HTTP Headers Analysis for https://netcup.de

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

base-uri; font-src; form-action; +12 more

base-uri 'none'; font-src 'self' https: data:; form-action https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://www.facebook.com; frame-ancestors 'self'; img-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://ads-twitter.com https://ads-api.twitter.com https://analytics.twitter.com https://mautic.netcup.news https://px.ads.linkedin.com 'self' blob: data: https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://*.onetrust.com https://measure.netcup.com https://www.googleadservices.com https://pagead2.googlesyndication.com https://widget.trustpilot.com https://cdn.brevo.com/js/sdk-loader.js 'self' 'wasm-unsafe-eval' 'nonce-iqskpBgnjP5YM2OiIzVCx/PW'; upgrade-insecure-requests; connect-src https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://ads-twitter.com https://ads-api.twitter.com https://analytics.twitter.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://*.onetrust.com https://www.google.com https://in-automate.brevo.com https://measure.netcup.com https://google.com https://px.ads.linkedin.com https://*.clarity.ms/ 'self' https://*.analytics.google.com https://*.google-analytics.com https://stats.g.doubleclick.net https://eu-api.friendlycaptcha.eu https://googleads.g.doubleclick.net https://www.googleadservices.com https://cdn.cookielaw.org https://adservice.google.com https://pagead2.googlesyndication.com https://www.redditstatic.com https://pixel-config.reddit.com https://analytics.tiktok.com https://ads.tiktok.com https://bat.bing.com https://widget.trustpilot.com; worker-src blob:; child-src blob: https://td.doubleclick.net; script-src-elem https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com https://cdn.brevo.com/js/sdk-loader.js https://sibautomation.com/sa.js https://sibforms.com/ https://www.googleadservices.com https://www.redditstatic.com 'self' 'unsafe-inline' https://*.googletagmanager.com https://static.ads-twitter.com https://snap.licdn.com https://bat.bing.com https://connect.facebook.net https://*.clarity.ms https://googleads.g.doubleclick.net https://cdn.cookielaw.org https://analytics.tiktok.com https://ads.tiktok.com https://measure.netcup.com https://www.youtube.com https://pagead2.googlesyndication.com https://widget.trustpilot.com; frame-src https://td.doubleclick.net https://www.facebook.com https://www.googletagmanager.com https://measure.netcup.com https://www.youtube-nocookie.com/ https://widget.trustpilot.com https://green.netcup.com https://red.netcup.com https://blue.netcup.com https://www.netcup.com;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

Performance Headers

2 headers

Connection

Performance

close

Keep-Alive

Performance

timeout=30

Caching Headers

2 headers

Age

Caching

0

Cache-Control

Caching

max-age=0, s-maxage=5, public

Content Headers

2 headers

Content-Length

Content

1199626

Content-Type

Content

text/html;charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

1 headers

Access-Control-Allow-Origin

Cors

*

Cookies Headers

1 headers

Set-Cookie

Cookies

__Secure-CDNCID=JPq2g8IT9eSXxAoDMgvV3m6tjzS6aKLTEKqG5tYmMd6aIu52BaPfc5GfHmoyv0d4pP3YChq2g1eiHXtLoX3Twh8HekrPnDPR+x9Qr5m4KlLxC2sfDOQavK5PIKxFFovv; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax

Other Headers

7 headers

Alt-Svc

Other

h3=":443"; ma=600

Date

Other

Sun, 25 Jan 2026 20:38:35 GMT

Origin-Agent-Cluster

Other

?1

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Permitted-Cross-Domain-Policies

Other

none

X-Trace-Id

Other

b9df5bda-a207-409e-baf3-1bf0d69154bc

Recommendations

Enable compression (gzip/brotli) to improve performance