Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (68/100) — missing: Permissions-Policy · weak: content-security-policy
── output ─────
security_score: 68
HTTP 200 · https://www.bol.com/nl/nl/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents protocol downgrade attacks.
// The value below covers this host for one year (31536000 seconds); it carries no includeSubDomains or preload directive, so subdomains are not covered and the site is not eligible for browser preload lists.
max-age=31536000
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
// Graded weak here: script-src allows 'unsafe-eval', 'unsafe-inline', blob: and data:, and style-src allows 'unsafe-inline', which lets injected inline script and style run and largely cancels the XSS protection the policy is meant to give.
connect-src https://*.adtrafficquality.google https://*.adyen.com https://*.akstat.io https://*.doubleclick.net https://*.google-analytics.com https://*.google.com https://*.googlesyndication.com https://*.gstatic.com https://*.kobo.com https://*.mpstat.us https://*.s-bol.com https://*.sentry.io https://aai.bol.com https://api.bol.com https://bat.bing.com https://bat.bing.net https://beta.bol.com https://c.go-mpulse.net https://chat1.bol.com https://chatr.bol.com https://fbstatic-a.akamaihd.net https://firefly.bol.com https://google.com https://googleadservices.com https://rsproxy.bol.com https://spoor.bol.com https://suggestions.bol.com https://swa.bol.com https://txrx.bol.com https://www.bol.com https://www.google.be https://www.google.nl https://www.googleadservices.com;
default-src https://beta.bol.com https://tpc.googlesyndication.com https://www.bol.com;
font-src blob: data: https://*.s-bol.com https://beta.bol.com https://fonts.gstatic.com https://partner.bol.com https://www.bol.com;
frame-src blob: https://*.2mdn.net https://*.adtrafficquality.google https://*.adyen.com https://*.akstat.io https://*.doubleclick.net https://*.mpstat.us https://*.safeframe.googlesyndication.com https://*.youtube-nocookie.com https://beta.bol.com https://chat1.bol.com https://chatr.bol.com https://info.bol.com https://platform.twitter.com https://s-static.ak.facebook.com https://tpc.googlesyndication.com https://www.bol.com https://www.facebook.com https://www.google.com;
img-src blob: data: https://*.2mdn.net https://*.adtrafficquality.google https://*.adyen.com https://*.akstat.io https://*.contentstack.com https://*.contentstack.eu https://*.doubleclick.net https://*.google-analytics.com https://*.google.be https://*.google.nl https://*.krxd.net https://*.moatads.com https://*.mpstat.us https://*.s-bol.com https://adservice.google.be https://adservice.google.com https://adservice.google.nl https://bat.bing.com https://bat.bing.net https://beta.bol.com https://bol.com https://bol.ugc.bazaarvoice.com https://cbks0.googleapis.com https://cbks1.googleapis.com https://cdn.kobo.com https://csi.gstatic.com https://ds-aksb-a.akamaihd.net https://fbstatic-a.akamaihd.net https://getbook.kobo.com https://img.youtube.com https://kbimages1-a.akamaihd.net https://khms0.googleapis.com https://khms1.googleapis.com https://m.bol.com https://maps.googleapis.com https://maps.gstatic.com https://media.bol.com https://mts0.googleapis.com https://mts1.googleapis.com https://pagead2.googlesyndication.com https://partner.bol.com https://photos-eu.bazaarvoice.com https://platform.twitter.com https://ssl.gstatic.com https://static.bol.com https://swa.bol.com https://syndication.twitter.com https://tpc.googlesyndication.com https://txrx.bol.com https://weblog.bol.com https://www.bol.com https://www.facebook.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.ups.com;
manifest-src https://assets.s-bol.com https://static.bol.com;
media-src blob: https://*.contentstack.com https://*.contentstack.eu https://*.kobo.com https://*.phononet.de https://*.s-bol.com https://beta.bol.com https://rovimusic.rovicorp.com https://static.bol.com https://www.bol.com;
object-src https://beta.bol.com https://www.bol.com;
script-src 'unsafe-eval' 'unsafe-inline' blob: data: https://*.2mdn.net https://*.adtrafficquality.google https://*.adyen.com https://*.doubleclick.net https://*.google-analytics.com https://*.krxd.net https://*.moatads.com https://*.s-bol.com https://aai.bol.com https://adservice.google.be https://adservice.google.com https://adservice.google.nl https://ajax.googleapis.com https://apis.google.com https://bat.bing.com https://beta.bol.com https://bol.com https://c.go-mpulse.net https://cbks0.googleapis.com https://cdn.ampproject.org https://cdn.syndication.twimg.com https://cdn.syndication.twitter.com https://chat1.bol.com https://connect.facebook.net https://ds-aksb-a.akamaihd.net https://fbstatic-a.akamaihd.net https://firefly.bol.com https://googleadservices.com https://maps.googleapis.com https://maps.gstatic.com https://mts0.googleapis.com https://mts1.googleapis.com https://pagead2.googlesyndication.com https://partner.bol.com https://partner.googleadservices.com https://platform.twitter.com https://static.bol.com https://tpc.googlesyndication.com https://translate.googleapis.com https://txrx.bol.com https://weblog.bol.com https://www.bol.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://www.googletagservices.com https://www.gstatic.com;
style-src 'unsafe-inline' blob: https://*.s-bol.com https://beta.bol.com https://bol.com https://fonts.googleapis.com https://gstatic.com https://partner.bol.com https://platform.twitter.com https://static.bol.com https://txrx.bol.com https://www.bol.com;
worker-src blob: https://beta.bol.com https://www.bol.com;
frame-ancestors 'self';
report-to csp-endpoints;
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
SAMEORIGIN
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much of the referring URL is sent in the Referer header on outgoing requests and navigations.
strict-origin-when-cross-origin
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security