Why it matters: DMARC ties SPF and DKIM results to the visible From: domain (alignment), tells receivers what to do when both fail (quarantine or reject), and surfaces spoofing attempts through aggregate reports. A `p=none` or absent record means spoofed mail is still delivered and nothing is enforced (SOC 2 CC6.7).
Why it matters: MX records direct inbound mail. A misconfigured record silently breaks delivery, and one that points at an unregistered or lapsed hostname (a dangling MX) can be claimed by an attacker, who then receives the domain's mail and can answer in its name (ISO 27001 A.8.21).
Why it matters: SPF lists the hosts allowed to use the domain in the SMTP envelope sender (MAIL FROM). Without it, any sender can put the domain in the envelope-from, a common first step in business-email-compromise lures (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can verify it was not altered in transit and was sent by a server holding the domain's private key. A selector whose public key is missing from DNS, or was rotated without updating the record, fails verification and loses DKIM alignment for DMARC, so receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Look up the missing selectors at your DNS provider, re-publish any records that were removed, and confirm that any selector with an empty `p=` tag is a deliberate revocation rather than a broken rotation
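The three checks above (DMARC policy, SPF qualifier, DKIM selector state) are what a receiving MTA evaluates on every message. The script below is an added example, not the scanner's own code: it parses constructed TXT records the way a receiver would and reports the conditions the findings describe, including the revoked-key case (an empty `p=` tag) that looks like a "valid" record to a naive check. The domain, selectors and records are made up for illustration.

```python
"""Grade DMARC, SPF and DKIM TXT records the way a receiving MTA reads them."""

# Constructed stand-ins for what `dig TXT` would return; none of these are real records.
TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7example"],
    "s2._domainkey.example.com": ["v=DKIM1; k=rsa; p="],  # empty p= is how a revoked key is published
    # s3._domainkey.example.com is deliberately absent
}

LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}  # mechanisms that cost a DNS lookup


def tags(record):
    """Split a 'tag=value; tag=value' record into a dict keyed by lower-case tag."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def dmarc_policy(domain):
    """Return (policy, finding). Receivers treat a missing record as no policy at all."""
    recs = [r for r in TXT.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "absent", "no DMARC record: spoofed mail is delivered and nobody is told"
    t = tags(recs[0])
    policy = t.get("p", "none").lower()
    pct = int(t.get("pct", "100"))
    if policy == "none":
        return policy, "p=none only reports; receivers still deliver spoofed mail"
    if pct < 100:
        return policy, f"pct={pct} applies the policy to only {pct}% of failing mail"
    return policy, "enforcing"


def spf_check(domain):
    """Return (qualifier on 'all', findings), scanning terms left to right as RFC 7208 does."""
    recs = [r for r in TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return None, [f"{len(recs)} SPF records found; exactly one is required"]
    findings, all_qualifier, lookups = [], None, 0
    for term in recs[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        name = mech.split(":", 1)[0].split("/", 1)[0]  # 'a/24' and 'include:x' both reduce to the mechanism
        if name in LOOKUP_MECHS or mech.startswith("redirect="):
            lookups += 1
        if mech == "all":
            all_qualifier = qualifier
            break  # anything after 'all' is never evaluated
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier in (None, "+", "?"):
        label = f"{all_qualifier}all" if all_qualifier else "no 'all' term"
        findings.append(f"{label}: unauthorized senders are not rejected")
    return all_qualifier, findings


def dkim_selectors(domain, selectors):
    """Classify each selector as valid, revoked (empty p=) or missing."""
    status = {}
    for sel in selectors:
        recs = TXT.get(f"{sel}._domainkey.{domain}", [])
        if not recs:
            status[sel] = "missing"
        elif tags(recs[0]).get("p"):
            status[sel] = "valid"
        else:
            status[sel] = "revoked"
    return status


if __name__ == "__main__":
    print(dmarc_policy("example.com"))
    print(spf_check("example.com"))
    print(dkim_selectors("example.com", ["s1", "s2", "s3"]))
```

A `~all` softfail is acceptable only when DMARC is enforcing, because it is the DMARC verdict, not the SPF softfail, that makes a receiver act; with `p=none` the two records above add up to monitoring only.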
Why it matters: MTA-STS lets the domain publish that its MX hosts support TLS with a valid certificate, so sending servers refuse to fall back to plaintext when STARTTLS is stripped or the certificate does not match. Without it, an in-path attacker can downgrade the connection and read mail in transit (SOC 2 CC6.7).
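The policy has two parts a sender consults: a `_mta-sts` TXT record that announces a policy exists, and a policy file served over HTTPS that names the permitted MX hosts and the mode. The checker below is an added example, not the scanner's code; the TXT record, policy file and MX list are constructed, and the HTTPS fetch of the policy file is not shown. It applies the RFC 8461 wildcard rule (one label only) and flags the three things that leave a domain unprotected in practice: `mode=testing`, a short `max_age`, and an MX host the policy does not list.

```python
"""Check an MTA-STS policy against the domain's MX set."""

# Constructed stand-ins (not real): the _mta-sts TXT record, the policy file that
# would be served from https://mta-sts.example.com/.well-known/mta-sts.txt, and the MX hosts.
STS_TXT = "v=STSv1; id=20240101T000000"
POLICY_FILE = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.net\n"
    "max_age: 86400\n"
)
MX_HOSTS = ["mail.example.com", "mx2.backup.example.net", "relay.thirdparty.example"]

ONE_WEEK = 7 * 86400  # RFC 8461 recommends a max_age measured in weeks


def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so it collects into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: '*.example.net' covers exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def evaluate(sts_txt, policy_text, mx_hosts):
    """Return findings; an empty list means enforcing and consistent with the MX set."""
    findings = []
    if not sts_txt.lower().startswith("v=stsv1"):
        findings.append("no _mta-sts TXT record: sending MTAs never look for a policy")
        return findings
    policy = parse_policy(policy_text)
    mode = policy.get("mode")
    if mode != "enforce":
        findings.append(f"mode={mode}: senders still fall back to plaintext after a TLS failure")
    if int(policy.get("max_age", "0")) < ONE_WEEK:
        findings.append("max_age under a week: cached policy lapses between fetches")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} not listed in policy: rejected by senders once mode=enforce")
    return findings


if __name__ == "__main__":
    for finding in evaluate(STS_TXT, POLICY_FILE, MX_HOSTS):
        print(finding)
```

The third finding is the one that bites during rollout: switching to `mode=enforce` while an MX host is missing from the policy makes compliant senders refuse delivery to that host, so fix the MX list first. Pair `mode=testing` with a TLS-RPT record so the failures it tolerates are at least reported.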
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC signs DNS data so that validating resolvers reject forged answers, which defeats cache poisoning. US federal civilian agencies have been required to sign their zones since OMB M-08-23 (NIST SC-20).
Recommendations
Enable DNSSEC at your DNS provider, then publish the DS record it produces at your registrar; until the DS is in the parent zone, the zone is signed but no resolver validates it
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid, current TLS certificate is the baseline for data in transit. An expired certificate, an incomplete or weak chain, or a hostname mismatch breaks HTTPS for clients and fails PCI DSS 4.2.1 / SOC 2 CC6.1.
no CORS headers — cross-origin requests still reach the server, but browsers withhold the response from other origins by default
Why it matters: Permissive CORS (a reflected Origin, or `null`, combined with Access-Control-Allow-Credentials: true) lets any site read authenticated responses from this domain inside the victim's browser. A bare wildcard with credentials is rejected by browsers, so the reflected-origin form is the one that is actually exploitable. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://drwho.me
method: GET
preflight status: 301
access-control-* headers:
  access-control-allow-origin: —
  access-control-allow-methods: —
  access-control-allow-headers: —
  access-control-allow-credentials: —
  access-control-max-age: —
  access-control-expose-headers: —
no access-control-* headers returned — site does not advertise CORS to this origin. A 301 on the preflight is itself a failure: browsers require a 2xx preflight response and do not follow redirects on it, so any non-simple cross-origin request from this origin would be blocked regardless of headers.
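To make the two results above concrete, here is an added example (not the scanner's code) that models the browser side of CORS: the response check a browser runs before page script may read a cross-origin reply, and the preflight rule that turns the 301 above into a network error. It places the vulnerable reflect-any-origin server policy beside an allowlist. The test origin is the one from the report; the attacker origin and allowlist are assumed.

```python
"""Model the browser's CORS decision for a vulnerable and a hardened server policy."""

PAGE_ORIGIN = "https://drwho.me"  # the origin the scan above tested from
ATTACKER = "https://attacker.example"  # assumed hostile origin
ALLOWED = {"https://app.example.com"}  # assumed allowlist of first-party origins


def reflect_any_origin(request_origin):
    """Vulnerable pattern: echo whatever Origin arrived and grant credentials."""
    return {
        "access-control-allow-origin": request_origin,
        "access-control-allow-credentials": "true",
    }


def allowlist_origin(request_origin):
    """Hardened pattern: exact-match allowlist plus Vary: Origin so caches do not mix answers."""
    if request_origin in ALLOWED:
        return {
            "access-control-allow-origin": request_origin,
            "access-control-allow-credentials": "true",
            "vary": "Origin",
        }
    return {}  # no CORS headers: the request was still sent, the browser just hides the reply


def browser_can_read(headers, page_origin, with_credentials):
    """The Fetch CORS check a browser applies before handing a response to page script."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # '*' never pairs with credentials
    if acao != page_origin:
        return False
    if with_credentials:
        return headers.get("access-control-allow-credentials") == "true"
    return True


def preflight_ok(status, headers, page_origin, method):
    """A preflight must answer 2xx (a 301 fails it outright) and permit the method."""
    if not 200 <= status < 300:
        return False
    if not browser_can_read(headers, page_origin, with_credentials=False):
        return False
    listed = {m.strip().upper() for m in headers.get("access-control-allow-methods", "").split(",")}
    return method.upper() in listed or method.upper() in {"GET", "HEAD", "POST"}


if __name__ == "__main__":
    print("reflected origin, credentialed read:", browser_can_read(reflect_any_origin(ATTACKER), ATTACKER, True))
    print("allowlist, attacker read:", browser_can_read(allowlist_origin(ATTACKER), ATTACKER, True))
    print("preflight answered 301:", preflight_ok(301, {}, PAGE_ORIGIN, "GET"))
```

The allowlist must be an exact-match set: a prefix or regex check such as "starts with https://app.example.com" is matched by `https://app.example.com.attacker.example`, which is the same reflection bug in disguise.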
Why it matters: Every publicly trusted certificate issued for this domain is published in Certificate Transparency logs, including ones for subdomains you may have forgotten. Subdomains that appear in CT but not in your inventory are attack surface already disclosed to anyone who looks (ISO 27001 A.8.16).
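The practical check is a set difference between the names CT has seen and the names you manage. The script below is an added example, not the scanner's code: the records are constructed in the JSON shape crt.sh returns (`name_value` carries newline-separated SANs) and are not real issuance data; the inventory and clock are assumed. It normalises case, collapses wildcards to the zone they cover, and keeps the latest expiry per name so an old host with an expired certificate is still reported.

```python
"""Diff names seen in Certificate Transparency against the asset inventory."""
import json
from datetime import datetime, timezone

# Constructed records in the JSON shape crt.sh returns; not real certificates.
CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2026-01-01T00:00:00"},
    {"common_name": "*.staging.example.com", "name_value": "*.staging.example.com",
     "not_after": "2026-03-01T00:00:00"},
    {"common_name": "old-jenkins.example.com", "name_value": "old-jenkins.example.com\nOLD-JENKINS.example.com",
     "not_after": "2024-06-01T00:00:00"},
])
INVENTORY = {"example.com", "www.example.com"}  # assumed list of hosts the team knows about
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is reproducible


def ct_names(raw):
    """Return {name: latest not_after}. Wildcards reduce to the zone they cover."""
    latest = {}
    for rec in json.loads(raw):
        expires = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and (name not in latest or expires > latest[name]):
                latest[name] = expires
    return latest


def unknown_names(raw, inventory, now=NOW):
    """Names in CT that the inventory does not know, tagged live or expired.

    An expired certificate does not mean the host is gone: check DNS for it either way,
    since a forgotten name that still resolves (or dangles) is the real exposure."""
    return {
        name: ("live" if expires >= now else "expired")
        for name, expires in ct_names(raw).items()
        if name not in inventory
    }


if __name__ == "__main__":
    for name, state in sorted(unknown_names(CT_JSON, INVENTORY).items()):
        print(f"{state:8} {name}")
```

Run the same diff the other way too: a name in the inventory with no CT entry at all is a host that has never had a public certificate, which usually means it is served over plaintext or not served at all.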
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Recommendations
Enable auto-renewal at your registrar to avoid accidental expiry
Why it matters: Bare HTTP requests must redirect to HTTPS in a single hop and stay on HTTPS for the rest of the chain. A hop that drops back to plaintext, or a redirect target taken from a request parameter (an open redirect), fails PCI DSS 4.2.1 and gives phishing links a trusted first hop (SOC 2 CC6.6).
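Both failure modes can be judged from a captured chain alone. The checker below is an added example on constructed captures, not the scanner's code: each hop is `(requested_url, status, response_headers)`, the hostnames are placeholders, and the hop limit is an assumed threshold. It flags a redirect that lands on `http://`, a final response without HSTS, and an off-host `Location` whose host was supplied in the request's own query string, which is the signature of an open redirect.

```python
"""Evaluate a captured redirect chain for plaintext fallback and open redirects."""
from urllib.parse import urlparse, parse_qs

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed chains as (requested_url, status, response_headers); not real captures.
CHAIN_GOOD = [
    ("http://example.com/", 301, {"location": "https://example.com/"}),
    ("https://example.com/", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
CHAIN_BAD = [
    ("http://example.com/", 302, {"location": "https://www.example.com/"}),
    ("https://www.example.com/", 302, {"location": "http://www.example.com/landing"}),  # drops to HTTP
    ("http://www.example.com/landing", 200, {}),
]


def is_open_redirect(request_url, location):
    """True when an off-host Location matches a host supplied in the request's query string."""
    req, loc = urlparse(request_url), urlparse(location)
    if not loc.netloc or loc.netloc == req.netloc:
        return False  # relative or same-host target
    for values in parse_qs(req.query).values():
        if any(urlparse(v).netloc == loc.netloc for v in values):
            return True  # the off-host target came straight from a parameter such as next=
    return False


def check_chain(chain, max_hops=5):
    """Return findings for a chain; empty means one clean hop to HTTPS with HSTS."""
    findings = []
    if len(chain) > max_hops:
        findings.append(f"{len(chain)} hops: long chains time out and hide plaintext hops")
    for i, (url, status, headers) in enumerate(chain):
        scheme = urlparse(url).scheme
        last = i == len(chain) - 1
        if status in REDIRECTS:
            location = headers.get("location", "")
            if urlparse(location).scheme == "http":
                findings.append(f"hop {i}: redirects to plaintext {location}")
            if scheme == "http" and status not in (301, 308):
                findings.append(f"hop {i}: HTTP->HTTPS uses {status}; 301/308 lets clients cache the upgrade")
            if is_open_redirect(url, location):
                findings.append(f"hop {i}: Location taken from a request parameter (open redirect)")
        elif last:
            if scheme != "https":
                findings.append("final response served over plaintext HTTP")
            elif "strict-transport-security" not in headers:
                findings.append("HTTPS endpoint sends no HSTS: every first visit still starts in plaintext")
    return findings


if __name__ == "__main__":
    for finding in check_chain(CHAIN_BAD):
        print(finding)
```

The open-redirect test deliberately treats a protocol-relative `//evil.example/x` the same as an absolute URL, because browsers resolve both to the foreign host while naive "must start with /" filters let the former through.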
HTTPS surface reachable (robots ✓, sitemap ✗, title ✗)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
# (ASCII-art logo; whitespace collapsed in extraction)
# Hello bot, engineer, or very lost layperson! Welcome to your stay on the Airbnb site, we're happy to have you as a guest.
# If you're a human who likes solving interesting challenges with other humans, check out our careers page: https://careers.airbnb.com/positions/?_departments=engineering
# If you're a bot who likes crawling webpages, please mind the house rules and avoid accessing any disallowed subfolders to earn a 5-star review from us.
# Either way, thanks for stopping by! There's no need to collect your garbage at the end of your stay - we use Javascript for that.
# See you on the next crawl!
User-agent: Googlebot
Allow: /calendar/ical/
Allow: /.well-known/amphtml/apikey.pub
Disallow: /.well-known/assetlinks.json
Disallow: /*/skeleton
Disallow: /*/sw_skeleton
Disallow: /500
Disallow: /account
Disallow: /alumni
Disallow: /api/v1/trebuchet
Disallow: /associates/click
Disallow: /book/
Disallow: /calendar/
Disallow: /contact_host
Disallow: /disaster/lookup
Disallow: /email/unsubscribe
Disallow: /embeddable
Disallow: /experiences/*?*scheduled_id
Disallow: /experiences/*?*modal
Disallow: /experiences/*/book
Disallow: /external_link?
Disallow: /fix-it
Disallow: /fixit
Disallow: /forgot_password
Disallow: /google_place_photo
Disallow: /api/v2/google_place_photos
Disallow: /groups
Disallow: /guidebooks
Disallow: /help/feedback
Disallow: /help/search
Disallow: /help/search
Disallow: /home/dashboard
Disallow: /inbox
Disallow: /login_with_redirect
Disallow: /logout
Disallow: /manage-listing
Disallow: /messaging/ajax_already_messaged/
Disallow: /my_listings
Disallow: /oauth_connect
Disallow: /payments/book
Disallow: /reservation
Disallow: /rooms/*/amenities
Disallow: /rooms/*/enhanced-cleaning
Disallow: /rooms/*/house-rules
Disallow: /rooms/*/location
Disallow: /rooms/*/photos
Disallow: /rooms/*/reviews
Disallow: /rooms/*/safety
Disallow: /rooms/*?viralityEntryPoint
Disallow: /rooms/*/cancellation-policy
Disallow: /rooms/*/description
Disallow: /s/guidebooks
Disallow: /signed_out_modal.json
Disallow: /signup_modal
Disallow: /stories
Disallow: /trips/upcoming
Disallow: /trips/v1/
Disallow: /update-your-browser
Disallow: /users/*/listings
Disallow: /users/show
Disallow: /users/profile
Disallow: /api/v3/LandingPageStaysQuery
Disallow: /s/*?
Disallow: /s/*/homes
Disallow: /things-to-do/places
User-agent: Bingbot
Allow: /calendar/ical/
Allow: /.well-known/amphtml/apikey.pub
Disallow: /.well-known/assetlinks.json
Disallow: /*/skeleton
Disallow: /*/sw_skeleton
Disallow: /500
Disallow: /account
Disallow: /alumni
Disallow: /api/v1/trebuchet
Disallow: /associates/click
Disallow: /book/
Disallow: /calendar/
Disallow: /contact_host
Disallow: /disaster/lookup
Disallow: /email/unsubscribe
Disallow: /embeddable
Disallow: /experiences/*?*scheduled_id
Disallow: /experiences/*?*modal
Disallow: /experiences/*/book
Disallow: /external_link?
Disallow: /fix-it
Disallow: /fixit
Disallow: /forgot_password
Disallow: /google_place_photo
Disallow: /api/v2/google_place_photos
Disallow: /groups
Disallow: /guidebooks
Disallow: /
sitemap.xml: absent
head:
  title: —
  description: —
social:
  twitter:widgets:csp: on
fetched 2026-05-23T09:25:34.101Z
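A robots.txt is a disallow list published to the world, so the first thing a tester does is read it as a route map. The parser below is an added example, not the scanner's code; it runs on a short excerpt constructed from the listing above (the Bingbot group is shortened, and the real file is longer than what the page shows). It honours the Google-style `*` and `$` wildcards and the longest-match rule so you can test a path the way Googlebot would, and it lists the concrete disallowed paths an attacker would queue for manual inspection.

```python
"""Parse a robots.txt, evaluate a path against it, and extract recon targets."""
import re

# Constructed excerpt of the robots.txt shown above; the full file is longer.
ROBOTS = """\
User-agent: Googlebot
Allow: /calendar/ical/
Disallow: /.well-known/assetlinks.json
Disallow: /*/skeleton
Disallow: /api/v1/trebuchet
Disallow: /rooms/*?viralityEntryPoint
Disallow: /calendar/
User-agent: Bingbot
Disallow: /
"""


def parse_robots(text):
    """Group (allow|disallow, path) rules by lower-cased user-agent; comments are stripped."""
    groups, current = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            current = groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and value:
            current.append((field, value))
    return groups


def to_regex(path):
    """Translate a robots path pattern: '*' matches any run, a trailing '$' anchors the end."""
    pattern = re.escape(path).replace(r"\*", ".*")
    if pattern.endswith(r"\$"):
        pattern = pattern[:-2] + "$"
    return re.compile("^" + pattern)


def is_allowed(groups, agent, url_path):
    """Longest matching rule wins; on a tie the allow rule wins (Google's evaluation order)."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    best = None
    for kind, path in rules:
        if to_regex(path).match(url_path):
            longer = best is None or len(path) > len(best[1])
            tie_allow = best is not None and len(path) == len(best[1]) and kind == "allow"
            if longer or tie_allow:
                best = (kind, path)
    return best is None or best[0] == "allow"


def recon_targets(groups):
    """Concrete disallowed paths (no wildcards, not the bare '/') worth requesting by hand."""
    targets = set()
    for rules in groups.values():
        for kind, path in rules:
            if kind == "disallow" and path != "/" and "*" not in path:
                targets.add(path.split("?", 1)[0])
    return sorted(targets)


if __name__ == "__main__":
    groups = parse_robots(ROBOTS)
    print(is_allowed(groups, "Googlebot", "/calendar/ical/2024.ics"))
    print(recon_targets(groups))
```

Treat the output as a worklist, not a finding: a path being disallowed says the operator did not want it indexed, and whether it is also access-controlled is a separate request.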
Grade: A- · Audit-ready · 5 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass: 10 · Warn: 5 · Fail: 0
What an auditor would flag first
low · DKIM · 1/6 DKIM selectors valid · SOC 2 CC6.7
low · TLS certificate · cert expires in 46 days · SOC 2 CC6.6, ISO 27001 A.13.1.1
low · Security headers · 2 security header(s) missing · SOC 2 CC6.6, ISO 27001 A.14.1.2
Need this as an artifact your auditor can verify?
Your airbnb.com scan flagged 5 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.