Headers
HTTP Security Headers
Status
Strict-Transport-Security
Good
max-age=63072000; includeSubDomains
Content-Security-Policy
Good
default-src; connect-src; base-uri; +12 more
default-src 'self' *.piwik.pro *.hotjar.com *.sendinblue.com sibautomation.com wss://ws8.hotjar.com wss://ws12.hotjar.com bid.g.doubleclick.net ipmeta.io *.datocms.com vc.hotjar.io store.pwc.de store.pwc.nl pwc.nl firebaseinstallations.googleapis.com cdn.cookielaw.org stats.g.doubleclick.net www.google-analytics.com *.google-analytics.com in-automate.sendinblue.com k.clarity.ms store.stage.pwc.de cdn.linkedin.oribi.io wss://ws.hotjar.com content.hotjar.io *.clarity.ms r.clarity.ms in-automate.brevo.com *.onetrust.com dpm.demdex.net assets.adobedtm.com plausible.io *.office.com app.getodin.ai cdn.getodin.ai cloud.email.pwc.com;connect-src 'self' https: https://px.ads.linkedin.com https://metrics.hotjar.io wss://ws.hotjar.com https://app.getodin.ai https://cdn.getodin.ai;base-uri 'self';script-src-attr 'nonce-5f5a429b-49f8-459a-94a7-eb59455e3683' 'self' 'strict-dynamic' https: assets.adobedtm.com;script-src 'nonce-5f5a429b-49f8-459a-94a7-eb59455e3683' 'self' 'strict-dynamic' https: https://*.piwik.pro https://googleads.g.doubleclick.net https://ipmeta.io/plugin.js https://www.googleadservices.com https://geolocation.onetrust.com https://ajax.googleapis.com https://snap.licdn.com https://*.en25.com/i/livevalidation_standalone.compressed.js https://cdn.cookielaw.org https://connect.facebook.net https://www.gstatic.com https://500009425.collect.igodigital.com/collect.js https://static.hotjar.com https://www.google-analytics.com *.google-analytics.com https://script.hotjar.com https://www.googletagmanager.com https://store.pwc.de/_Incapsula_Resource https://store.stage.pwc.de/_Incapsula_Resource https://www.youtube.com https://sibautomation.com https://www.clarity.ms https://sc.lfeeder.com https://in-automate.brevo.com https://r.clarity.ms https://cdn.linkedin.oribi.io https://assets.adobedtm.com https://plausible.io/js/plausible.js https://www.office.com https://app.getodin.ai https://cdn.getodin.ai;script-src-elem 'strict-dynamic' 
'nonce-5f5a429b-49f8-459a-94a7-eb59455e3683' 'self' https://*.piwik.pro static.hotjar.com https://sibautomation.com https://snap.licdn.com https://sc.lfeeder.com https://www.clarity.ms https://in-automate.brevo.com https://r.clarity.ms https://script.hotjar.com https://cdn.linkedin.oribi.io https://www.googletagmanager.com https://cdn.cookielaw.org https://bat.bing.com https://assets.adobedtm.com https://plausible.io https://*.office.com https://app.getodin.ai https://cdn.getodin.ai;style-src 'self' 'unsafe-inline' https:;media-src 'self' streaming.pwc.de https:;font-src 'self' https: data:;img-src 'self' https: www.datocms-assets.com *.piwik.pro www.google.com www.google.ch www.google.fr www.google.de www.google.pl px.ads.linkedin.com streaming.pwc.de www.pwc.com www.facebook.com googleads.g.doubleclick.net www.googletagmanager.com www.google-analytics.com *.google-analytics.com tr-rc.lfeeder.com data: *.office.com app.getodin.ai cdn.getodin.ai pwc.nl store.pwc.nl cloud.email.pwc.com;frame-src 'self' https://js.stripe.com https://cloud.uk.info.pwc.com https://marvelapp.com https://www.facebook.com https://10000792.fls.doubleclick.net https://www.youtube.com https://www.google.com https://www.youtube-nocookie.com https://www.googletagmanager.com https://vars.hotjar.com https://sibautomation.com https://app.powerbi.com https://docs.google.com https://td.doubleclick.net https://pwcglsc.demdex.net https://*.office.com https://app.getodin.ai https://cdn.getodin.ai https://cloud.email.pwc.com;frame-ancestors 'self' https: https://app.emlen.io https://discover.store.pwc.de/ https://*.office.com https://app.getodin.ai https://cdn.getodin.ai https://cloud.email.pwc.com;form-action 'self';object-src 'none';upgrade-insecure-requests
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
- Consider adding 'preload' to HSTS for maximum security
- Strengthen CSP by removing 'unsafe-eval'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Consider adding Permissions-Policy to control browser features
Performance Headers
3 headers
Connection
Performance
close
Transfer-Encoding
Performance
chunked
Vary
Performance
Accept-Encoding
Caching Headers
2 headers
Cache-Control
Caching
public, s-maxage=10, stale-while-revalidate=59
Etag
Caching
"78hfof10qb397k"
Content Headers
1 header
Content-Type
Content
text/html; charset=utf-8
Server Headers
0 headers
No server headers found
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 header
Set-Cookie
Cookies
incap_ses_155_3233214=15WWLySMf1dy1OGRJKwmAmVHTmkAAAAAVaJH0Z7mIMfHyvUfXnQ+dw==; path=/; Domain=.pwc.nl; Secure; SameSite=None
Other Headers
7 headers
Date
Other
Fri, 26 Dec 2025 08:29:25 GMT
Request-Context
Other
appId=cid-v1:
X-Cdn
Other
Imperva
X-Dns-Prefetch-Control
Other
off
X-Download-Options
Other
noopen
X-Iinfo
Other
17-126088705-126088706 NNNN CT(80 164 0) RT(1766737765112 12) q(0 0 2 0) r(5 6) U12
X-Permitted-Cross-Domain-Policies
Other
none
Recommendations
Enable compression (gzip/brotli) to improve performance
Analysis completed in 1221ms