob: https://*; font-src
                                'self' data: https://*.intercomcdn.com
                                https://fonts.googleapis.com
                                https://fonts.gstatic.com; connect-src 'self'
                                https://*.nordan.tech https://*.pusher.com
                                https://*.pusherapp.com wss://*.pusher.com
                                wss://*.pusherapp.com https://sentry.io
                                https://*.intercom.io wss://*.intercom.io
                                https://*.intercom-messenger.com
                                wss://*.intercom-messenger.com
                                https://*.intercomcdn.com
                                https://*.intercomcdn.eu
                                https://*.intercomusercontent.com
                                https://*.loom.com; media-src 'self' data:
                                blob: https://*.intercomcdn.com
                                https://*.intercomcdn.eu; object-src 'none';
                                child-src 'self' https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://www.youtube.com
                                https://player.vimeo.com
                                https://fast.wistia.net; frame-src 'self'
                                https://*.nordan.tech
                                https://view.officeapps.live.com
                                https://intercom-sheets.com
                                https://www.intercom-reporting.com
                                https://*.loom.com; worker-src 'self' blob:;
                                frame-ancestors 'self'; form-action 'self'
                                https://intercom.help https://*.intercom.io
                                https://canny.io https://*.canny.io; report-uri
                                https://o142630.ingest.sentry.io/api/1237888/security/?sentry_key=483fe2c079a94ae99d457687c4af4d36&sentry_environment=production
                              X-XSS-Protection: 1; mode=block
                              Referrer-Policy: strict-origin-when-cross-origin
                              Cache-Control: public, max-age=31557600
 Reverse Proxy banner         X-Cache: Hit from cloudfront
                              Via: 1.1 bd02c4a72f88f2bbd693051675941962.cloudfront.net (CloudFront)


 Testing vulnerabilities 

 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=7AE3706AB6CA222A5D5CA8483E451CFB50BF9582DBFC9DD45BAD79A073CE57D5
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Done 2026-07-08 16:03:31 [ 339s] -->> 13.32.164.73:443 (app.nordantech.com) <<--

-----------------------------------------------------
Done testing now all IP addresses (on port 443): 13.32.164.13 13.32.164.32 13.32.164.61 13.32.164.73

About this Scan

This scan uses testssl.sh to check for:

  • Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
  • Vulnerabilities: Heartbleed, POODLE, FREAK, Logjam, DROWN, etc.
  • Cipher Suites: Weak ciphers, perfect forward secrecy (PFS) support.

Run Another Scan Recent Scans