CAA record restricts certificate issuance

A CAA (Certification Authority Authorization) DNS record limits which CAs may issue certificates for the domain, reducing the blast radius of mis-issuance. Defense-in-depth — recommended, not mandatory.

Security · RFC 8659 (Certification Authority Authorization) · Advanced Security Audit

In short

No CAA record — any certificate authority may issue certificates for this domain. This check is fully automated — the scanner returns a definitive pass or fail.

How to fix it

Publish a CAA record naming only your authorized CA(s), e.g. `0 issue "digicert.com"`. Optionally add an "iodef" contact for violation reports.
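
The following Python example is added here and is not the scanner's own code. It shows how a CA evaluates a published CAA record set under RFC 8659, and goes beyond the one-line fix above by covering the climb to parent domains, `issuewild`, the deny-all value `";"` and the critical flag. The zone data, the `otherca.example` CA, the `account` parameter and all function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the page): CAA RDATA keyed by owner name.
ZONE = {
    "example.com": ['0 issue "digicert.com"', '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issue "digicert.com; account=12345"', '0 issuewild ";"'],
    "internal.example.com": ['0 issue ";"'],
    "legacy.example.com": ['128 futuretag "x"'],
}

RDATA = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse(rdata):
    """Split presentation-format CAA RDATA into (flags, tag, value)."""
    m = RDATA.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA RDATA: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(fqdn, zone):
    """RFC 8659 tree climb: first non-empty CAA RRset from fqdn toward the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse(r) for r in rrset]
    return []

def may_issue(ca_domain, name, zone=ZONE):
    """True if CAA permits ca_domain to issue for name (which may start with '*.')."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard names, issuewild (if present) replaces issue entirely.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # only iodef or no records: CAA does not restrict issuance
    # Value is "<issuer-domain>[; params]"; an empty issuer (";") authorizes nobody.
    issuers = {v.split(";")[0].strip().lower() for v in applicable} - {""}
    return ca_domain.lower() in issuers
```

Because of the tree climb, a record published at `example.com` also governs `www.example.com` unless the subdomain publishes its own CAA record set.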

Standards this maps to

Frameworks that require this

Advanced Security Audit

Severity

info — an advisory improvement.
