HTTP Headers Analysis for https://auc.dk

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15768000; includeSubdomains; preload;

Content-Security-Policy

Good

default-src; font-src; script-src; +7 more

default-src 'self' https://*.aau.dk https://*.azurewebsites.net https://*.dropbox.com https://*.dropboxusercontent.com https://podcastpusher.com https://*.doubleclick.net https://*.fonts.net https://*.linkedin.com https://*.facebook.com https://*.snapchat.com https://*.google.com https://*.youtube.com https://*.twitter.com https://*.survey-xact.dk https://*.microsoftonline.com https://*.office.com https://*.gstatic.com https://*.cookieinformation.com; font-src 'self' data: fonts.gstatic.com; script-src https://www.clarity.ms https://cxppusa1formui01cdnsa01-endpoint.azureedge.net/ https://www.clarity.ms/tag/n87ghf3gw4?ref=gtm2 https://www.googletagmanager.com/ https://www.youtube-nocookie.com 'self' 'unsafe-inline' https://*.scratcher.io https://*.elfsightcdn.com https://*.snapchat.com https://*.readpeak.com https://*.sc-static.net https://*.licdn.com https://*.google.com https://*.googleapis.com https://*.elfsight.com https://*.googletagmanager.com https://*.google-analytics.com https://*.facebook.net https://*.twitter.com https://*.cookieinformation.com https://*.youtube.com https://*.vimeo.com; connect-src https://dc.services.visualstudio.com https://widget-data.service.elfsight.com https://core.service.elfsight.com https://public-eur.mkt.dynamics.com https://cxppusa1formui01cdnsa01-endpoint.azureedge.net/ https://assets-eur.mkt.dynamics.com/ 'self' wss://aau-its-caai-shared-haandbog-prod.azurewebsites.net/ https://prod-aaudxp-vacancy-app.azurewebsites.net/ wss://aau-its-caai-studieservice-adgangstjek-prod.azurewebsites.net https://*.azurewebsites.net https://*.elfsightcdn.com https://*.aau.dk https://*.licdn.com https://*.linkedin.com https://*.google.com https://*.doubleclick.net https://*.snapchat.com https://*.oribi.io https://*.analytics.google.com https://*.googleapis.com https://*.elfsight.com https://*.google-analytics.com https://*.cookieinformation.com; img-src 'self' data: image/* https://*.aau.dk https://*.plan2learn.dk https://*.elfsight.com https://*.linkedin.com https://*.licdn.com https://*.googletagmanager.com https://*.google-analytics.com https://*.ivanenko.workers.dev https://*.taboola.com https://*.doubleclick.net https://*.adnxs.com https://*.readpeak.com https://*.google.dk https://*.gstatic.com https://*.dropbox.com https://*.dropboxusercontent.com https://*.google.com https://*.twimg.com https://*.facebook.com https://*.vimeocdn.com https://*.ytimg.com https://*.youtube.com https://*.googleapis.com https://*.elfsightcdn.com; frame-src https://kuula.co https://madsheiselberg.github.io https://copilotstudio.preview.microsoft.com https://login.windows.net https://login.windows.net/ https://aaublanketterdev.powerappsportals.com/ http://mfc-print03.aau.dk https://assets-eur.mkt.dynamics.com/ https://www.clarity.ms https://serviceinfo.dk 'self' https://www.youtube-nocookie.com/ https://www.googletagmanager.com/ https://public-eur.mkt.dynamics.com https://*.geckobooking.dk https://*.powerapps.com https://*.cobe.dk https://*.powerbi.com https://*.scratcher.io https://*.youtube.com https://*.plandisc.com https://*.moodle.aau.dk https://*.matterport.com https://*.microsoftonline.com https://*.360company.dk https://*.snapchat.com https://*.doubleclick.net https://*.spotify.com https://*.google.com https://*.vercel.app https://*.serviceinfo.dk https://*.libraryh3lp.com https://*.aau.dk https://*.facebook.com https://*.survey-xact.dk *.svc.dynamics.com https://*.office.com https://*.kuula.co https://*.cookieinformation.com https://*.vimeo.com; style-src 'self' 'unsafe-inline' https://*.google.com https://*.googleapis.com; base-uri 'self'; form-action 'self' https://*.facebook.com; frame-ancestors 'none';

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

no-referrer, strict-origin-when-cross-origin

Permissions-Policy

Present

geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'

Performance Headers

2 headers

Connection

Performance

keep-alive

Vary

Performance

Accept-Encoding

Caching Headers

2 headers

Cache-Control

Caching

s-maxage=60, stale-while-revalidate

Etag

Caching

"ryfteywtlv5igi"

Content Headers

2 headers

Content-Length

Content

257694

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Next.js

CORS Headers

3 headers

Access-Control-Allow-Headers

Cors

aau-search-url, X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version

Access-Control-Allow-Methods

Cors

GET,OPTIONS,POST

Access-Control-Allow-Origin

Cors

*

Cookies Headers

1 headers

Set-Cookie

Cookies

ARRAffinitySameSite=cbc831ce47266eb6d483c838d82ace921a429d976bcf91839973f3abcbd2e75c;Path=/;HttpOnly;SameSite=None;Secure;Domain=www.aau.dk

Other Headers

24 headers

Client-Ip

Other

[fd40:4bde:12:6e2b:7912:100:a4c:1f04]:36334

Date

Other

Fri, 21 Nov 2025 00:58:55 GMT

Disguised-Host

Other

www.aau.dk

Host

Other

www.aau.dk

Max-Forwards

Other

10

Original-Path

Other

/

User-Agent

Other

mint/1.7.1

Was-Default-Hostname

Other

prod-aaudxp-website-001-app.azurewebsites.net

X-Appservice-Proto

Other

https

X-Arr-Log-Id

Other

fa50a57f-dc6b-4196-ab5f-5c83349893aa

X-Arr-Ssl

Other

2048|256|CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US|CN=*.azurewebsites.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US

X-Client-Ip

Other

10.76.31.4

X-Client-Port

Other

0

X-Forwarded-For

Other

64.34.81.174, 10.76.31.4

X-Forwarded-Host

Other

www.aau.dk

X-Forwarded-Port

Other

8080

X-Forwarded-Proto

Other

https

X-Forwarded-Tlsversion

Other

1.3

X-Middleware-Rewrite

Other

/_sites/aHR0cHM6Ly93d3cuYWF1LmRr/ISR/

X-Nextjs-Cache

Other

HIT

X-Original-Url

Other

/

X-Real-Ip

Other

64.34.81.174

X-Site-Deployment-Id

Other

prod-aaudxp-website-001-app

X-Waws-Unencoded-Url

Other

/

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology