HTTP Headers Analysis for https://datawrapper.de

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

accept-encoding

Caching Headers

1 headers

Etag

Caching

W/"almnb"

Content Headers

1 headers

Content-Type

Content

text/html

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

6 headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bbf70e649143e6c-IAD

Content-Security-Policy-Report-Only

Other

default-src 'self'; frame-src 'self' https://datawrapper.dwcdn.net https://js.chargebee.com https://js.stripe.com https://datawrapper-test.chargebee.com https://youtube-nocookie.com https://platform.twitter.com; worker-src blob:; connect-src 'self' data: https://ifconfig.me/ip wss://ws.datawrapper.de https://pwk.datawrapper.de https://js.chargebee.com https://*.cloudfront.net https://*.sentry.io https://*.gstatic.com https://static.dwcdn.net https://datawrapper.dwcdn.net https://comments.datawrapper.de https://staging-chart-tests.s3.eu-central-1.amazonaws.com https://fonts.googleapis.com/ https://app.datawrapper.de https://api.fontsource.org/v1/fonts/ app.datawrapper.de ; font-src 'self' data: https://static.dwcdn.net https://fonts.gstatic.com https://fonts.dwcdn.net ; img-src * data: blob:; media-src * data:; script-src 'self' 'unsafe-eval' https://appsforoffice.microsoft.com https://datawrapper.dwcdn.net https://pwk.datawrapper.de 'nonce-05BuFdgjzv3upBKEug61iw=='; script-src-elem 'self' https://pwk.datawrapper.de https://js.chargebee.com https://js.stripe.com https://appsforoffice.microsoft.com https://platform.twitter.com https://pt.dwcdn.net https://datawrapper.dwcdn.net/ https://pwk.datawrapper.de https://app.datawrapper.de https://comments.datawrapper.de 'nonce-05BuFdgjzv3upBKEug61iw=='; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://datawrapper.dwcdn.net https://static.dwcdn.net https://pt.dwcdn.net; style-src-elem 'self' 'unsafe-inline' https://static.dwcdn.net https://js.chargebee.com https://fonts.googleapis.com https://pt.dwcdn.net https://datawrapper.dwcdn.net https://js.chargebee.com/assets/; report-uri %%CSP_REPORT_URI%%

Date

Other

Sat, 10 Jan 2026 21:59:21 GMT

Www-Authenticate

Other

Session, Token

X-Sveltekit-Page

Other

true

Recommendations

Enable compression (gzip/brotli) to improve performance

Add Cache-Control header to optimize caching