| Server Header Lookup | GitHub - safe rewrite redirect - defense-in-depth with "always" - Insight at janwillemstegink.nl | |
| Settings to optimize are colored orange. | ||
| RFC 1033 forbids the use of CNAME for the registered, apex domain. The apex domain is the main domain without subdomains, such as ‘example.com’. | ||
| A CNAME affects a subdomain's email settings because MX and SPF cannot differ. The upcoming ANAME is a CNAME flattened to just A/AAAA, so outsourced hosting can then be safe. | ||
| The www subdomain is not unnecessary; it has some useful aspects. If you are hosting elsewhere, you will need a CNAME, which is allowed for the www subdomain. | ||
| And for a website with a subdomain, HSTS can be set more precisely. An RFC draft from PowerDNS and DNSimple on ANAME - Cloudflare about ANAME - Me about CNAME | ||
| RFC 9116: "The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3)". | ||
| RFC 9116: "It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness." | ||
| Suggestion 1: The data contained in the "security.txt" file MUST expire on the date and time as in the "Expires" field, due to the desirability of an annual audit cycle. | ||
| Suggestion 2: For the one-off annual cycle check to work, the "Expires" field date and time is at most 398 (366+31+1) days into the future, equal to the TLS Certificate Lifespan. | ||
| Suggestion 3: Annual audit requires a scheduled date on an office calendar; and customer requests cannot be dealt with if concentrated in one part of the year. | ||
| RFC 6797, 8.1: "If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field." | ||
| Strict Transport Security over secure HTTPS is called HSTS. A server header is only compliant, even if it is just a URL redirect, when it has a functioning HSTS security header. | ||
| Although browsers do not strictly enforce the rule above, the internet.nl tool tests that the URL is also the first URL over HTTPS for a security header to work. | ||
| With multiple HSTS header values - an application can also set a security header - strictly speaking, the first security header applies to the user agent (UA). | ||
| The internet.nl tool does test for an initial header in the initial server header area. | ||
| The Chrome web browser and the securityheaders.com tool show values from application to server header level. The first value, starting from server header level, should be set. | ||
| Note: The securityheaders.com tool does not test and report correctly on rewrite to HTTPS and redirection. | ||
| General approach: Comply with proper initial reading of security headers from the server header(s), and note the interpretation of a subsequent value from an identical security header. | ||
| First rewrite the URL to HTTPS using the checkbox in the control panel, then set the security header values, and finally, if applicable, redirect (conditionally) with a 301 or 302. | ||
| A server header requires sufficient settings before public Internet access can be used safely. Avoid the HSTS preload list unless you understand its implications. | ||
| For search engines in general, a no-indexing statement is necessary to clean up. For deletion in Google Search, even re-registration of the domain may be necessary. | ||
| Note that robots.txt content - for more control over crawling - can block any processing by a search engine, such as the desired removal of search results. | ||
| metaregistrar.com | www.metaregistrar.com | |
| Retrieved from metaregistrar.com on 2026-02-22 at 05:29:58 UTC in 5 seconds. | ||
| initial: 301 - http://metaregistrar.com/ (safe from http://metaregistrar.com/ to https://metaregistrar.com/) | initial: 301 - http://www.metaregistrar.com/ (safe from http://www.metaregistrar.com/ to https://www.metaregistrar.com/) | |
| destination: 200 - https://metaregistrar.com/ | destination: 200 - https://metaregistrar.com/ | |
| initial: 200 - https://metaregistrar.com/ | initial: 301 - https://www.metaregistrar.com/ (safe from https://www.metaregistrar.com/ to https://metaregistrar.com/) | |
| destination: 200 - https://metaregistrar.com/ | destination: 200 - https://metaregistrar.com/ | |
| metaregistrar.com works with A IPv4 TTL 600, A 213.249.70.254 points to rDNS: infra.yourdomainprovider.net points to FCrDNS TTL 300, A 213.249.70.254 | www.metaregistrar.com works with A IPv4 TTL 600, A 213.249.70.254 points to rDNS: infra.yourdomainprovider.net points to FCrDNS TTL 300, A 213.249.70.254 | |
| metaregistrar.com works with quad A IPv6 TTL 300, AAAA 2a01:448:1004::254 points to rDNS: infra.yourdomainprovider.net points to FCrDNS TTL 300, AAAA 2a01:448:1004::254 | www.metaregistrar.com works with quad A IPv6 TTL 300, AAAA 2a01:448:1004::254 points to rDNS: infra.yourdomainprovider.net points to FCrDNS TTL 300, AAAA 2a01:448:1004::254 | |
| metaregistrar.com TTL 600, CAA 0 issue letsencrypt.org metaregistrar.com TTL 600, CAA 0 issue digicert.com metaregistrar.com TTL 600, CAA 0 issue comodoca.com | ||
| metaregistrar.com TTL 300, MX 10 filter01.yourdomainprovider.net. IPv4: 213.249.66.8 IPv6: 2a01:448:1:1002::8 metaregistrar.com TTL 300, MX 10 filter02.yourdomainprovider.net. IPv4: 213.249.66.9 IPv6: 2a01:448:1:1002::9 | ("0 ." would block email to A/AAAA; Null MX not in cPanel) | |
| metaregistrar.com TTL 600, TXT apple-domain-verification=gJueEtL8cfYZrgIe metaregistrar.com TTL 600, TXT v=spf1 ip4:213.249.80.0/24 ip4:213.249.70.254/32 include:spf.afas.online include:spf-prov.metaregistrar.com include:spf.yourdomainprovider.net include:mail.zendesk.com include:spf.mandrillapp.com include:25601448.spf06.hubspotemail.net -all | ("v=spf1 -all" plus "reject" in DMARC would block email) | |
| _dmarc.metaregistrar.com TTL 300, TXT v=DMARC1; p=reject; rua=mailto:fsxrgmoe@ag.eu.dmarcadvisor.com; | _dmarc.metaregistrar.com TTL 300, TXT v=DMARC1; p=reject; rua=mailto:fsxrgmoe@ag.eu.dmarcadvisor.com; | |
| (To name and achieve the desired situation: different AS, AnyCast, DNSSEC algorithm 13, different DNS software) | ||
| Autonomous system IPv4: countryCode: NL regionName: South Holland city: Gouda isp: Metaregistrar B.V. org: Metaregistrar B.V as: AS42585 Metaregistrar B.V. asname: METAREGISTRAR reverse: infra.yourdomainprovider.net query: 213.249.70.254 | Autonomous system IPv4: countryCode: NL regionName: South Holland city: Gouda isp: Metaregistrar B.V. org: Metaregistrar B.V as: AS42585 Metaregistrar B.V. asname: METAREGISTRAR reverse: infra.yourdomainprovider.net query: 213.249.70.254 | |
| Autonomous system IPv6: countryCode: NL regionName: North Holland city: Amsterdam isp: Metaregistrar B.V. org: Metaregistrar B.V as: AS42585 Metaregistrar B.V. asname: METAREGISTRAR reverse: infra.yourdomainprovider.net query: 2a01:448:1004::254 | Autonomous system IPv6: countryCode: NL regionName: North Holland city: Amsterdam isp: Metaregistrar B.V. org: Metaregistrar B.V as: AS42585 Metaregistrar B.V. asname: METAREGISTRAR reverse: infra.yourdomainprovider.net query: 2a01:448:1004::254 | |
| Start of Authority: (this can be one of a registrant, second-level or top-level domain) host: metaregistrar.com class: IN ttl: 300 type: SOA mname: ns-cloud-b1.googledomains.com rname: cloud-dns-hostmaster.google.com serial: 1 refresh: 21600 retry: 3600 expire: 259200 minimum-ttl: 300 | Start of Authority: (no registrant domain) | |
| https://metaregistrar.com/robots.txt | https://www.metaregistrar.com/robots.txt https://metaregistrar.com/robots.txt | |
| User-agent: * Disallow: /wp-admin/ Allow: /wp-admin/admin-ajax.php Sitemap: https://metaregistrar.com/wp-sitemap.xml | User-agent: * Disallow: /wp-admin/ Allow: /wp-admin/admin-ajax.php Sitemap: https://metaregistrar.com/wp-sitemap.xml | |
| viewport: width=device-width, initial-scale=1 robots: max-image-preview:large generator: Elementor 3.35.5; features: additional_custom_breakpoints; settings: css_print_method-external, google_font-enabled, font_display-auto msapplication-tileimage: https://metaregistrar.com/wp-content/uploads/2021/02/mr-favicon.svg | viewport: width=device-width, initial-scale=1 robots: max-image-preview:large generator: Elementor 3.35.5; features: additional_custom_breakpoints; settings: css_print_method-external, google_font-enabled, font_display-auto msapplication-tileimage: https://metaregistrar.com/wp-content/uploads/2021/02/mr-favicon.svg | |
| https://metaregistrar.com/security.txt | https://www.metaregistrar.com/security.txt https://metaregistrar.com/security.txt | |
| HTTP code 404 received. | HTTP code 404 received. | |
| https://metaregistrar.com/.well-known/security.txt | https://www.metaregistrar.com/.well-known/security.txt | |
| Contact: mailto:infra@metaregistrar.com Expires: 2027-09-19T08:00:00.000Z Preferred-Languages: en,nl Policy: https://metaregistrar.com/wp-content/uploads/2022/10/Information-Security-Policy-Metaregistrar.pdf | Contact: mailto:infra@metaregistrar.com Expires: 2027-09-19T08:00:00.000Z Preferred-Languages: en,nl Policy: https://metaregistrar.com/wp-content/uploads/2022/10/Information-Security-Policy-Metaregistrar.pdf | |
| HSTS active, no subdomains, no complicating preload | HSTS active, no subdomains, no complicating preload | |
| If unexpectedly unsafe: The always directive in Apache ensures that a header is set, even for error responses. By default, Nginx only sets headers for successful responses (2xx, 3xx). | ||
| HTTP/2 200 server: nginx date: Sun 22 Feb 2026 05:30:00 GMT content-type: text/html; charset=UTF-8 x-powered-by: PHP/8.3.30 x-frame-options: sameorigin link: <https://metaregistrar.com/wp-json/>; rel="https://api.w.org/" <https://metaregistrar.com/wp-json/wp/v2/pages/23>; rel="alternate"; title="JSON"; type="application/json" <https://metaregistrar.com/>; rel=shortlink access-control-allow-origin: * vary: Origin strict-transport-security: max-age=31536000 x-cache-status: MISS x-powered-by: PleskLin | HTTP/2 301 server: nginx date: Sun 22 Feb 2026 05:30:00 GMT content-type: text/html; charset=UTF-8 x-powered-by: PHP/8.3.30 x-frame-options: sameorigin x-redirect-by: WordPress location: https://metaregistrar.com/ access-control-allow-origin: * vary: Origin strict-transport-security: max-age=31536000 x-cache-status: MISS x-powered-by: PleskLin | |
| url: https://metaregistrar.com/ content_type: text/html; charset=UTF-8 http_code: 200 header_size: 522 request_size: 180 filetime: -1 ssl_verify_result: 0 redirect_count: 0 total_time: 0.351728 namelookup_time: 0.002819 connect_time: 0.004939 pretransfer_time: 0.0191 size_upload: 0 size_download: 0 speed_download: 0 speed_upload: 0 download_content_length: -1 upload_content_length: 0 starttransfer_time: 0.351224 redirect_time: 0 redirect_url: primary_ip: 2a01:448:1004::254 certinfo: Array primary_port: 443 local_ip: 2a01:7c8:bb09:14:5054:ff:fe2d:7878 local_port: 48334 http_version: 3 protocol: 2 ssl_verifyresult: 0 scheme: HTTPS appconnect_time_us: 18940 connect_time_us: 4939 namelookup_time_us: 2819 pretransfer_time_us: 19100 redirect_time_us: 0 starttransfer_time_us: 351224 total_time_us: 351728 | url: https://www.metaregistrar.com/ content_type: text/html; charset=UTF-8 http_code: 301 header_size: 363 request_size: 184 filetime: -1 ssl_verify_result: 0 redirect_count: 0 total_time: 0.277585 namelookup_time: 0.001878 connect_time: 0.004115 pretransfer_time: 0.019642 size_upload: 0 size_download: 0 speed_download: 0 speed_upload: 0 download_content_length: -1 upload_content_length: 0 starttransfer_time: 0.277521 redirect_time: 0 redirect_url: https://metaregistrar.com/ primary_ip: 2a01:448:1004::254 certinfo: Array primary_port: 443 local_ip: 2a01:7c8:bb09:14:5054:ff:fe2d:7878 local_port: 48342 http_version: 3 protocol: 2 ssl_verifyresult: 0 scheme: HTTPS appconnect_time_us: 19505 connect_time_us: 4115 namelookup_time_us: 1878 pretransfer_time_us: 19642 redirect_time_us: 0 starttransfer_time_us: 277521 total_time_us: 277585 | |
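
The RFC 9116 "Expires" recommendation and Suggestion 2 near the top of this page can be checked mechanically. The following is an added example, not part of the lookup tool: it classifies a security.txt "Expires" value against the scan time, using the fields reported above with line breaks restored. Reading "a year" as 365 days and the function names are assumptions.

```python
from datetime import datetime, timezone

RFC_RECOMMENDED_DAYS = 365   # assumption: RFC 9116 "less than a year" read as 365 days
SUGGESTED_MAX_DAYS = 398     # Suggestion 2 on this page: 366+31+1

# Contact/Expires/Preferred-Languages as reported in the scan, line breaks restored.
SAMPLE = """\
Contact: mailto:infra@metaregistrar.com
Expires: 2027-09-19T08:00:00.000Z
Preferred-Languages: en,nl
"""
RETRIEVED = datetime(2026, 2, 22, 5, 29, 58, tzinfo=timezone.utc)  # scan timestamp

def parse_fields(text):
    """Map lower-cased field names to their values; skip comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_expires(text, now):
    """Return (status, whole days until expiry) relative to an aware `now`."""
    values = parse_fields(text).get("expires", [])
    if len(values) != 1:
        return ("invalid", None)      # RFC 9116: present, and not more than once
    try:
        when = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    except ValueError:
        return ("invalid", None)
    if when.tzinfo is None:
        return ("invalid", None)      # no UTC offset, so the instant is ambiguous
    days = (when - now).days
    if when <= now:
        return ("expired", days)
    if days > SUGGESTED_MAX_DAYS:
        return ("beyond-398-days", days)
    if days >= RFC_RECOMMENDED_DAYS:
        return ("beyond-one-year", days)
    return ("ok", days)

if __name__ == "__main__":
    print(check_expires(SAMPLE, RETRIEVED))
```
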
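
The RFC 6797, 8.1 rule quoted near the top of this page (only the first STS header field is processed) can be applied to a raw response header block as follows. This is an added example, not the lookup tool's code; the function names and the two-header sample are constructed for illustration.

```python
# Constructed sample: a server-level header followed by an application-level one.
TWO_HEADERS = """\
HTTP/2 301
server: nginx
strict-transport-security: max-age=31536000
location: https://example.test/
strict-transport-security: max-age=300; includeSubDomains; preload
"""
# Subset of the apex response headers shown in the scan above.
SCANNED = """\
HTTP/2 200
server: nginx
x-frame-options: sameorigin
strict-transport-security: max-age=31536000
"""

def sts_values(raw):
    """Return Strict-Transport-Security values in the order received."""
    values = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_sts(value):
    """Parse one header value; 'preload' is the preload-list token, not RFC 6797."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy

def effective_policy(raw):
    """Policy a strict UA applies: the first header only; later ones are reported."""
    values = sts_values(raw)
    if not values:
        return None
    policy = parse_sts(values[0])
    policy["ignored"] = values[1:]
    policy["conflict"] = any(parse_sts(v) != parse_sts(values[0]) for v in values[1:])
    return policy
```

A `conflict` of `True` means a later header carries a different policy than the one a strict user agent would apply, which is the situation the general approach on this page warns about.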