Security Headers Checker

HTTP 200 · https://www.o2online.de/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=15552000

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

object-src 'none'; child-src blob: *; worker-src blob: *; frame-ancestors 'self' https://tv.o2online.de https://deploy.mca.tid.es https://deploy.tid.es https://*.o2.de https://*.o2.com https://*.o2online.de https://*.telefonica.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tiktok.com *.o2.com *.o2.de *.spatialbuzz.com *.usercentrics.eu *.baqend.com *.o2online.de *.telefonica.de *.o9.de *.googletagmanager.com *.trbo.com *.google-analytics.com *.kampyle.com *.adoberesources.net *.matelso.de *.contentsquare.net *.contentsquare.com bat.bing.com *.nowinteract.com *.demoup.com *.auracognitive.com *.adtelligence.de *.aklamio.com *.promisejs.org *.usabilla.com *.jsdelivr.net *.cloudflare.com *.abtasty.com *.blob.core.windows.net *.blau.o9.de *.blau.de *.ad4m.at track.adform.net www.facebook.com *.doubleclick.net a.twiago.com www.youtube.com o2-music-cms-a.preprod.ava-digi.de www.google.co.in dpm.demdex.net embeddable-widgets.insided.com www.google-analytics.com imagesrv.adition.com *.google.com dsum-sec.casalemedia.com rtb-csync.smartadserver.com ih.adscale.de trc.taboola.com ad11.adfarm1.adition.com ad4m.at *.spatialbuzz.net *.sprinklr.com https://s2.adform.net;

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security