coinbase.com

15-check dossier · scoreboard above, section details below

Get a pack →

Scanning…

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

resolving dmarc…

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

inspecting web surface…

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.

coinbase.com

15-check dossier · scoreboard above, section details below

Get a pack →

A-

Audit-ready · 4 minor advisories

Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.

Pass: 11
Warn: 4
Fail: 0

What an auditor would flag first

low
DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
low
TLS certificate
cert expires in 83 days
SOC 2 CC6.6ISO 27001 A.13.1.1
low
DNSSEC
DNSSEC not configured — no DS or DNSKEY records found
SOC 2 CC6.6ISO 27001 A.13.1.1

Need this as an artifact your auditor can verify?

Your coinbase.com scan flagged 4 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.

Get a pack →See methodology See a sample$29

Scanning…

15-check summary

DNS recordsA/AAAA records present
MX5 MX record(s) present
SPF-all hardfail — strict policy
DMARCp=reject — strict policy
DKIM1/6 DKIM selectors valid
TLS certificatecert expires in 83 days
Redirect chainHTTPS served correctly
Security headersall security headers present
CORSno CORS headers — cross-origin requests blocked by default
Web surfaceHTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
MTA-STSnot applicable: no _mta-sts TXT record
TLS-RPTnot applicable: no TLSRPT record
DNSSECDNSSEC not configured — no DS or DNSKEY records found
WHOISdomain expires in 40 days — renew soon
Certificate Transparency58 subdomain(s) found in CT logs (18 wildcard cert(s))

dns

info

Open standalone →

A/AAAA records present

Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).

A: ttl=253 172.64.152.241
ttl=253 104.18.35.15
AAAA: ttl=140 2a06:98c1:3105::6812:230f
ttl=140 2606:4700:440a::ac40:98f1
NS: ttl=85061 sam.ns.cloudflare.com.
ttl=85061 sue.ns.cloudflare.com.
SOA: ttl=1800 sam.ns.cloudflare.com. dns.cloudflare.com. 2404868812 10000 2400 604800 1800
CAA: ttl=300 \# 35 00 05 69 6f 64 65 66 6d 61 69 6c 74 6f 3a 73 65 63 75 72 69 74 79 40 63 6f 69 6e 62 61 73 65 2e 63 6f 6d
ttl=300 \# 20 00 05 69 73 73 75 65 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d
ttl=300 \# 19 00 05 69 73 73 75 65 64 69 67 69 63 65 72 74 2e 63 6f 6d
ttl=300 \# 22 00 05 69 73 73 75 65 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67
ttl=300 \# 41 00 05 69 73 73 75 65 70 6b 69 2e 67 6f 6f 67 3b 20 63 61 6e 73 69 67 6e 68 74 74 70 65 78 63 68 61 6e 67 65 73 3d 79 65 73
TXT: ttl=300 "1password-site-verification=2JYSQ7TWXVDP7DWPHTZRLBRESI"
ttl=300 "DirectFedAuthUrl=https://coinbase.okta.com/app/coinbase_pwc_1/exk1ke47d0l3gh5gp0x8/sso/saml"
ttl=300 "MS=ms23710130"
ttl=300 "TSW_ODg1dGVyYXN3aXRjaA=="
ttl=300 "ahrefs-site-verification_cc6fbe8f6b26b9b07f97892536cda45b7ce7917b040baacf81facc14e820e887"
ttl=300 "applause-verification:4e8f0335-526a-4a52-8da4-f4ecedc931ef"
ttl=300 "apple-domain-verification=7XHeC6zhfdUOulBSjnUyABNhGLx2RMnjebZj2HMPH4w"
ttl=300 "apple-domain-verification=8HpWlON81jar5xva"
ttl=300 "atlassian-domain-verification=hDuZ4Ho1Rts/J4kaoxR9K2Qnywy2Uo+GV8bDIwXEsE4uovTo0vcL+8AVpI4+3j2V"
ttl=300 "cursor-domain-verification-tqme34=zHJPl1GeHjzl9e5kOqNqpcepA"
ttl=300 "de7f455f-f2f0-4669-8193-08e31bfab40f"
ttl=300 "docusign=642eb6c3-8697-4ebd-8a51-a48a05713018"
ttl=300 "docusign=8ace657e-b7bc-4ed2-9cb3-8aa55e7d0597"
ttl=300 "dropbox-domain-verification=ap29irieph9f"
ttl=300 "facebook-domain-verification=qbphvvib286cbvluswam0qypj99ofm"
ttl=300 "google-site-verification=5Vrsjlgs1uhwN5AU2Vg1TPuEBasNdhX3CgxtfTdXOQQ"

fetched 2026-05-23T10:34:01.487Z

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

5 MX record(s) present

Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).

pri=1 aspmx.l.google.com.
pri=5 alt1.aspmx.l.google.com.
pri=5 alt2.aspmx.l.google.com.
pri=10 alt3.aspmx.l.google.com.
pri=10 alt4.aspmx.l.google.com.

