Security Headers Checker

HTTP 200 · https://www.sparkasse.de/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubDomains; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src 'self' amazon-adsystem.com *.amazon-adsystem.com paa-reporting-advertising.amazon *.paa-reporting-advertising.amazon; script-src 'unsafe-inline' 'unsafe-eval' 'self' www.googletagmanager.com www.yellowmap.de cdn.yellowmap.de cdn.trustcommander.net www.youtube.com www.google-analytics.com *.doubleclick.net connect.facebook.net assets.adobedtm.com adobedc.demdex.net edge.adobedc.net *.adform.net static.hotjar.com script.hotjar.com *.amazon-adsystem.com t23.intelliad.de *.outbrain.com *.helixjobs.com bt.fraud0.com *.fraud0.com; style-src 'self' 'unsafe-inline' cdn.yellowmap.de static.hotjar.com script.hotjar.com *.helixjobs.com; connect-src 'self' *.sparkasse.de autocomplete.smartmaps.cloud events.flagship.io *.yellowmap.de *.trustcommander.net *.commander1.com *.google-analytics.com *.analytics.google.com *.doubleclick.net *.sparkassen-finanzportal.de eu-api.friendlycaptcha.eu www.facebook.com assets.adobedtm.com adobedc.demdex.net edge.adobedc.net *.hotjar.com *.hotjar.io wss://*.hotjar.com www.google.com/ccm/collect *.paa-reporting-advertising.amazon *.amazon-adsystem.com *.sentry.io api.sparkassen-mediacenter.de cdn.sparkassen-mediacenter.de sparkassen-mediacenter.de *.outbrain.com *.fraud0.com; img-src data: 'self' 'unsafe-inline' i.ytimg.com map.iib-institut.de *.yellowmaps.eu tiles.smartmaps.cloud www.yellowmap.de *.sparkasse.de *.trustcommander.net *.commander1.com img.youtube.com *.google-analytics.com *.analytics.google.com www.googletagmanager.com www.google.com www.google.de api.sparkassen-mediacenter.de kvp-skmc.dbc-gmbh.com *.doubleclick.net images.podigee-cdn.net feeds.sparkassen-finanzportal.de events.flagship.io www.facebook.com widgets.kununu.com assets.kununu.com alias.maptoolkit.net cdn.sparkassen-mediacenter.de static.hotjar.com script.hotjar.com survey-images.hotjar.com api.immobilie1.de cdn.immobilie1.de *.outbrain.com *.fraud0.com portal.fio.de cdnihddipa.cloudimg.io; media-src 'self' blob: api.sparkassen-mediacenter.de cdn.sparkassen-mediacenter.de sparkassen-mediacenter.de kvp-skmc.dbc-gmbh.com youtu.be www.youtube.com youtube.com; frame-src data: 'self' cdn.trustcommander.net widget.civey.com sparkasse.linda-chatbot.de www.youtube.com player.podigee-cdn.net td.doubleclick.net www.googletagmanager.com s-tag.sparkasse.de *.amazon-adsystem.com *.helixjobs.com; font-src data: 'self' webfonts.sparkasse.de cdn.yellowmap.de *.hotjar.com; object-src 'self'; manifest-src 'self'; worker-src 'self' blob:; frame-ancestors 'none';

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

origin

[ PRESENT ]

// Restricts which browser features (camera, mic, etc.) the page can use.

fullscreen=(self "https://www.youtube.com" "https://youtu.be"), geolocation=(self), camera=(), microphone=()