Why it matters: MX records tell sending servers where inbound mail for the domain goes. A wrong or dangling MX silently breaks delivery, and an MX hostname that no longer resolves or whose domain has lapsed can be registered by an attacker, who then receives the domain's mail or runs it as a parallel MX for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: DMARC ties SPF and DKIM results to the From: domain the user actually sees (alignment) and turns them into a policy receivers enforce (quarantine or reject), with aggregate reports that show who is sending as you. `p=none` or no record at all means spoofed mail is still delivered; at best you are told about it afterwards (SOC 2 CC6.7).
Recommendations
Upgrade to p=reject once aggregate (rua) reports show your legitimate senders passing SPF or DKIM with alignment consistently; move pct up in steps if you want to stage the change
Why it matters: SPF publishes which hosts may send mail using the domain in the SMTP envelope (MAIL FROM). Without it any server can use that address, which is one of the cheapest ways to start a business-email-compromise campaign. SPF alone does not check the From: header the recipient sees; DMARC alignment does (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail with a key published at <selector>._domainkey.<domain> so receivers can verify the message was not altered in transit. A selector still used in live signatures but absent from DNS, or published with an empty p=, makes those signatures unverifiable, breaks DMARC alignment on the DKIM side and lets receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors against what your mail providers currently sign with: re-add records that were removed while still in use, and retire selectors that no longer sign rather than leaving stale references behind
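The SPF, DKIM and DMARC checks described above, as an added example that is not part of the scan report or its tooling. It lints the three records the way a receiving MTA reads them: SPF qualifier on `all`, the 10-lookup limit, the deprecated `ptr` mechanism, DMARC policy, `rua`, `pct` and `sp`, and DKIM selectors that are missing or revoked. Every record in the block is constructed; `example.com`, the selector names and the report mailbox are placeholders.

```python
"""Lint SPF, DMARC and DKIM TXT records the way a receiving MTA reads them.

Added example, not part of the scan report or its tooling. Every record below
is constructed; example.com, the selector names and the mailbox are placeholders.
"""
import re
from typing import Optional

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument: 'include:x' -> 'include', '-all' -> 'all'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def lint_spf(record: str) -> list:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must begin with v=spf1"]
    body = terms[1:]
    lookups = sum(1 for t in body if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; receivers return permerror")
    all_terms = [t for t in body if _term_name(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_terms[0][0] not in "-~":
        # '+all', '?all' or a bare 'all' lets any host pass
        findings.append(f"SPF: '{all_terms[0]}' does not fail unlisted senders; use -all or ~all")
    if any(_term_name(t) == "ptr" for t in body):
        findings.append("SPF: 'ptr' is deprecated and slow; replace with ip4/ip6 or include")
    return findings


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: Optional[str]) -> list:
    if not record:
        return ["DMARC: no record; spoofed mail is delivered and nobody is told"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag missing; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends failures to spam; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports go nowhere")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("DMARC: pct is not numeric")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if policy == "reject" and tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves every subdomain spoofable despite p=reject")
    return findings


def lint_dkim(selectors: dict) -> tuple:
    """selectors maps name -> TXT at <name>._domainkey.<domain>, or None when the lookup returned nothing."""
    valid, findings = 0, []
    for name, txt in selectors.items():
        if txt is None:
            findings.append(f"DKIM: selector '{name}' missing; mail signed with it fails verification")
            continue
        if not parse_tags(txt).get("p"):
            findings.append(f"DKIM: selector '{name}' publishes an empty p=; the key is revoked")
            continue
        valid += 1
    return valid, findings


if __name__ == "__main__":
    # Constructed records that trip the checks above
    for f in lint_spf("v=spf1 include:_spf.example.net a mx ptr ip4:203.0.113.0/24 +all"):
        print(f)
    for f in lint_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50"):
        print(f)
    valid, dkim_findings = lint_dkim({"s1": "v=DKIM1; k=rsa; p=MIIBIjANBg", "s2": None, "s3": "v=DKIM1; p="})
    print(f"{valid}/3 DKIM selectors valid")
    for f in dkim_findings:
        print(f)
```

Feed it the records you get back from `dig TXT` on the domain, `_dmarc.<domain>` and each `<selector>._domainkey.<domain>`; the DKIM check only needs to know which selectors your providers sign with, which is the list the recommendation above asks you to confirm.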
DNSSEC enabled — DS records present and chain validated (AD flag)
Why it matters: DNSSEC signs DNS data so a validating resolver can detect forged or cache-poisoned answers and discard them; resolvers that do not validate get no protection, so the AD flag above only tells you the chain is sound, not that every client checks it. US federal civilian agencies have been required to sign their zones since OMB M-08-23 (NIST SC-20).
Why it matters: MTA-STS lets the receiving domain publish a policy (a DNS TXT record plus an HTTPS-hosted policy file) that sending MTAs honour: deliver only over TLS to the listed MX hosts with a valid certificate, and never fall back to plaintext. Without it, an in-path attacker can strip STARTTLS and read or modify mail in transit. Enforcement happens on the sending side, so the policy protects you only against senders that check it (SOC 2 CC6.7).
Why it matters: Without A or AAAA records at the apex, the bare domain does not resolve and anything pointed at it is unreachable. Missing baseline DNS reads, in a vendor review, as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid, current TLS certificate is the baseline control for data in transit. Expiry, an incomplete or untrusted chain, or a hostname mismatch breaks HTTPS for every client that validates properly and fails PCI DSS 4.2.1 / SOC 2 CC6.1.
Why it matters: Certificate Transparency logs record every publicly trusted certificate issued for this domain, including subdomains you may have forgotten. Anything listed there is attack surface already disclosed to anyone who searches the logs, so unknown hosts should be decommissioned or brought under management (ISO 27001 A.8.16).
Why it matters: Plain HTTP requests must redirect to HTTPS in a chain that ends on the canonical host, with no plaintext step that serves content and no redirect that takes an attacker-chosen URL. A plaintext fallback or open redirect fails PCI DSS 4.2.1 and feeds phishing chains; pair the redirect with HSTS so returning browsers skip the HTTP step entirely (SOC 2 CC6.6).
no CORS headers returned; cross-origin reads are blocked by default
Why it matters: Overly permissive CORS (a wildcard or a reflected Origin, combined with Access-Control-Allow-Credentials: true) lets any site read authenticated responses from this domain inside the victim's browser. This is OWASP A05 misconfiguration territory (NIST AC-4). Two caveats when reading the probe below: the absence of CORS headers stops cross-origin reads, not cross-origin requests, so CSRF defences are still required; and a 301 on the preflight means any request that genuinely needed a preflight would fail, because browsers do not follow redirects on the OPTIONS request.
probe origin: https://drwho.me
method: GET
preflight status: 301
access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —
no access-control-* headers returned; site does not advertise CORS to this origin
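The classification the CORS probe above performs, as an added example that is not the scanner's code. It takes the Origin sent, the response status and the response headers, and reports what a browser would let a cross-origin page read: nothing, anonymous reads only, or credentialed reads (reflected origin or `null` plus allow-credentials), with the redirect-on-preflight and missing `Vary: Origin` caveats. The response header sets in the block are constructed; `https://attacker.example` stands in for any hostile origin.

```python
"""Classify a CORS probe response the way a browser would treat it.

Added example, not the scanner's code. The response header sets are
constructed; https://attacker.example stands in for any hostile origin.
"""


def classify_cors(origin: str, status: int, headers: dict) -> dict:
    """origin is the Origin: value the probe sent; headers is the response (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    vary_origin = "origin" in [v.strip().lower() for v in h.get("vary", "").split(",")]
    result = {"anon_read": False, "cred_read": False, "severity": "info", "notes": []}

    if 300 <= status < 400:
        result["notes"].append("redirect on the preflight: browsers do not follow it, so preflighted requests fail")
    if acao is None:
        result["notes"].append("no Access-Control-Allow-Origin: cross-origin scripts cannot read the body, "
                               "but simple requests are still sent, so CSRF defences remain necessary")
        return result
    if acao == "*":
        result["anon_read"] = True
        if creds:
            # Browsers refuse '*' together with credentials, but the intent is clearly wrong
            result["severity"] = "medium"
            result["notes"].append("wildcard plus allow-credentials: blocked by browsers today, fix the config anyway")
        else:
            result["severity"] = "low"
            result["notes"].append("wildcard: any site can read this response anonymously; fine only for public data")
    elif acao == origin:
        result["anon_read"] = True
        result["cred_read"] = creds
        result["severity"] = "high" if creds else "medium"
        result["notes"].append("probe origin reflected: the allowlist is effectively every origin")
        if not vary_origin:
            result["notes"].append("no Vary: Origin, so a shared cache can serve this reflected header to other origins")
    elif acao == "null":
        result["anon_read"] = origin == "null"
        result["cred_read"] = creds and origin == "null"
        result["severity"] = "high" if creds else "medium"
        result["notes"].append("'null' allowed: sandboxed iframes and data: URLs send Origin: null and match it")
    else:
        result["notes"].append(f"fixed allowlist ({acao}); probe origin not allowed")
    return result


if __name__ == "__main__":
    # What the probe above observed: a 301 and no access-control-* headers at all
    print(classify_cors("https://drwho.me", 301, {}))
    # Constructed worst case: origin reflected with credentials and no Vary header
    print(classify_cors("https://attacker.example", 200, {
        "Access-Control-Allow-Origin": "https://attacker.example",
        "Access-Control-Allow-Credentials": "true",
    }))
```

Run the probe twice in practice, once with an arbitrary origin and once with `Origin: null`; an allowlist that looks strict against the first can still match the second.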
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files (robots.txt, sitemap.xml, the head meta) are what an attacker reads first during reconnaissance. A Disallow list is not access control: it is a curated list of paths the site owner would rather not be indexed, which is exactly what a tester enumerates first. Stale sitemaps and verbose generator tags leak more than intended (ISO 27001 A.8.9).
robots.txt
present
# Greetings, human beings!,
#
# If you're sniffing around this file, and you're not a robot, we're looking to meet curious folks such as yourself.
#
# Think you have what it takes to join the best white-hat SEO growth hackers on the planet, and help improve the way people everywhere find jobs?
#
# Run - don't crawl - to apply to join Glassdoor's SEO team here http://jobs.glassdoor.com
#
#
#### Rules for ANY User-Agent
User-agent: *
Disallow: /*?*hostSite=*
Disallow: /1347171559/
Disallow: /about/board/
Disallow: /about/contact/
Disallow: /about/faq/
Disallow: /about/forCareerCenters/
Disallow: /about/forLibraries/
Disallow: /about/forStudents/
Disallow: /about/guidelines/
Disallow: /about/index/
Disallow: /about/jobs/
Disallow: /about/learn/
Disallow: /about/overview/
Disallow: /about/privacy/
Disallow: /about/syndicationCenter/
Disallow: /about/team/
Disallow: /about/terms/
Disallow: /about/widgetTerms/
Disallow: /ajax/
Disallow: /abtest
Disallow: /browse/
Disallow: /chat
Disallow: /Compare/choose
Disallow: /employerinfo/
Disallow: /employerInfo/
Disallow: /Explore/browse-companies
Disallow: /home/
Disallow: /integrations/facebook/glassdoor/eep
Disallow: /jobview/
Disallow: /legal/
Disallow: /lists/
Disallow: /more/
Disallow: /partner/
Disallow: /partner-center/
Disallow: /partners/company/
Disallow: /partners/insights/
Disallow: /partners/jobs/
Disallow: /partners/reports/
Disallow: /partners/resumeView
Disallow: /partners/settings/
Disallow: /parts
Disallow: /Polls
Disallow: /profile/
Allow: /profile/login_input.htm
Allow: /profile/joinNow_input.htm
Allow: /member/profile/login
Allow: /member/profile/joinNow
Disallow: /Resume/user-profile/
Disallow: /rss/*
Disallow: /search/
Disallow: /Search/
Disallow: /survey/
Disallow: /surveys
Disallow: /surveys/
Disallow: /util/
Disallow: /getAdSlotContentsAjax.htm
Disallow: /developer/index.htm
Disallow: /developer/widget/builder/
Disallow: /event-ingestion
Disallow: /employers/ec
Disallow: /employers/enhanced/billing_*
Disallow: /slink.htm
Disallow: /*encryptedUserId
Disallow: /*followId
Disallow: /*userValidationKey
Disallow: */trackClickAsync.htm
Disallow: /mz-survey/
Disallow: /user-activation/
Disallow: /member/
Disallow: /resume/build/
Disallow: /userprofile/
Disallow: /sourcing$
Disallow: /knowyourworth/
Disallow: /Reviews/index.htm?
Disallow: *filter.searchKeyword=
#logging related
Disallow: */lib$
Disallow: */lib/
Disallow: */globalize/
Disallow: */globalize$
Disallow: */ASCIISumThreshold$
Disallow: */LogClient$
Disallow: */MsgBuilder$
Disallow: */UserAgent$
Disallow: */Constants$
Disallow: */init/
Disallow: */init$
Disallow: */LogServer$
Disallow: */GDLogger$
Disallow: */gd-perf$
Disallow: */gd-site-hdr-dropdown$
Disallow: */bundles$
Disallow: */wait$
Disallow: */extend$
Disallow: */strings$
Disallow: */strings/
Disallow: */document$
Disallow: */*Ajax.htm
Disallow: */json$
Disallow: */json/
# Blocking track urls (ACQ-2468)
Disallow: /track
#Blocking non standard job view and job search URLs, and paginated job SERP URLs (TRFC-2831)
Disallow: /job-listing/*_IE*.htm
Disallow: /job-listing/JV.htm?*
Disallow: /Job/*_IP*
Disallow: /Job/bwl.htm
# TRFC-3125 Block 'sex jobs' jobs infosite pages from being indexed
Disallow: /Jobs/*-sex-*Jobs-EI*
# TRFC-4037 Block page from being indexed
Disallow: /Reviews/Barbizon-scam-*
# Block Glassdoor jobs. Intent is to remove misleading site links SERP. Details at TRFC-3197
Disallow: /Jobs/Glassdoor-Jobs-E100431.htm
# Blocking pagination on employer infosite TR-12
Disallow: /Jobs/*_P*.htm*
Disallow: /Jobs/*_IP*.htm*
Disallow: /Reviews/*_P*.htm*
Disallow: /Reviews/*_IP*.htm*
Allow: /Reviews/*-reviews-SRCH_*_IP2.htm*
Disallow: /Interview/*_P*.htm*
Disallow: /Interview/*_IP*.htm*
Disallow: /Benefits/*_IP*.htm*
Disallow: /Salaries/*_IP*.htm*
Allow: /Salaries/*_IP2.htm*
Allow: /Salaries/*_IP3.htm*
Allow: /Salaries/*_IP4.htm*
Allow: /Salaries/*_IP5.htm*
# Blocking bots from crawling DoubleClick for Publisher and Google Analytics related URL's (which aren't real URL's)
Disallow: /1060761/*
# Indeed callback only
Disallow:
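The reconnaissance reading of a robots.txt described above, as an added example that is not the scanner's code. It parses the file into per-user-agent rule groups (consecutive `User-agent` lines share one group; an empty `Disallow:` restricts nothing), then pulls out two things a tester wants: Disallow paths whose names suggest billing, identity or internal tooling, and the query-parameter names that wildcard rules such as `/*encryptedUserId` disclose. `ROBOTS_EXCERPT` is a subset of the robots.txt shown above; the keyword list in `SENSITIVE` is an assumption.

```python
"""Triage a robots.txt for reconnaissance value: which paths and parameters does it disclose?

Added example, not the scanner's code. ROBOTS_EXCERPT is a subset of the
robots.txt shown above; the keyword list in SENSITIVE is an assumption.
"""
import re

# Path fragments that suggest billing, identity or internal tooling (assumed keyword list)
SENSITIVE = re.compile(r"billing|resume|key|userid|ajax|util|partner|profile", re.I)
# Wildcard rules that name a query parameter: '/*encryptedUserId', '*filter.searchKeyword=', '/*?*hostSite=*'
PARAM = re.compile(r"\*\??\*?([A-Za-z][\w.]*)=|\*([A-Za-z]\w*)$")

ROBOTS_EXCERPT = """\
# Greetings, human beings!,
#### Rules for ANY User-Agent
User-agent: *
Disallow: /*?*hostSite=*
Disallow: /about/team/
Disallow: /ajax/
Disallow: /partners/resumeView
Disallow: /partners/settings/
Disallow: /profile/
Allow: /profile/login_input.htm
Disallow: /util/
Disallow: /getAdSlotContentsAjax.htm
Disallow: /employers/enhanced/billing_*
Disallow: /*encryptedUserId
Disallow: /*followId
Disallow: /*userValidationKey
Disallow: */*Ajax.htm
Disallow: /Jobs/*_P*.htm*
# Indeed callback only
Disallow:
"""


def parse_robots(text: str) -> dict:
    """Return {user_agent: [(directive, path), ...]}; consecutive User-agent lines share one rule set."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # rules already seen: this starts a new group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and agents:
            in_rules = True
            if value:                             # an empty Disallow: restricts nothing (RFC 9309)
                for agent in agents:
                    groups[agent].append((field, value))
    return groups


def triage(text: str, agent: str = "*") -> dict:
    """Summarise what the rules for one user-agent give away."""
    rules = parse_robots(text).get(agent, [])
    disallowed = [path for directive, path in rules if directive == "disallow"]
    params = []
    for path in disallowed:
        m = PARAM.search(path)
        if m:
            params.append(m.group(1) or m.group(2))
    return {
        "disallow_count": len(disallowed),
        "allow_count": sum(1 for directive, _ in rules if directive == "allow"),
        "sensitive": [path for path in disallowed if SENSITIVE.search(path)],
        "params": params,
    }


if __name__ == "__main__":
    summary = triage(ROBOTS_EXCERPT)
    print(f"{summary['disallow_count']} Disallow rules, {summary['allow_count']} Allow rules for '*'")
    print("paths worth a look:", *summary["sensitive"], sep="\n  ")
    print("parameter names disclosed:", ", ".join(summary["params"]))
```

The parameter names are the more useful output: `encryptedUserId`, `followId` and `userValidationKey` are worth testing for predictability and replay in the endpoints that accept them, and the billing and partner paths belong on the authenticated-access checklist, not just the crawler's ignore list.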
sitemap.xml
absent
head
title
Security | Glassdoor
description
—
social
no OpenGraph or Twitter meta tags found
fetched 2026-05-23T09:28:04.883Z
Grade: B
Mostly compliant · 4 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding first.
Pass: 11 · Warn: 4 · Fail: 0
What an auditor would flag first
medium · Security headers · 2 security header(s) missing · SOC 2 CC6.6, ISO 27001 A.14.1.2
low · DMARC · p=quarantine: receivers send failing mail to spam rather than rejecting it · SOC 2 CC6.7, ISO 27001 A.13.2.1
low · DKIM · 2/6 DKIM selectors valid · SOC 2 CC6.7
Need this as an artifact your auditor can verify?
Your glassdoor.com scan flagged 1 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire registration fails business-continuity evidence, and a domain that does lapse can be re-registered by anyone, taking the mail and web traffic with it (SOC 2 A1.2).