Domain & Email
Security Assessment

MX: meridiandefence-com-au.mail.protection.outlook.com
TLSA lookup: _25._tcp.meridiandefence-com-au.mail.protection.outlook.com → No records

Note: Microsoft 365 does not natively support DANE for inbound mail. DANE for SMTP is supported for outbound connections only as of March 2024.

Netier Recommendation: While Microsoft 365 does not support inbound DANE, configure outbound DANE validation in Exchange Online via PowerShell:

Set-TransportConfig -DnsSec Enabled

For full DANE compliance, consider deploying a dedicated MTA gateway (e.g., Sophos Email Gateway) in front of Exchange Online that supports TLSA records. Netier can architect and deploy this as part of the Email Security Enhancement service.

Mobile Lighthouse Scores:
  Performance: 72 (threshold: 80+)
  LCP: 3.2s (threshold: ≤2.5s)
  TBT: 180ms (threshold: ≤200ms — marginal)
  CLS: 0.08 (threshold: ≤0.1 — passing)
  Speed Index: 3.5s (threshold: ≤3.4s — marginal)

Desktop Performance: 88 (passing)

Netier Recommendation: Engage Netier's Web Performance Optimisation service to:
1. Implement lazy loading for below-fold images and iframes
2. Defer non-critical JavaScript execution (reduce TBT)
3. Serve WebP/AVIF images via Cloudflare Polish (already on Cloudflare)
4. Enable Cloudflare Rocket Loader for JavaScript optimisation
5. Configure Cloudflare Image Resizing for responsive images

Estimated improvement: 72 → 85+ with Cloudflare optimisations alone.

DNS lookup: default._bimi.meridiandefence.com.au → No records

Prerequisites met:
  ✓ DMARC p=reject (required for BIMI)
  ✓ DKIM signing active (required for BIMI)
  ✗ VMC (Verified Mark Certificate) — required for Gmail/Apple Mail logo display

Netier Recommendation: Implement BIMI in two phases:

Phase 1 (Immediate, 30 min):
  Add DNS TXT record: default._bimi.meridiandefence.com.au
  Value: v=BIMI1; l=https://meridiandefence.com.au/.well-known/logo.svg
  Host the SVG logo in Tiny PS format at the specified URL.

Phase 2 (2-4 weeks):
  Obtain a Verified Mark Certificate (VMC) from DigiCert or Entrust.
  Cost: ~$1,500 AUD/year. Requires a registered trademark.
  Update BIMI record: v=BIMI1; l=<svg-url>; a=<vmc-url>

Netier can manage the VMC procurement and DNS configuration as part of the Email Security service.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.meridiandefence.com.au; ...

Present directives: default-src, script-src, style-src, img-src, font-src, frame-ancestors, base-uri, form-action, upgrade-insecure-requests
Missing: object-src, media-src, worker-src

Netier Recommendation: Replace 'unsafe-inline' with CSP nonces or hashes:

1. Generate a random nonce per request in the application server
2. Add nonce to CSP header: script-src 'self' 'nonce-{random}' https://cdn.meridiandefence.com.au
3. Add nonce attribute to all inline <script> tags: <script nonce="{random}">
4. Add missing directives: object-src 'none'; media-src 'self'; worker-src 'self'

Netier's Web Application Security team can implement this during the next scheduled maintenance window.

Current CSP directives (9): default-src, script-src, style-src, img-src, font-src, frame-ancestors, base-uri, form-action, upgrade-insecure-requests

Missing (3): object-src, media-src, worker-src

Recommended additions:
  object-src 'none' — blocks Flash/Java plugins
  media-src 'self' — restricts audio/video sources
  worker-src 'self' — restricts service worker origins

Netier Recommendation: Add the missing directives to the Cloudflare Transform Rule or application header configuration:

object-src 'none'; media-src 'self'; worker-src 'self'

This is a low-risk, high-value change that can be deployed via Cloudflare dashboard without application changes. Netier can implement this within a standard change window (15 minutes).

strict-transport-security: max-age=31536000; includeSubDomains; preload

HSTS Preload Status: Not on preload list
Preload requirements met:
  ✓ max-age ≥ 31536000
  ✓ includeSubDomains present
  ✓ preload directive present
  ✗ Submitted to hstspreload.org

Netier Recommendation: Submit meridiandefence.com.au to the HSTS preload list:

1. Visit https://hstspreload.org
2. Enter meridiandefence.com.au
3. Confirm all subdomains support HTTPS (verify: autodiscover, mail, portal, vpn, intranet, dev, staging)
4. Submit for inclusion

Processing time: 2-4 weeks for list inclusion, then distributed via browser updates.

