Security Headers Checker

HTTP 200 · https://www.bunq.com/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.bunq.com *.visualwebsiteoptimizer.com *.thisgreencolumn.com *.googletagmanager.com *.google-analytics.com *.analytics.google.com *.googlesyndication.com *.doubleclick.net *.google.com framerusercontent.com framer.com *.framer.com *.framerstatic.com *.framerforms.com *.taboola.com *.licdn.com *.redditstatic.com *.ads-twitter.com analytics.tiktok.com sc-static.net *.facebook.net *.snapchat.com *.contentsquare.net *.contentsquare.com www.youtube.com s.ytimg.com; style-src 'self' 'unsafe-inline' *.bunq.com *.googleapis.com framerusercontent.com; img-src 'self' data: blob: *.bunq.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.googlesyndication.com *.doubleclick.net *.google.com *.googleadservices.com *.google.nl *.visualwebsiteoptimizer.com *.thisgreencolumn.com framerusercontent.com *.adjust.com *.ads.linkedin.com *.reddit.com t.co analytics.twitter.com *.facebook.com *.contentsquare.net i.ytimg.com; font-src 'self' data: *.gstatic.com framerusercontent.com; media-src 'self' *.bunq.com framerusercontent.com; connect-src 'self' *.bunq.com *.s3.amazonaws.com *.adjust.com *.visualwebsiteoptimizer.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.googlesyndication.com *.doubleclick.net *.google.com *.googleadservices.com *.thisgreencolumn.com *.framer.com *.framerstatic.com framerusercontent.com *.framerforms.com *.instatus.com *.reddit.com *.taboola.com *.ads.linkedin.com *.snapchat.com *.tiktokw.us analytics.tiktok.com *.facebook.com *.contentsquare.net *.contentsquare.com *.az.contentsquare.net; frame-src 'self' *.googletagmanager.com framer.com *.bunq.com *.snapchat.com *.contentsquare.com www.youtube.com www.youtube-nocookie.com; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security