fetched 2026-05-23T10:34:01.483Z

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

-all hardfail — strict policy

Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).

v=spf1 include:amazonses.com include:_spf.google.com -all

v=spf1
include:amazonses.com
include:_spf.google.com
-all

fetched 2026-05-23T10:34:01.486Z

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

p=reject — strict policy

Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).

v=DMARC1; p=reject; adkim=s; aspf=s; fo=1; rua=mailto:jpohmdhp@ag.dmarcian.com; ruf=mailto:jpohmdhp@fr.dmarcian.com;

v=: DMARC1
p=: reject
adkim=: s
aspf=: s
fo=: 1
rua=: mailto:jpohmdhp@ag.dmarcian.com
ruf=: mailto:jpohmdhp@fr.dmarcian.com

fetched 2026-05-23T10:34:01.484Z

dmarc

info

Open standalone →

resolving dmarc…

dkim

low

Open standalone →

1/6 DKIM selectors valid

Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).

Recommendations

Check the missing selectors in your DNS provider and re-add any removed records

default:: —
google:: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcyd0NulNlOnDdwuGu8nXjOwarJFGEtwCuxU8In3S6ZHuPHADJJ06bJxPcR1Z4fo5E23lVwsT1RVgne+1XDZHGa5zP+usOe4fl7xnOjy8HkhAHYad/TYJQQgCX0IWLrsw8f3ONDJi06wufhoLLmmTlJG49mLy5J11/XpDblcYekwIDAQAB
k1:: —
selector1:: —
selector2:: —
mxvault:: —

fetched 2026-05-23T10:34:01.489Z

dkim

info

Open standalone →

probing dkim selectors…

tls

low

Open standalone →

cert expires in 83 days

Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.

Recommendations

Schedule certificate renewal — consider enabling auto-renewal

subject cn:: coinbase.com
issuer:: WE1 / Google Trust Services
valid:: May 17 03:56:51 2026 GMT → Aug 15 04:56:49 2026 GMT
authorized:: yes
sha256:: 9B:AC:83:89:C1:84:1D:3C:9B:E7:80:80:B0:23:CB:AA:F3:F2:3F:A9:6A:58:76:B1:06:05:A6:7F:5A:B6:50:C2
sans: coinbase.com
*.coinbase.com

fetched 2026-05-23T10:34:01.535Z

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

HTTPS served correctly

Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).

final status: 403 · 2 hops

[302] https://coinbase.com/
[403] https://www.coinbase.com/

fetched 2026-05-23T10:34:01.609Z

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

all security headers present

Why it matters: Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — defend against XSS, clickjacking, and downgrade attacks. Absent headers map directly to OWASP ASVS V14 findings (ISO 27001 A.8.23).

final url: https://www.coinbase.com/

security headers

strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'none'; script-src 'nonce-P5DBSAgIX8SdjtfVcD9jsu' 'unsafe-eval' https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; img-src 'self' https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com blob:; child-src 'self' https://challenges.cloudflare.com blob:; worker-src blob:; form-action http: https:; base-uri 'self'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: same-origin
permissions-policy: accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),xr-spatial-tracking=(self)

other headers

accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
cf-ray: a00367dffad83b0b-IAD
connection: close
content-encoding: gzip
content-type: text/html; charset=UTF-8
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
date: Sat, 23 May 2026 10:34:01 GMT
nel: {"report_to":"cf-nel","success_fraction":0.01,"max_age":604800}
origin-agent-cluster: ?1
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=kcW00VqIP69JER5UkIrR4i6FleL2Q7sao9HafJ51ivPQnBBB%2FtIv2rIEfnuEnK3sttLHG8Ftq4j82hW3zsDeAm3s3RlU%2FIPwSEvfMH5ZGwtidR2fmGTeot%2FnaKo%2FeVO1UhM%3D"}]}
server: cloudflare
server-timing: chlray;desc="a00367dffad83b0b"
set-cookie: __cf_bm=jAtIIE7qvFIaAaiwTSHswrZFTZxjn6LlrFFzu7Iazws-1779532441.5982747-1.0.1.1-7udvm2LXsSjtLzgyzDJXgdBtJXM8e4jqghOhHD3.dqsDpweZ5ikieaZFfo.h11dM7IlJ2GFA.HcsCzeio.rHz8XgrYSIGYh39vRC3kw23R0RuijhHlOf5.CydCLsq516; HttpOnly; SameSite=None; Secure; Path=/; Domain=coinbase.com; Expires=Sat, 23 May 2026 11:04:01 GMT
transfer-encoding: chunked
vary: accept-encoding

fetched 2026-05-23T10:34:01.615Z

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

no CORS headers — cross-origin requests blocked by default

Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).

origin: https://drwho.me
method: GET
preflight status: 302

access-control-* headers

access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —

no access-control-* headers returned — site does not advertise CORS to this origin

fetched 2026-05-23T10:34:01.571Z

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)

Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).

