core.app

.app crawl

First seen 2026-04-13 · Last seen 2026-05-07 · ok HTTP/1.1 200 1539 ms crawled 2026-05-07

US · 104.18.35.56 · AS13335 Cloudflare, Inc.

Reputation 100/100

Classifying

HTML metadata

Title: Best Avalanche (AVAX) Wallet and Portfolio
Description: Your home for exploring Avalanche and beyond. Native Bitcoin Bridge. Supports all EVMs. No fees or middlemen.
Language: en-US
Canonical: https://core.app/

Open Graph

url: https://core.app/
title: Best Avalanche (AVAX) Wallet and Portfolio
description: Your home for exploring Avalanche and beyond. Native Bitcoin Bridge. Supports all EVMs. No fees or middlemen.

Technology

CDN: Cloudflare

Analytics

Cloudflare Insights

Fonts

Google Fonts

Third-party hosts loaded (3)

fonts.googleapis.com×2
fonts.gstatic.com×1
static.cloudflareinsights.com×1

Contact

Phone

39285714285714

DNS records live

NS

nile.ns.cloudflare.com
rihana.ns.cloudflare.com

MX

1 aspmx.l.google.com
10 alt3.aspmx.l.google.com
10 alt4.aspmx.l.google.com
5 alt1.aspmx.l.google.com
5 alt2.aspmx.l.google.com

TXT

google-site-verification=e9w4KKnaK_UNuzA_afguX6hgfV_cOc9LQ62CdeJuYyU

Email authentication strong

SPF

v=spf1 include:_spf.google.com include:7522520.spf04.hubspotemail.net ~all

softfail (~all)

DMARC

v=DMARC1; p=reject;rua=mailto:monitor@avalabs.org,mailto:avalabs@rua.netcraft.com; ruf=mailto:avalabs@ruf.netcraft.com

policy: reject (enforced)

DKIM

s1: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4uPedjcRo806+yiuM1dAbyehbM+3x4+JnYIETjMB0yVSaGJVyEVoXPchiar35mxe0uqbL7b08fKBkPXDFU…
s2: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmW7u+HkA58W3r9ylCmd3D5W+FVyXsZrtjvxjQkd9qjRAT3KvPkU/3JXcsXCko9j+OI97bJjOH2bg/Q+GQR…

selectors probed

Certificate (current)

WE1

from 2026-04-21 to 2026-07-20

Expires in 62 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 85/100 Checked live page: https://core.app/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options
referrer-policy
cross-origin-opener-policy

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources
missing Permissions Policy

Header values

referrer-policy: no-referrer
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: default-src 'self' https://*.avax.network https://*.avax-test.network;font-src 'report-sample' 'self' https://core.app https://fonts.gstatic.com;img-src 'self' data: blob: https: ipfs:;object-src 'none';script-src 'report-sample' 'self' 'strict-dynamic' 'nonce-aab1752fcd979bd91cf901e81b7023d2' https://static.cloudflareinsights.com https://www.recaptcha.net https://www.google.com https://gstatic.com https://*.googletagmanager.com https://*.google-analytics.com https://static.ads-twitter.com https://ads-twitter.com https://ads-api.twitter.com https://analytics.twitter.com;script-src-attr 'nonce-aab1752fcd979bd91cf901e81b7023d2';style-src 'self' https: 'unsafe-inline';connect-src 'self' data: https: wss: ipfs:;frame-src 'self' https://www.youtube.com https://www.google.com https://www.recaptcha.net https://recaptcha.google.com https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.com https://secure.walletconnect.org https://app.halliday.xyz https:/
strict-transport-security: max-age=31536000000
cross-origin-opener-policy: same-origin-allow-popups

Links to (2)

apple.com×2
google.com×2

Linked from (2)

avalabs.org×2
blockaid.io×1