⚠️ WARNING: Preload is permanent. Ensure ALL subdomains serve valid HTTPS before submitting. Netier should audit all 12 known subdomains first.

Discovered subdomains (12):
  www, mail, autodiscover, sip, lyncdiscover,
  enterpriseregistration, enterpriseenrollment,
  portal, vpn, intranet, dev, staging

High-interest subdomains:
  dev.meridiandefence.com.au — Development environment
  staging.meridiandefence.com.au — Staging environment
  intranet.meridiandefence.com.au — Internal portal
  vpn.meridiandefence.com.au — VPN gateway

Netier Recommendation:
1. Verify dev/staging are behind Cloudflare Access (Zero Trust) — restrict to Netier and Meridian IP ranges
2. Ensure intranet is not publicly accessible — should resolve to internal IP only or be behind Zero Trust
3. Review VPN endpoint hardening (certificate-based auth, MFA)
4. Consider removing dev/staging from public DNS if they're internal-only (use split-horizon DNS)

Netier can configure Cloudflare Access policies for all sensitive subdomains as part of the Zero Trust deployment.

MTA-STS Policy:
  version: STSv1
  mode: enforce
  mx: meridiandefence-com-au.mail.protection.outlook.com
  max_age: 604800 (7 days)

Recommended: max_age ≥ 2592000 (30 days)
Best practice: max_age = 31557600 (1 year)

Netier Recommendation: Update the MTA-STS policy file at https://mta-sts.meridiandefence.com.au/.well-known/mta-sts.txt:

version: STSv1
mode: enforce
mx: meridiandefence-com-au.mail.protection.outlook.com
max_age: 31557600

Update the DNS TXT record _mta-sts.meridiandefence.com.au with a new id value to trigger cache refresh.

This is a 5-minute change with no risk.

security.txt contents:
  Contact: security@meridiandefence.com.au
  Expires: 2027-03-06T00:00:00.000Z
  Preferred-Languages: en
  Canonical: https://meridiandefence.com.au/.well-known/security.txt
  Policy: https://meridiandefence.com.au/security-policy

Missing: Encryption field (PGP key URL)

Netier Recommendation: Generate a dedicated GPG key for security disclosures and add to security.txt:

1. gpg --full-generate-key (RSA 4096, security@meridiandefence.com.au)
2. Export public key: gpg --armor --export security@meridiandefence.com.au > security-pgp.asc
3. Host at: https://meridiandefence.com.au/.well-known/security-pgp.asc
4. Add to security.txt: Encryption: https://meridiandefence.com.au/.well-known/security-pgp.asc

Estimated effort: 30 minutes.

Cookie: meridian_session
  Secure: true ✓
  HttpOnly: true ✓
  SameSite: Lax (recommended: Strict for defence applications)
  Path: /
  Domain: meridiandefence.com.au

Netier Recommendation: Update the session cookie configuration to use SameSite=Strict. Test thoroughly as Strict may break OAuth/SSO redirect flows.

If SSO redirects break with Strict, consider a dual-cookie pattern:
  - Session cookie: SameSite=Strict (primary authentication)
  - SSO redirect cookie: SameSite=Lax (temporary, short-lived)

Netier can implement and test this during the next application maintenance window.

x-xss-protection: 0

Note: Setting to '0' is correct per modern security guidance:
  - Chrome removed XSS Auditor in v78 (Oct 2019)
  - Mozilla never implemented it in Firefox
  - The auditor could be weaponised for information leakage
  - CSP provides superior XSS protection

However, some automated scanning tools flag '0' as a finding.

