HTTP Headers Analysis for https://obosnett.no

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; frame-src; +5 more

default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.obos.no *.doubleclick.net *.youtube.com *.googletagmanager.com *.gstatic.com *.amplitude.com static.hotjar.com *.analytics.google.com https://*.adform.net https://*.google-analytics.com https://*.episerver.net https://*.adsrvr.org https://*.adnxs.com https://*.snapchat.com https://*.googlesyndication.com https://*.skyra.no https://www.googleadservices.com https://adservice.google.com https://cdn.cookielaw.org https://script.hotjar.com https://cdn.mookie1.com https://connect.facebook.net https://siteimproveanalytics.com https://snap.licdn.com https://sc-static.net https://bat.bing.com *.itxuc.com; frame-src 'self' *.obos.no *.doubleclick.net www.youtube.com https://*.adsrvr.org https://*.snapchat.com https://vars.hotjar.com *.itxuc.com https://www.youtube-nocookie.com/embed/; font-src 'self' script.hotjar.com https://fonts.gstatic.com *.obos.no; media-src 'self' res.cloudinary.com *.obos.no; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com *.gstatic.com *.googletagmanager.com *.itxuc.com *.amplitude.com; img-src 'self' 'unsafe-inline' data: blob: *.obos.no *.doubleclick.net *.google-analytics.com *.hotjar.com *.youtube.com *.google.com *.amplitude.com *.gstatic.com cdn.sanity.io cdn.cookielaw.org res.cloudinary.com www.googletagmanager.com https://*.siteimproveanalytics.io https://*.adsrvr.org https://*.adnxs.com https://*.mookie1.com https://*.facebook.com https://*.linkedin.com https://*.snapchat.com https://*.episerver.net https://*.bing.com https://www.google.no https://optanon.blob.core.windows.net https://i.ytimg.com/; connect-src 'self' *.obos.no *.snapchat.com *.apicdn.sanity.io *.api.sanity.io *.doubleclick.net *.hotjar.com *.hotjar.io *.google-analytics.com *.youtube.com *.google.com *.amplitude.com cdn.sanity.io cdn.cookielaw.org dc.services.visualstudio.com wss://*.hotjar.com https://*.adform.net https://*.googlesyndication.com https://*.sentry.io https://*.google.no https://*.bing.com https://*.skyra.no https://*.adsrvr.org https://*.adnxs.com https://youtube.com https://www.googleadservices.com https://cdn.linkedin.oribi.io https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://privacyportal-eu.onetrust.com https://surveystats.hotjar.io https://cookies-data.onetrust.io/bannersdk https://www.facebook.com/tr *.linkedin.com https://res.cloudinary.com https://data.brreg.no/enhetsregisteret/api/enheter;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding

Caching Headers

1 headers

Cache-Control

Caching

private, no-cache, no-store, max-age=0, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

X-Powered-By

Server

Next.js

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

3 headers

Date

Other

Sun, 25 Jan 2026 13:48:39 GMT

X-Azure-Ref

Other

20260125T134839Z-166685794dcjhk5dhC1BL1kkkn0000000vbg00000000ab6b

X-Cache

Other

CONFIG_NOCACHE

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology