~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ OK ]
Strong security headers (80/100) — weak: content-security-policy.
── output ─────
80
security_score
HTTP 200 · https://www.kpn.com/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
connect-src 'self' *.kpn.com kpn.com *.kpn.org *.adobetm.com edge.adobedc.net *.googletagmanager.com *.amplitude.com region1.analytics.google.com cloud.51degrees.com *.customersaas.com *.google-analytics.com *.analytics-google.com *.mouseflow.com kpn.api.ruwido.com api-agendaplanner.kpnretail.nl scripts.kpn.nl pastease.mopinion.com kpn.mopinion.com deploy.mopinion.com cacheorcheck.mopinion.com survey.mopinion.com kpn-compleet-fpi-info.fourstack.nl wss://*.twilio.com https://*.twilio.com https://*.demdex.net https://assets.adobedtm.com *.tt.omtrdc.net https://adobeioruntime.net emea1-proxy.adobemc.com wss://*.kpn.com/chat-engine *.cookielaw.org *.onetrust.com www.pingvp.com kpn.pingvp.com https://pingvp.com *.insided.com *.algolia.net *.algolia.com fonts.googleapis.com maps.googleapis.com *.linkedin.com *.licdn.com *.useinsider.com cloud.51degrees.com https://kpngroup.emsecure.net https://*.arcgis.com https://*.arcgisonline.nl https://kpnnl.maps.arcgis.com *.doubleclick.net *.qelpcare.com https://kpn-com-forms-upload-limbo-nonprod.s3.amazonaws.com/ https://kpn-com-forms-upload-limbo-prod.s3.amazonaws.com/ *.ctfcloud.net *.invote.nl https://api.eu.amplitude.com https://web.braintainment.com *.contentsquare.net *.contentsquare.com https://heapanalytics.com https://*.ingest.de.sentry.io https://www.googleadservices.com https://www.google.com https://pagead2.googlesyndication.com *.bing.com; default-src 'self' *.kpn.com *.kpn.org; font-src 'self' *.kpn.com *.kpn.org www.pingvp.com kpn.pingvp.com https://pingvp.com fonts.gstatic.com gstatic.mopinion.com *.customersaas.com *.insided.com *.algolia.net *.algolia.com fonts.googleapis.com *.useinsider.com https://web.braintainment.com https://heapanalytics.com data:; frame-ancestors 'self' mijnzakelijk.kpn.com www.grip-on-it.com https://app.contentful.com https://*.rooom.com https://virtuelewinkel.kpn.com; frame-src 'self' *.kpn.com *.kpn.org *.adobetm.com *.googletagmanager.com *.doubleclick.net callmenow.eu3.vanadaloha.net rpv.reviva.nl portal.bp.nu www.youtube.com www.youtube-nocookie.com kpngroup.emsecure.net kpn.mopinion.com kpn-mini.speedtestcustom.com kpn-itns.speedtestcustom.com www.pingvp.com kpn.pingvp.com https://pingvp.com reload.alphacomm.network www.grip-on-it.com https://*.demdex.net emea1-proxy.adobemc.com www.facebook.com *.onetrust.com *.atdmt.com *.adservice.google.nl tagmanager.google.com www.linkedin.com *.useinsider.com https://kpnnl.maps.arcgis.com https://open.spotify.com https://*.rooom.com https://virtuelewinkel.kpn.com https://embed-standalone.spotify.com https://sonata.aklamio.com; img-src 'self' blob: data: *.kpn.org *.ctfassets.net *.kpn.com *.customersaas.com www.google.nl www.google.com www.facebook.com *.doubleclick.net adservice.google.com invitation.opinionbar.com www.pingvp.com kpn.pingvp.com https://pingvp.com d35v9wsdymy32b.cloudfront.net csi.gstatic.com maps.gstatic.com maps.googleapis.com kpn.com fonts.googleapis.com *.analytics-google.com *.google-analytics.com d3mwk3f7r8fv9u.cloudfront.net d6tizftlrpuof.cloudfront.net cms-images.s3.amazonaws.com kpncomvod.download.kpnstreaming.nl w.usabilla.com www.telfort.nl mobielshop.test.marketingmakers.nl fra1.digitaloceanspaces.com cacheorcheck.mopinion.com survey.mopinion.com https://*.demdex.net https://assets.adobedtm.com https://*.arcgis.com https://*.arcgisonline.nl opt.objectiveportal.com *.cookielaw.org *.onetrust.com *.atdmt.com *.adservice.google.nl *.linkedin.com *.licdn.com p.adsymptotic.com api.useinsider.com kpnnl.api.useinsider.com *.dwin1.com *.bing.com *.112.2o7.net https://web.braintainment.com https://horizon-cms.s3.eu-central-1.amazonaws.com *.contentsquare.net https://heapanalytics.com https://www.googleadservices.com; media-src 'self' kpncomvod.download.kpnstreaming.nl *.kpn.com pingmediavod.download.kpnstreaming.nl kpn.pingvp.com https://pingvp.com https://pingvp.pingvp.com/ media.licdn.com *.ctfassets.net; object-src 'self' https://kpnnl.maps.arcgis.com; script-src 'nonce-20mdkyfYPXC5PWH9b3SHujMn' 'strict-dynamic' https://pingvp.com/z/* https://web.braintainment.com/* *.contentsquare.net app.contentsquare.com https://cdn.heapanalytics.com https://heapanalytics.com; style-src 'unsafe-inline' 'self' *.kpn.com *.kpn.org d1r5etm691cejh.cloudfront.net *.customersaas.com d6tizftlrpuof.cloudfront.net fonts.mopinion.com kpn.mopinion.com tagmanager.google.com *.googletagmanager.com cacheorcheck.mopinion.com survey.mopinion.com *.insided.com *.algolia.net *.algolia.com fonts.googleapis.com *.licdn.com www.pingvp.com kpn.pingvp.com https://pingvp.com *.useinsider.com https://www.gstatic.com https://kpngroup.emsecure.net https://web.braintainment.com https://heapanalytics.com; upgrade-insecure-requests
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
DENY
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
strict-origin-when-cross-origin
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
camera=(), display-capture=(), fullscreen=self "https://www.youtube.com", geolocation=self, microphone=()