No action required. The current setting of '0' is correct and follows OWASP and Mozilla security guidance. The Content-Security-Policy header provides comprehensive XSS protection.

Note for compliance: If an auditor or scanner flags this, reference:
  - OWASP: 'The X-XSS-Protection header has been deprecated and should be set to 0'
  - MDN: 'Non-standard; Chrome removed the XSS Auditor in Chrome 78'

CT Log Analysis:
  Total certificates logged: 47
  Certificate Issuers:
    - Let's Encrypt (web, wildcard — automated via Cloudflare)
    - DigiCert Inc (mail.meridiandefence.com.au — Exchange Online)

  Recent certificates:
    *.meridiandefence.com.au — Let's Encrypt (Jan 2026)
    meridiandefence.com.au — Let's Encrypt (Jan 2026)
    mail.meridiandefence.com.au — DigiCert (Nov 2025)

No immediate action required. The dual-issuer pattern is expected:
  - Let's Encrypt: Cloudflare edge certificates (auto-renewed)
  - DigiCert: Microsoft 365 mail certificates (managed by Microsoft)

Netier Recommendation: Ensure CAA records restrict issuance to only these two CAs (already configured ✓). Monitor CT logs via https://crt.sh/?q=meridiandefence.com.au for unexpected issuances.

DNSSEC: Enabled ✓
DS records present in parent zone (.com.au)
Cloudflare manages DNSSEC signing automatically

Note: .com.au is a DNSSEC-signed TLD (auDA requirement since 2021)

No action required. DNSSEC is correctly configured and maintained by Cloudflare.

SPF: v=spf1 include:spf.protection.outlook.com include:_spf.sophos.com ip4:203.45.67.0/24 -all
  Qualifier: hardfail (-all) ✓
  Lookup count: 4/10 ✓

DKIM: 3 selectors found (selector1, selector2, sophos) ✓
  selector1: RSA 2048-bit (Microsoft 365)
  selector2: RSA 2048-bit (Microsoft 365)
  sophos: RSA 2048-bit (Sophos Email Gateway)

DMARC: v=DMARC1; p=reject; rua=mailto:...; ruf=mailto:...; fo=1; adkim=s; aspf=s; pct=100
  Policy: reject ✓
  Alignment: strict (adkim=s, aspf=s) ✓
  Reporting: aggregate + forensic ✓
  Coverage: 100% ✓

No action required. Email authentication is at maximum enforcement. Continue monitoring DMARC reports for authentication failures.

Netier manages DMARC reporting via the Managed Email Security service, with monthly aggregate analysis and incident response for authentication failures.

MTA-STS DNS Record: v=STSv1; id=20260215T000000 ✓
MTA-STS Mode: enforce ✓
MTA-STS Policy File: accessible ✓
TLS-RPT: v=TLSRPTv1; rua=mailto:tls-rpt@meridiandefence.com.au ✓

MTA-STS enforces that sending servers must:
  1. Connect via TLS (not plaintext)
  2. Verify the MX certificate matches the policy
  3. Report failures to the TLS-RPT address

No action required. MTA-STS and TLS-RPT are correctly configured.

Note: Consider increasing max_age from 604800 (7 days) to 31557600 (1 year) — see finding MDS-008.

Security Headers Present (8/9):
  ✓ Strict-Transport-Security (max-age=31536000; includeSubDomains; preload)
  ✓ Content-Security-Policy (comprehensive policy with 9 directives)
  ✓ X-Frame-Options (DENY)
  ✓ X-Content-Type-Options (nosniff)
  ✓ Referrer-Policy (strict-origin-when-cross-origin)
  ✓ Permissions-Policy (camera, microphone, geolocation, payment restricted)
  ✓ X-XSS-Protection (0 — correct modern setting)
  ✓ Cache-Control (present via Cloudflare)

  ✗ Cross-Origin-Embedder-Policy (not set)

Header Score: 89% (A)

Optional enhancement: Add Cross-Origin-Embedder-Policy header for cross-origin isolation:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

⚠️ Test thoroughly — COEP can break third-party resources (images, scripts, iframes) that don't set CORS headers. Only enable if the site doesn't embed external resources.