HTTP Headers Analysis for https://bcu.ac.uk

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Basic

script-src; style-src; img-src; +1 more

script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://bcucdn.azureedge.net/ https://tagmanager.google.com/ https://www.googletagmanager.com/ https://az416426.vo.msecnd.net/ https://*.doubleclick.net/ https://www.youtube.com/ https://www.google-analytics.com/ https://www.googleadservices.com/ https://maps.googleapis.com/ https://s.ytimg.com/ https://connect.facebook.net/ https://www.googletagservices.com/ https://www.dynamicnumbers.mediahawk.co.uk/ https://player.vimeo.com https://gt.bcu.ac.uk/ https://libanswers.bcu.ac.uk/ https://platform.twitter.com/ https://*.twimg.com/ https://www.instagram.com/ https://api3-eu.libcal.com/ https://cdn.unibuddy.co/ https://api.mapbox.com/ https://system.spektrix.com/ https://embed.expertfile.com/ https://d2mo5pjlwftw8w.cloudfront.net/ https://sjs.bizographics.com/ https://static.ads-twitter.com/ https://sc-static.net/ https://analytics.twitter.com https://*.mapbox.com https://discoveruni.gov.uk/ https://*.du-widget.com https://www.gstatic.com/ https://www.google.com/ https://snap.licdn.com https://tr.snapchat.com/ https://analytics.tiktok.com/ https://*.stackadapt.com/ https://s3.amazonaws.com/ki.js https://*.riddle.com/ https://rv-vepple-tour.web.app https://www.redditstatic.com/ https://*.clarity.ms/ https://cdn.veritonic.com/; style-src 'self' 'unsafe-inline' https://bcucdn.azureedge.net/ https://tagmanager.google.com/ https://fonts.googleapis.com/ https://platform.twitter.com/ https://*.mapbox.com https://gt.bcu.ac.uk/ https://*.stackadapt.com/; img-src 'self' data: blob: https://img.bcu.ac.uk/ https://cphfcrflaa.cloudimg.io/ https://i.ytimg.com/ https://bcuassets.blob.core.windows.net/ https://bcucdn.azureedge.net/ https://*.gstatic.com/ https://*.doubleclick.net/ https://www.google-analytics.com/ https://pagead2.googlesyndication.com/ https://www.googletagmanager.com/ https://www.google.com/ https://www.google.co.uk/ https://adservice.google.com/ https://www.facebook.com/ https://secure.adnxs.com/ https://pixel.mediaiqdigital.com/ https://syndication.twitter.com/ https://*.twimg.com/ https://platform.twitter.com/ https://image.issuu.com/ https://maps.googleapis.com/ https://pool.a8723.com/ https://pool.adizio.com https://pool.admedo.com https://*.mapbox.com/ https://px.ads.linkedin.com/ https://t.co/ https://discoveruni.gov.uk/ https://*.du-widget.com https://gt.bcu.ac.uk/ https://snap.licdn.com/ https://lh3.googleusercontent.com/ https://*.stackadapt.com/ https://analytics.twitter.com/ https://alb.reddit.com/ https://*.clarity.ms/; frame-ancestors 'self' https://www.bcuinspired.com/;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

1 headers

Connection

Performance

close

Caching Headers

1 headers

Cache-Control

Caching

private

Content Headers

2 headers

Content-Length

Content

276718

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

X-Powered-By

Server

ASP.NET

CORS Headers

1 headers

Access-Control-Expose-Headers

Cors

Request-Context

Cookies Headers

1 headers

Set-Cookie

Cookies

bcu-privacy=111; expires=Sun, 12-Jul-2026 05:36:23 GMT; path=/; secure

Other Headers

3 headers

Date

Other

Tue, 13 Jan 2026 05:36:23 GMT

Request-Context

Other

appId=cid-v1:e7617ee1-dc08-4eab-9534-a10f433049b4

X-Ua-Compatible

Other

IE=Edge

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology