Why it matters: MX records direct inbound mail. A misconfigured MX silently breaks delivery, and an MX that points at a hostname you no longer control (an expired or unregistered name) lets whoever registers that host receive your inbound mail, password resets included (ISO 27001 A.8.21).
Why it matters: DMARC ties SPF and DKIM results to the visible From: domain and turns them into an enforceable policy (quarantine or reject), while aggregate reports show who is sending as you. No record means spoofing succeeds silently; `p=none` reports it but blocks nothing (SOC 2 CC6.7).
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any host can forge the envelope-from of your domain, the exact-domain spoofing used in many business-email-compromise and phishing campaigns (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can verify the signing domain and detect tampering. A missing selector or a rotated-away key breaks DMARC alignment for every message signed with it and lets receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Confirm which DKIM selectors your outbound mail is actually signed with (the s= tag of a recent message's DKIM-Signature header), then re-add any of those selector records that were removed or rotated away in your DNS provider. Selectors no sender uses need no record.
Why it matters: MTA-STS lets a domain publish a policy telling sending MTAs to require TLS with a valid certificate when delivering to its MX hosts, and to refuse to fall back to plaintext. Without it, an in-path attacker can strip STARTTLS and read or alter mail in transit (SOC 2 CC6.7).
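As an added worked example (not the scanner's or GitLab's code), the checks behind the SPF, DKIM, DMARC and MTA-STS findings above, run over constructed record strings instead of live DNS answers. The domain names, selectors and MX hosts in it are placeholders; the logic is what a practitioner would apply to the real records.

```python
"""Judge mail-authentication records from their raw TXT strings.

Added example for this report, not the scanner's or GitLab's code. The records
below are constructed; in practice feed in the TXT answers your resolver returns
for <domain>, _dmarc.<domain>, <selector>._domainkey.<domain>, _mta-sts.<domain>,
and the policy body fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""
import re
from typing import Optional

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS TXT) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def judge_dmarc(record: Optional[str]) -> dict:
    """Enforcing means p=quarantine or p=reject applied to 100% of mail."""
    if record is None:
        return {"present": False, "enforcing": False, "reports": False}
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    return {
        "present": tags.get("v") == "DMARC1",
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100,
        "reports": "rua" in tags,  # aggregate reports are how you see spoofing attempts
    }


def judge_spf(record: Optional[str]) -> dict:
    """Count lookup-causing terms (RFC 7208 allows at most 10) and read the 'all' qualifier."""
    if record is None or not record.lower().startswith("v=spf1"):
        return {"present": False}
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        lookups += name in SPF_LOOKUP_TERMS
        if name == "all":
            all_qualifier = qualifier
    return {
        "present": True,
        "lookups": lookups,
        "too_many_lookups": lookups > 10,  # receivers answer permerror: no protection at all
        "all": all_qualifier,
        "open": all_qualifier == "+",  # +all authorises every host on the internet
    }


def judge_dkim(selector_records: dict) -> dict:
    """selector -> TXT or None. Valid means a record whose p= public key is non-empty."""
    result = {"valid": [], "revoked": [], "missing": []}
    for selector, record in selector_records.items():
        if record is None:
            result["missing"].append(selector)
        elif parse_tags(record).get("p", "") == "":
            result["revoked"].append(selector)  # empty p= is how RFC 6376 revokes a key
        else:
            result["valid"].append(selector)
    return result


def mx_matches(host: str, pattern: str) -> bool:
    """MTA-STS mx patterns allow one leading '*' that covers exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def judge_mta_sts(txt: Optional[str], policy_text: str, mx_hosts: list) -> dict:
    """The policy only protects mail if mode is enforce and every MX host is covered."""
    if txt is None or parse_tags(txt).get("v") != "STSv1":
        return {"present": False, "enforcing": False}
    fields, patterns = {}, []
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "mx":
                patterns.append(value)
            else:
                fields[key] = value
    uncovered = [h for h in mx_hosts if not any(mx_matches(h, p) for p in patterns)]
    return {
        "present": True,
        "mode": fields.get("mode"),
        "enforcing": fields.get("mode") == "enforce" and not uncovered,
        "uncovered_mx": uncovered,  # mail to these hosts can still be downgraded
    }


# Constructed sample answers (not the real gitlab.com records).
SAMPLE = {
    "spf": "v=spf1 include:_spf.example.net include:mail.example.org ip4:203.0.113.0/24 mx -all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dkim": {"s1": "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA", "s2": "v=DKIM1; k=rsa; p=", "google": None},
    "mta_sts_txt": "v=STSv1; id=20240601T000000",
    "mta_sts_policy": "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.example.net\nmax_age: 604800",
    "mx": ["mail.example.com", "mx2.example.net", "backup.example.org"],
}
```

Run `judge_dmarc(SAMPLE["dmarc"])` and the other three on SAMPLE to see the verdicts: the constructed domain reports but does not enforce DMARC, one of three DKIM selectors is revoked and one absent, and its MTA-STS policy is in testing mode with an MX host the policy does not cover, so a downgrade against that host would go unnoticed.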
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses so validating resolvers can reject forged or cache-poisoned answers. US federal civilian agencies have been required to sign their .gov zones since OMB M-08-23 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel, add the resulting DS record at your registrar, and confirm the chain validates before relying on it (a validating resolver should return the AD flag for the zone; a mistyped or stale DS makes the whole zone fail validation).
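The recommendation above hinges on the DS at the registrar matching the DNSKEY the provider actually serves. As an added example (not the scanner's code), this recomputes the DS from a DNSKEY the way RFC 4034 specifies and compares it with a candidate DS record, so a typo or a leftover from a key rollover is caught before it is published. The DNSKEY used here is constructed: flags 257 (KSK), algorithm 13 (ECDSAP256SHA256), and 64 key bytes 0x01..0x40 that are not a real curve point; example.com is a placeholder zone.

```python
"""Recompute a DS record from a DNSKEY and compare it with the DS at the registrar.

Added example for this report, not the scanner's code. A mistyped DS, or one
left over from a key rollover, breaks the chain of trust and validating
resolvers answer SERVFAIL for the whole zone. RFC 4034 s5.1.4 defines the DS
digest as hash(owner name in canonical wire form || DNSKEY RDATA); Appendix B
defines the key tag. The DNSKEY below is constructed (flags 257 = KSK,
algorithm 13 = ECDSAP256SHA256, key bytes 0x01..0x40, not a real curve point).
"""
import base64
import hashlib
import struct

DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # digest type 1 (SHA-1) deliberately omitted


def owner_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, terminated by the root."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: the 16-bit tag resolvers use to pick the matching DNSKEY."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
            digest_type: int = 2) -> str:
    """Return the DS presentation record '<keytag> <algorithm> <digesttype> <HEXDIGEST>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64.replace(" ", "")))
    digest = DS_DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(zone: str, dnskey_record: str, ds_record: str) -> bool:
    """dnskey_record is the RDATA as dig prints it: 'flags protocol algorithm base64key'."""
    flags, protocol, algorithm, key = dnskey_record.split(maxsplit=3)
    ds_tag, ds_alg, ds_dtype, ds_digest = ds_record.split()
    if int(ds_dtype) not in DS_DIGESTS:
        return False  # unknown or deprecated digest type: do not trust it
    computed = make_ds(zone, int(flags), int(protocol), int(algorithm), key, int(ds_dtype))
    return computed.split() == [ds_tag, ds_alg, ds_dtype, ds_digest.upper()]


# Constructed DNSKEY for the placeholder zone; SAMPLE_DS is what you would paste at the registrar.
SAMPLE_ZONE = "example.com"
SAMPLE_PUBKEY = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_DNSKEY = f"257 3 13 {SAMPLE_PUBKEY}"
SAMPLE_DS = make_ds(SAMPLE_ZONE, 257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print("DNSKEY:", SAMPLE_DNSKEY)
    print("DS:    ", SAMPLE_DS)
    print("match: ", ds_matches(SAMPLE_ZONE, SAMPLE_DNSKEY, SAMPLE_DS))
```

With a real zone, paste the DNSKEY RDATA from `dig DNSKEY <zone>` into `ds_matches` together with the DS your registrar shows; a False result means resolvers will not be able to build the chain. SHA-1 (digest type 1) is refused on purpose, since validators are phasing it out.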
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid, current TLS certificate is the baseline for protecting data in transit. Expiry, an untrusted or weak chain, or a hostname mismatch break HTTPS and fail PCI DSS 4.2.1 / SOC 2 CC6.1.
subject cn: gitlab.com
issuer: Sectigo Public Server Authentication CA DV R36 / Sectigo Limited
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
no CORS headers — browsers block cross-origin reads of the response by default
Why it matters: Overly permissive CORS (a reflected Origin together with Allow-Credentials: true, or allowing the `null` origin) lets any site read authenticated responses from this domain in the victim's browser. A bare wildcard exposes only unauthenticated responses, since browsers refuse `*` alongside credentials, but it still signals an unmanaged policy. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://domainposture.com
method: GET
preflight status: 200
access-control-* headers:
access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —
no access-control-* headers returned — site does not advertise CORS to this origin
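A single probe from one origin, like the one recorded above, cannot distinguish an allowlist from a server that reflects any Origin; that needs at least one probe from an origin the server has no reason to trust. As an added example (not the scanner's or GitLab's code), this classifies a set of probe results and shows the reflecting server beside the exact-match allowlist that fixes it. The origins, server functions and allowlist are constructed; OBSERVED_GITLAB reproduces the empty result the report recorded.

```python
"""Tell an allowlisted CORS deployment from a reflected-Origin one, and show the
server-side check that avoids the dangerous shapes.

Added example for this report, not code from the scanner or from GitLab. The
server functions and probe origins are constructed; OBSERVED_GITLAB mirrors what
the probe above recorded for gitlab.com: no access-control-* headers at all.
"""

# Origins the server has no reason to trust. The lookalike catches prefix/suffix string
# checks; "null" catches servers that allow sandboxed-iframe and file: origins.
UNTRUSTED_ORIGINS = ("https://attacker.example", "https://app.example.com.attacker.example", "null")
TRUSTED_PROBE = "https://app.example.com"
PROBE_ORIGINS = (TRUSTED_PROBE,) + UNTRUSTED_ORIGINS
OBSERVED_GITLAB = {"https://domainposture.com": {}}  # from the report above: no CORS headers returned


def classify_cors(probes: dict) -> dict:
    """probes maps each Origin sent -> response headers received (header names case-insensitive)."""
    norm = {o: {k.lower(): v for k, v in h.items()} for o, h in probes.items()}
    acao = {o: h.get("access-control-allow-origin") for o, h in norm.items()}
    creds = {o: h.get("access-control-allow-credentials", "").lower() == "true" for o, h in norm.items()}
    if all(v is None for v in acao.values()):
        return {"verdict": "not advertised", "authenticated_read": False}
    if any(v == "*" for v in acao.values()):
        # Browsers refuse '*' next to credentials, so cookies never ride along; any origin can
        # still read unauthenticated responses, and ACAC=true here shows a misconfigured server.
        return {"verdict": "wildcard", "authenticated_read": False, "misconfigured": any(creds.values())}
    leaking = [o for o in UNTRUSTED_ORIGINS if acao.get(o) == o and creds.get(o, False)]
    if leaking:
        return {"verdict": "reflected origin with credentials", "authenticated_read": True, "via": leaking}
    if any(acao.get(o) == o for o in UNTRUSTED_ORIGINS):
        return {"verdict": "reflected origin", "authenticated_read": False}
    return {"verdict": "allowlisted", "authenticated_read": False,
            "trusted": sorted(o for o in probes if acao[o] == o)}


ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed first-party apps
CREDENTIALED = {"Access-Control-Allow-Credentials": "true", "Vary": "Origin"}


def reflecting_server(origin: str) -> dict:
    """The bug: echo whatever Origin arrives. Any site the user visits can now read their data."""
    return {"Access-Control-Allow-Origin": origin, **CREDENTIALED}


def allowlisted_server(origin: str) -> dict:
    """The fix: exact-match allowlist. Unknown origins get no header, so the browser blocks the read."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, **CREDENTIALED}


def probe(server, origins) -> dict:
    """Send each Origin to a server function and collect the response headers, as a scanner would."""
    return {o: server(o) for o in origins}
```

Against a live target the probe step is the only part that changes: send the same Origin values as request headers and pass the responses' header maps to `classify_cors`. Note that `Vary: Origin` belongs in both server variants; without it a shared cache can serve one origin's allow header to another.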
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. A plain-text fallback or an open redirect anywhere in the chain fails PCI DSS 4.2.1 and feeds phishing chains (SOC 2 CC6.6).
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
# See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: *
# Disallow: /
# Add a 1 second delay between successive requests to the same server, limits resources used by crawler
# Only some crawlers respect this setting, e.g. Googlebot does not
# Crawl-delay: 1
# Based on details in https://gitlab.com/gitlab-org/gitlab/blob/master/config/routes.rb,
# https://gitlab.com/gitlab-org/gitlab/blob/master/spec/routing, and using application
# Global routes
User-Agent: *
Disallow: /autocomplete/users
Disallow: /autocomplete/projects
Disallow: /search
Disallow: /admin
Disallow: /profile
Disallow: /dashboard
Disallow: /users
Disallow: /api/v*
Disallow: /help
Disallow: /s/
Disallow: /-/profile
Disallow: /-/profile/
Disallow: /-/user_settings/
Disallow: /-/ide/
Disallow: /-/experiment
# Restrict allowed routes to avoid very ugly search results
Allow: /users/sign_in
Allow: /users/sign_up
Allow: /users/*/snippets
# Generic resource routes like new, edit, raw
# This will block routes like:
# - /projects/new
# - /gitlab-org/gitlab-foss/issues/123/-/edit
User-Agent: *
Disallow: /*/new
Disallow: /*/edit
Disallow: /*/raw
Disallow: /*/realtime_changes
# Group details
User-Agent: *
Disallow: /groups/*/-/analytics
Disallow: /groups/*/-/analytics/
Disallow: /groups/*/-/insights/
Disallow: /groups/*/-/issues_analytics
Disallow: /groups/*/-/contribution_analytics
Disallow: /groups/*/-/group_members
Disallow: /groups/*/-/saml/
Disallow: /groups/*/-/saml_group_links
Disallow: /groups/*/-/settings/
Disallow: /groups/*/-/billings
Disallow: /groups/*/-/hooks
Disallow: /groups/*/-/projects
# Project details
User-Agent: *
Disallow: /*/*.git$
Disallow: /*/*.git/*
Disallow: /*/archive/
Disallow: /*/repository/archive*
Disallow: /*/activity
Disallow: /*/-/project_members
Disallow: /*/-/blame/
Disallow: /*/-/branches
Disallow: /*/-/commits/
Disallow: /*/-/commit
Disallow: /*/commit/*.patch
Disallow: /*/commit/*.diff
Disallow: /*/-/compare/
Disallow: /*/-/network/
Disallow: /*/path_locks
Disallow: /*/merge_requests/*.patch
Disallow: /*/merge_requests/*.diff
Disallow: /*/merge_requests/*/diffs
Disallow: /*/services
Disallow: /*/uploads/
Disallow: /*/-/import
Disallow: /*/-/requirements_management/
Disallow: /*/-/pipelines
Disallow: /*/-/pipeline_schedules
Disallow: /*/-/jobs
Disallow: /*/-/ci/
Disallow: /*/-/quality/
Disallow: /*/-/licenses
Disallow: /*/-/security/
Disallow: /*/-/dependencies
Disallow: /*/-/audit_events
Disallow: /*/-/on_demand_scans
Disallow: /*/-/feature_flags
Disallow: /*/-/ml/
Disallow: /*/-/environments
Disallow: /*/-/clusters
Disallow: /*/-/terraform
Disallow: /*/-/terraform_module_registry
Disallow: /*/-/*/configuration
Disallow: /*/-/error_tracking
Disallow: /*/-/metrics
Disallow: /*/-/alert_management
Disallow: /*/-/incidents
Disallow: /*/-/oncall_schedules
Disallow: /*/-/escalation_policies
Disallow: /*/-/*/service_desk
Disallow: /*/-/analytics
Disallow: /*/-/analytics/
Disallow: /*/-/value_stream_analytics
Disallow: /*/-/graphs/
Disallow: /*/insights/
Disallow: /*/-/pipelines/
Disallow: /*/-/settings/
Disallow: /*/-/hooks
Disallow: /*/-/usage_quotas
sitemap.xml
present — 419 url(s)
head
title
Finally, AI for the entire software lifecycle.
description
Your intelligent orchestration platform for DevSecOps
social
og:type
website
og:title
Finally, AI for the entire software lifecycle.
og:description
Your intelligent orchestration platform for DevSecOps
twitter:creator
@GitLab
fetched 2026-06-04T03:19:13.004Z
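The robots.txt shown above is the first thing a reconnaissance script reads: every Disallow line is the site naming a path it would rather not have indexed. As an added example (not the scanner's or GitLab's code), this parses a robots.txt, lists the disallowed paths, flags the sensitive-looking ones, and resolves Allow/Disallow overlaps by the longest-match rule of RFC 9309, which is why /users/sign_in stays crawlable although /users is blocked. The excerpt is a cut-down copy of the file above with most rules omitted; the keyword list is an assumption about what counts as sensitive.

```python
"""Parse a robots.txt the way a reconnaissance script does: list what the site
itself says it does not want indexed, flag the sensitive-looking paths, and
resolve Allow/Disallow conflicts by RFC 9309 longest-match precedence.

Added example for this report, not code from the scanner or from GitLab. The
excerpt below is a cut-down copy of the gitlab.com robots.txt shown above (most
rules omitted); SENSITIVE_KEYWORDS is an assumption about what counts as sensitive.
"""
import re

ROBOTS_EXCERPT = """\
User-Agent: *
Disallow: /admin
Disallow: /users
Disallow: /api/v*
Disallow: /-/user_settings/
Allow: /users/sign_in
User-Agent: *
Disallow: /groups/*/-/saml/
Disallow: /groups/*/-/hooks
Disallow: /groups/*/-/billings
User-Agent: *
Disallow: /*/*.git$
Disallow: /*/-/audit_events
Disallow: /*/-/security/
"""

SENSITIVE_KEYWORDS = ("admin", "saml", "hook", "billing", "settings", "audit", "security", "api", ".git")


def parse_robots(text: str) -> list:
    """Return (user_agent, directive, pattern) triples, skipping comments and blank lines."""
    rules, agent = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            agent = value
        elif field in ("allow", "disallow") and agent is not None:
            rules.append((agent, field, value))
    return rules


def pattern_to_regex(pattern: str):
    """'*' matches any run of characters and a trailing '$' anchors the end; otherwise prefix match."""
    anchored = pattern.endswith("$")
    body = re.escape(pattern[:-1] if anchored else pattern).replace(r"\*", ".*")
    return re.compile("^" + body + ("$" if anchored else ""))


def is_blocked(path: str, rules: list, agent: str = "*") -> bool:
    """RFC 9309: the longest matching pattern wins; on a tie, Allow beats Disallow."""
    best = None  # (pattern length, is_allow)
    for rule_agent, directive, pattern in rules:
        if rule_agent != agent or not pattern or not pattern_to_regex(pattern).match(path):
            continue
        candidate = (len(pattern), directive == "allow")
        if best is None or candidate > best:
            best = candidate
    return best is not None and not best[1]


def recon_summary(text: str) -> dict:
    """What the file advertises: every disallowed path, the explicit allows, and the sensitive subset."""
    rules = parse_robots(text)
    disallowed = sorted({p for _, d, p in rules if d == "disallow" and p})
    allowed = sorted({p for _, d, p in rules if d == "allow"})
    sensitive = [p for p in disallowed if any(k in p.lower() for k in SENSITIVE_KEYWORDS)]
    return {"disallowed": disallowed, "allowed": allowed, "sensitive": sensitive}
```

Point `recon_summary` at a fetched robots.txt to get the attacker's-eye list; `is_blocked` is what a well-behaved crawler computes, and the gap between the two (paths the site names but does not otherwise protect) is the finding worth chasing. A Disallow line is advisory only, so anything listed there still needs real authorization on the server.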
A-
Audit-ready · 3 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 12 · Warn 3 · Fail 0
What an auditor would flag first
low · DKIM · 1/6 DKIM selectors valid · SOC 2 CC6.7
low · Security headers · 5 security header(s) missing · SOC 2 CC6.6, ISO 27001 A.14.1.2
low · DNSSEC · DNSSEC not configured — no DS or DNSKEY records found · SOC 2 CC6.6, ISO 27001 A.13.1.1
Need this as an artifact your auditor can verify?
Your gitlab.com scan flagged 3 low findings. The pack covers the apex plus up to 100 CT-discovered subdomains, is Ed25519-signed with an ISO 8601 timestamp, and is delivered in 10–30 minutes.