robots.txt

present

#
#
#                                                        :$$$
#                                  $II                   :III
#                                  III                   :III
#                                                        :III
#           +ZZ+        ?ZZ~                 +ZZZI       :III ?I+           IZZ7          +ZZI          IZZ~
#        .7IIIIII    ~IIIIIIII     $II    7IIIIIIIII7    :IIIIIIIII$     IIIIIIIII7     7IIIIIII     77IIIIIII
#       ZIII.   :   ZIII    III    $II    7II     IIII   :III    III7    I      III:   7II.         ZII,    III.
#       III         III      III   $II    7II      III   :III     III=           III   III          II:      III
#      +III        ZII,      III   $II    7II      III   :III      III     .Z$7IIIII   ,III7       $II    +Z$III
#      7II+        $II       7II   $II    7II      III   :III      III   ZIIII~  III     ?IIIII    $IIIIIIIIII:
#      ~III        III=      III   $II    7II      III   :III      III  ZII      III         IIII  III
#       III         III     ,III   $II    7II      III   :III     7II   7II      III          III   III
#       .III7  :$   ~III?  ZIII    $II    7II      III   :III   $III    =III     III   Z$   ~7III    III7    7$
#         IIIIII      IIIIIII?     $II    7II      III   :IIIIIIIII      ,IIIIIIIIII   IIIIIIII.      IIIIIIII
#
#         Bitcoin Made Easy - Coinbase is the simplest way to buy, use, and accept Bitcoin.
#
#         https://www.coinbase.com/careers
#

User-Agent: facebookexternalhit
Allow: /

User-Agent: Twitterbot
Allow: /

User-Agent: LinkedInBot
Allow: /

User-Agent: WhatsApp
Allow: /

User-agent: Slackbot
Allow: /

User-agent: Discordbot
Allow: /

User-agent: AdsBot-Google
Allow: /

User-agent: AdsBot-Google-Mobile
Allow: /

User-Agent: *
Disallow: /oauth/
Disallow: /*/oauth/
Disallow: /signup-interstitial
Disallow: /*/signup-interstitial
Disallow: /join/
Disallow: /*/join/
Disallow: /spot/*
Disallow: /*/spot/*
Disallow: /advanced-trade/spot/
Disallow: /*/advanced-trade/spot/
Disallow: /converter/*/*?currencyPage*
Disallow: /*/converter/*/*?currencyPage*
Disallow: /price/*?locale*
Disallow: /*/price/*?locale*
Disallow: /partner/
Disallow: /*/partner/
Disallow: /lp/
Disallow: /*/lp/
Disallow: /*/cookie-preferences
Disallow: /*/*/cookie-preferences
Disallow: /cookie-preferences
Disallow: /*/cookie-preferences
Allow: /.well-known/

Sitemap: https://www.coinbase.com/sitemap-converter-index.xml
Sitemap: https://www.coinbase.com/sitemap-derivatives-index.xml
Sitemap: https://www.coinbase.com/sitemap-prediction-markets-index.xml
Sitemap: https://www.coinbase.com/sitemap-equities-index.xml
Sitemap: https://www.coinbase.com/sitemap-how-to-buy-index.xml
Sitemap: https://www.coinbase.com/sitemap-prices-index.xml
Sitemap: https://www.coinbase.com/sitemap-price-prediction-index.xml
Sitemap: https://www.coinbase.com/sitemap-staking-index.xml
Sitemap: https://www.coinbase.com/sitemap-careers.xml
Sitemap: https://www.coinbase.com/sitemap-learn.xml
Sitemap: https://www.coinbase.com/sitemap-bytes.xml
Sitemap: https://www.coinbase.com/sitemap-institutional.xml
Sitemap: https://www.coinbase.com/sitemap-blog.xml
Sitemap: https://www.coinbase.com/sitemap-marketing.xml
Sitemap: https://www.coinbase.com/sitemap-advanced.xml

sitemap.xml

absent

head

title: Just a moment...
description: —

social

no OpenGraph or Twitter meta tags found

fetched 2026-05-23T10:34:01.656Z

web-surface

info

Open standalone →

inspecting web surface…

dnssec

low

Open standalone →

DNSSEC not configured — no DS or DNSKEY records found

Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).

Recommendations

Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar

enabled: no
DS records: —
DNSKEY records: —

fetched 2026-05-23T10:34:01.490Z

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

not applicable: no _mta-sts TXT record

Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).

no _mta-sts TXT record

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

not applicable: no TLSRPT record

Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).

no TLSRPT record

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

low

Open standalone →

domain expires in 40 days — renew soon

Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).

Recommendations

Enable auto-renewal at your registrar to avoid accidental expiry

registrar: MarkMonitor Inc.
created: 2011-07-02T18:23:22Z
expires: 2026-07-02T18:23:22Z
statuses: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited, serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited, serverTransferProhibited https://icann.org/epp#serverTransferProhibited, serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited

fetched 2026-05-23T10:34:01.719Z

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

check failed: crt.sh: AbortError: This operation was aborted; certspotter: Error: certspotter http 429

Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).

crt.sh: AbortError: This operation was aborted; certspotter: Error: certspotter http 429

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.