Our platform checks all publicly queried hostnames but cannot tell whether a scanned hostname is a CNAME. To reassess the findings, we need to confirm the DNS pair that shows the asset is a CNAME target. We can't act on assets used as a "front door" because doing so could lead to security risks and set a bad precedent.
When a CNAME is scanned, the Support team can implement a rule to skip checks on the Common Name and Subject Alternative Name fields during SSL Certificate scans for the relevant domains. As a result, findings related to Certificate Name Mismatch will be cleared, and the overall rating will be recalculated. This ensures the scan results accurately reflect the CNAME configuration without unnecessary warnings. While these findings are removed, all other SSL Configuration findings will be flagged as usual.
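The DNS pair mentioned above can be checked against the certificate before a reassessment is requested. The following is an added example, not the platform's own code: it parses dig-style answer lines for the CNAME pair and tests whether the certificate's SAN list covers the alias but not the scanned target. The hostnames, DNS answer, SAN list and function names are constructed, and it assumes the served certificate is issued for the alias.

```python
# Constructed sample data: hostnames, DNS answer and SAN list are illustrative only.
DIG_ANSWER = """\
www.example.com.             300 IN CNAME example-com.cdn.example.net.
example-com.cdn.example.net.  60 IN A     192.0.2.10
"""
CERT_SANS = ["www.example.com", "*.example.com"]


def norm(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def cname_pairs(answer_text):
    """Return (alias, target) pairs from dig-style answer lines."""
    pairs = []
    for line in answer_text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            pairs.append((norm(fields[0]), norm(fields[4])))
    return pairs


def san_matches(hostname, san):
    """Match one SAN entry; a wildcard covers exactly one leftmost label."""
    host, san = norm(hostname), norm(san)
    if san.startswith("*."):
        rest = host.split(".", 1)
        return len(rest) == 2 and rest[1] == san[2:]
    return host == san


def covered(hostname, sans):
    """True if any SAN entry matches the hostname."""
    return any(san_matches(hostname, s) for s in sans)


def cname_evidence(asset, answer_text, sans):
    """Return the (alias, target) pair explaining a name mismatch on asset, else None."""
    if covered(asset, sans):
        return None  # certificate already matches the asset: no mismatch to explain
    for alias, target in cname_pairs(answer_text):
        if target == norm(asset) and covered(alias, sans):
            return (alias, target)
    return None


if __name__ == "__main__":
    print(cname_evidence("example-com.cdn.example.net", DIG_ANSWER, CERT_SANS))
```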