Security Headers Checker

HTTP 200 · https://www.zoho.com/nl/?sredirect=true

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=64072000; includeSubDomains; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.zohostatic.jp https://*.zohopublic.jp https://maillist-manage.com https://www.buzzsprout.com https://*.nimbuspop.com https://*.zoho.com https://*.google.com https://cdnjs.cloudflare.com https://platform.twitter.com https://player.vimeo.com https://*.maillist-manage.com https://*.manageengine.com https://*.pagesense.io https://*.zapier.com https://*.zoho.com.au https://*.zoho.eu https://*.zoho.in https://*.zoho.jp https://*.zoho.sa https://*.zohocdn.com https://*.zohocloud.ca https://*.zohostatic.com https://*.zohowebstatic.com https://cdn.ampproject.org https://cdn.checkhq.com https://fast.wistia.com https://run.pstmn.io https://www.youtube.com https://www.youtube-nocookie.com https://*.zoho.ae https://*.zohopublic.com https://*.zohopublic.in https://*.zohopublic.eu https://*.zohosalesiq.com https://*.zohocorp.com https://*.zohoexternal.in https://*.zohoexternal.com https://*.zoho.uk https://*.catalystserverless.in https://*.catalystserverless.com https://*.zohobookings.com https://*.zohobookings.eu https://*.zohobookings.in https://*.zohocdn.com.cn https://*.scoreapp.com;connect-src 'self' blob: https://*.zohopublic.jp https://*.zohostratus.com https://*.zoho.in https://*.zoho.com https://*.zoho.com.au https://*.zoho.eu https://*.zoho.jp https://*.zohocloud.ca https://*.zoho.uk https://*.zoho.sa https://*.zoho.ae https://*.zohosalesiq.com https://*.zohocorp.com https://*.zohoexternal.in https://*.zohoexternal.com https://*.zohostatic.com https://*.wistia.com https://*.maillist-manage.com https://*.maillist-manage.in https://*.maillist-manage.eu https://*.catalystserverless.in https://*.catalystserverless.com https://*.zapier.com https://api.github.com https://player.vimeo.com https://twitter.com https://*.zohocdn.com https://*.zohopublic.com https://*.zohopublic.in wss://*.zohopublic.jp wss://*.zohopublic.in wss://*.zohopublic.eu wss://vts.zohopublic.com https://*.zohowebstatic.com https://*.zohobookings.com https://*.zohobookings.eu https://*.zohobookings.in https://*.zohocdn.com.cn https://*.zohopublic.eu https://*.scoreapp.com https://*.cdn.pagesense.io https://*.zohoportal.in https://*.cdn-in.pagesense.io;frame-src 'self' blob: https://*.nimbuspop.com https://www.manageengine.in https://www.manageengine.com https://www.manageengine.eu https://www.manageengine.com.au https://www.buzzsprout.com https://*.zohobookings.com https://*.zohobookings.eu https://*.zohobookings.in https://anchor.fm https://*.zohosites.com https://*.spotify.com https://platform.twitter.com https://player.captivate.fm https://player.vimeo.com https://vimeo.com https://*.soundcloud.com https://www.google.com https://www.youtube.com https://www.youtube-nocookie.com https://*.zohoshowtime.com https://*.maillist-manage.com https://*.maillist-manage.eu https://*.pagesense.io https://*.zoho.ae https://*.zoho.com https://*.zoho.com.au https://*.zoho.eu https://*.zoho.in https://*.zoho.jp https://*.zoho.sa https://*.zohocdn.com https://*.zohocloud.ca https://*.zohopublic.com https://*.zohopublic.in https://*.zohosalesiq.com https://*.zohocorp.com https://*.zohoexternal.in https://*.zohoexternal.com https://*.zohowebstatic.com https://*.zohostatic.com https://*.zoho.uk https://*.catalystserverless.in https://*.catalystserverless.com https://*.zohocdn.com.cn https://*.zohopublic.eu https://*.scoreapp.com https://capture.navattic.com https://*.campaign-view.in https://*.campaign-view.com https://*.campaign-view.eu https://*.zohopublic.jp;

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security