Security Headers Checker

HTTP 200 · https://n26.com/en-eu

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubDomains; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

report-uri /report-csp;report-to /report-csp;base-uri 'self';child-src number26://* *.n26.com n26.com *.doubleclick.net pixel.mathtag.com n26.go2cloud.org www.googletagmanager.com *.youtube-nocookie.com youtube-nocookie.com boards.greenhouse.io;connect-src 'self' https://spc.n26.com * https://*.logs.datadoghq.eu;font-src 'self' data:;img-src https://spc.n26.com 'self' data: images.ctfassets.net images.contentful.com * *.greenhouse.io;media-src videos.contentful.com videos.ctfassets.net;object-src 'none';style-src 'unsafe-inline' 'self' tagmanager.google.com;script-src 'self' cdn.number26.de 'unsafe-inline' * connect.facebook.net *.youtube-nocookie.com s.ytimg.com youtube-nocookie.com youtube.com boards.greenhouse.io datadoghq.eu datadoghq-browser-agent.com cdn.cookielaw.org;worker-src 'self';default-src *;frame-ancestors app.contentful.com 'self' *.n26.com;frame-src *.n26.com www.googletagmanager.com *.doubleclick.net www.youtube-nocookie.com boards.greenhouse.io job-boards.greenhouse.io

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ PRESENT ]

// Restricts which browser features (camera, mic, etc.) the page can use.

accelerometer=(), autoplay=(self), camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()