HTTP Headers Analysis for https://tink.de

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=84600; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; style-src; +2 more

default-src 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://app.usercentrics.eu *.cloudfront.net https://messenger.dixa.io https://js-agent.newrelic.com https://widget.reviews.io https://tagalys-assets.s3.ap-southeast-1.amazonaws.com https://www.google.com https://www.paypal.com https://pay.google.com https://cert.tryggehandel.net https://maps.googleapis.com https://cdnjs.cloudflare.com https://static.klaviyo.com https://widget.thuiswinkel.org https://static-tracking.klaviyo.com https://cdn.parcellab.com https://www.youtube.com *.parcellab.com *.tagalys.com *.criteo.com *.criteo.net https://api.braintreegateway.com https://sandbox.braintreegateway.com https://api.sandbox.braintreegateway.com https://braintreegateway.com https://payments.braintree-api.com https://sandbox.braintree-api.com https://songbird.cardinalcommerce.com https://songbirdstag.cardinalcommerce.com https://js.braintreegateway.com https://x.klarnacdn.net https://static-eu.payments-amazon.com https://js.klarna.com https://cdn.tink.de https://cdn.tink.at https://cdn-vattenfall.tink.de https://cdn-deutsche-giganetz.tink.de https://cdn-kpn.tink.nl https://cdn.tink.nl https://cdn.tink.net https://cdn.tink.be https://cdn-plus.tink.de https://d2810q2tlzpt0m.cloudfront.net cdn.builder.io https://widget.thuiswinkel-cdn.org https://*.heyflow.com https://*.heyflow.cloud https://www.googletagmanager.com https://ww1.tink.de https://ww1.tink.at https://ww1.tink.nl https://ww1.tink.be https://vf1.tink.de https://js.appboycdn.com https://s.ytimg.com https://content.zeotap.com https://bat.bing.com https://googleads.g.doubleclick.net https://www.googleadservices.com https://www.gstatic.com https://connect.facebook.net https://*.getsitecontrol.com https://www.dwin1.com https://d.impactradius-event.com https://cdn.taboola.com https://lantern.roeyecdn.com https://code.jquery.com https://s.pinimg.com https://tr.fatmedia.io https://trc.taboola.com https://analytics.tiktok.com https://www.shopperapproved.com https://analytics.fatmedia.io https://www.awin1.com https://static.hotjar.com https://script.hotjar.com https://*.ad-srv.net https://*.adsrvr.org https://*.doubleclick.net https://*.adform.net https://*.adition.com https://*.adfarm.com https://app.varify.io https://origin.acuityplatform.com https://cdn.pdst.fm https://ct.pinterest.com https://redditstatic.com https://www.redditstatic.com https://consent.cookiebot.com https://consentcdn.cookiebot.com https://widget.thuiswinkel.org; style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://messenger.dixa.io https://assets.reviews.io https://static.klaviyo.com https://*.getsitecontrol.com https://cdn.parcellab.com https://static-tracking.klaviyo.com https://api.braintreegateway.com https://sandbox.braintreegateway.com https://api.sandbox.braintreegateway.com https://braintreegateway.com https://payments.braintree-api.com https://sandbox.braintree-api.com https://songbird.cardinalcommerce.com https://songbirdstag.cardinalcommerce.com https://js.braintreegateway.com https://x.klarnacdn.net https://static-eu.payments-amazon.com https://js.klarna.com https://cdn.tink.de https://cdn.tink.at https://cdn-vattenfall.tink.de https://cdn-deutsche-giganetz.tink.de https://cdn-kpn.tink.nl https://cdn.tink.nl https://cdn.tink.net https://cdn.tink.be https://cdn-plus.tink.de https://d2810q2tlzpt0m.cloudfront.net cdn.builder.io https://widget.thuiswinkel-cdn.org https://*.heyflow.com https://*.heyflow.cloud; connect-src *; frame-ancestors 'self' https://builder.io https://*.builder.io

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

no-referrer-when-downgrade

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Accept-Ranges

Performance

bytes

Connection

Performance

keep-alive

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Age

Caching

0

Cache-Control

Caching

s-maxage=3600, stale-while-revalidate=31532400

Etag

Caching

W/"j8srqsl8noqtso"

Expires

Caching

Mon, 30 Apr 2008 10:00:00 GMT

Content Headers

2 headers

Content-Length

Content

1252423

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

X-Powered-By

Server

Next.js

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

2 headers

Date

Other

Mon, 24 Nov 2025 18:30:47 GMT

X-Nextjs-Cache

Other

HIT

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology