Background
Parked domains are domains that are not in use. For example, a domain may have been purchased so that it cannot be used maliciously or bought by anyone else, or it may simply no longer be in use. Such domains are parked with the hosting company where they were purchased. They hold no data, only a default parked page that the hosting company creates to show that the domain is unused.
https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf
Rules for Parked Domains and Issue Resolution:
- Only findings in the Application Security category are covered by this article.
- If the parked domain resolves to any site, that site must have HTTPS (SecurityScorecard would not accept refutes in the HTTPS category if the domains resolved).
- The parked domain must not redirect to an active website. If the parked domain redirects to the company site, the issues will not be allowed for removal.
  (Valid parked domain: Domain Register page is served)
  (Invalid parked domain: Redirection to the main company site)
- If there is a nameserver configured on the parked domain, it must have an SPF record.
- If there is no nameserver configured on the parked domain, SecurityScorecard will accept resolution on the SPF record finding.
- There are no active subdomains on the parked domain.
- Correctly attributed parked domains will not be removed from the scorecard digital footprint.
If all the above conditions are met, SecurityScorecard's current policies only allow the removal of issues under the Application Security category for the domains in question.
SecurityScorecard recommends having security headers in place, but for parked assets this is not mandatory.
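The rules listed above can be checked before a refute is submitted. This is an added example, not SecurityScorecard's own code, that evaluates DNS and HTTP observations already collected for a domain against those rules. The domain names, the observation fields (`nameservers`, `txt`, `http_chain`, `active_subdomains`) and the `ACTIVE_SITES` list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def has_spf(txt_records):
    # An SPF record is a TXT record whose first term is the version tag "v=spf1".
    return any(t.strip().lower().split(None, 1)[:1] == ["v=spf1"] for t in txt_records)

def host_in(host, sites):
    # True if host is one of the sites or a subdomain of one.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in sites)

def check_parked(obs, active_sites):
    """Return the rules from the article that the observed domain fails."""
    failures = []
    chain = obs.get("http_chain", [])  # URLs visited in order; empty if nothing answers
    if chain:
        if urlsplit(chain[-1]).scheme != "https":
            failures.append("resolves to a site without HTTPS")
        if any(host_in(urlsplit(u).hostname, active_sites) for u in chain[1:]):
            failures.append("redirects to an active website")
    # With no nameserver configured, the SPF finding is accepted as resolved.
    if obs.get("nameservers") and not has_spf(obs.get("txt", [])):
        failures.append("nameserver configured but no SPF record")
    if obs.get("active_subdomains"):
        failures.append("has active subdomains")
    return failures

# Constructed observations (assumed field names, reserved .example names).
ACTIVE_SITES = ["corp.example"]
SAMPLES = {
    "parked-ok.example": {
        "nameservers": ["ns1.registrar.example"], "txt": ["v=spf1 -all"],
        "http_chain": ["https://parked-ok.example/"], "active_subdomains": [],
    },
    "parked-redirect.example": {
        "nameservers": ["ns1.registrar.example"], "txt": ["verification=constructed"],
        "http_chain": ["http://parked-redirect.example/", "https://www.corp.example/"],
        "active_subdomains": ["shop.parked-redirect.example"],
    },
    "parked-nodns.example": {
        "nameservers": [], "txt": [], "http_chain": [], "active_subdomains": [],
    },
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(name, check_parked(obs, ACTIVE_SITES) or "meets the listed rules")
```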