HTTP Headers Analysis for https://wheesy.web.app

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; style-src; +8 more

default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline' sgtm.new-energie.de www.googletagmanager.com *.usercentrics.eu *.facebook.net *.facebook.com facebook.com *.linkedin.com *.licdn.com *.analytics.tiktok.com analytics.tiktok.com *.mouseflow.com login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com https://app.contentful.com *.friendlycaptcha.com *.trustedshops.com *.trustbadge.com *.api.etrusted.com *.etrusted.com *.moin.ai *.staging.realperson.cloud *.realperson.cloud wss://*.realperson.cloud *.chime.aws wss://*.chime.aws *.cituro.com *.app.cituro.com *.talk-n-job.de talk-n-job.de *.pixel.spotify.com https://pixel.byspotify.com https://pixels.spotify.com *.vlink.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;style-src 'self' 'unsafe-inline' login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com *.trustedshops.com *.trustbadge.com *.api.etrusted.com *.etrusted.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;worker-src 'self' blob:;font-src 'self' 'unsafe-inline' data: *.staging.realperson.cloud *.realperson.cloud wss://*.realperson.cloud *.chime.aws wss://*.chime.aws *.cituro.com *.app.cituro.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;frame-ancestors 'self' https://app.contentful.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;frame-src 'self' *.facebook.net *.facebook.com facebook.com sgtm.new-energie.de www.googletagmanager.com *.usercentrics.eu analytics.google.com *.analytics.google.com google.com *.google.com *.googleadservices.com googleadservices.com *.doubleclick.net *.google.de google.de *.google-analytics.com login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com *.talk-n-job.de talk-n-job.de *.jetzt-mitmachen.de *.youtube.nocookie.com *.youtube-nocookie.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;child-src 'self' login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;connect-src 'self' sgtm.new-energie.de www.googletagmanager.com *.usercentrics.eu *.facebook.net *.facebook.com facebook.com *.linkedin.com *.licdn.com *.analytics.tiktok.com analytics.tiktok.com analytics.google.com *.analytics.google.com google.com *.google.com *.googleadservices.com googleadservices.com *.doubleclick.net *.google.de google.de *.google-analytics.com *.mouseflow.com login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com *.friendlycaptcha.com *.algolia.net *.moin.ai *.dienetzwerkpartner.com *.staging.realperson.cloud *.realperson.cloud wss://*.realperson.cloud *.chime.aws wss://*.chime.aws *.cituro.com *.app.cituro.com *.pixel.spotify.com https://pixel.byspotify.com https://pixels.spotify.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;media-src 'self' *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com;img-src 'self' data: 'unsafe-inline' sgtm.new-energie.de www.googletagmanager.com *.usercentrics.eu *.facebook.net *.facebook.com facebook.com *.bing.com bat.bing-int.com *.jquery.com *.cookiebox.pro *.dwin1.com *.obs.eu-de.otc.t-systems.com www.redditstatic.com *.ad-srv.net *.adscale.de *.linkedin.com *.licdn.com *.analytics.tiktok.com analytics.tiktok.com analytics.google.com *.analytics.google.com google.com *.google.com *.googleadservices.com googleadservices.com *.doubleclick.net *.google.de google.de *.google-analytics.com *.mouseflow.com blob: login.new.de login-test.new.de *.new.de *.new-energie.de new-energie.de sst.klickenergie.de *.klickenergie.de images.ctfassets.net graphql.contentful.com *.moin.ai *.staging.realperson.cloud *.realperson.cloud wss://*.realperson.cloud *.chime.aws wss://*.chime.aws *.cituro.com *.app.cituro.com *.talk-n-job.de talk-n-job.de *.vlink.com *.eaglepixelstreaming.com wss://*.eaglepixelstreaming.com *.eagle3dstreaming.com

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

no-referrer

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

2 headers

Cache-Control

Caching

s-maxage=10, stale-while-revalidate=31535990

Etag

Caching

"vlof8jiyaq5wy9"

Content Headers

2 headers

Content-Length

Content

276686

Content-Type

Content

text/html; charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

1 headers

Access-Control-Allow-Origin

Cors

localhost:3000

Cookies Headers

1 headers

Set-Cookie

Cookies

CSRF-TOKEN=MDZnaEpMRHF1SXBMVC8waGZobjhhSTluci8waG95c21STXhIbmlRbWQzSEZxRjVsTjNJMGF6TkdVMHRrWVRWaEsxUkJUQT09.TURabmFFcE1SSEYxU1hCTVZDOHdhR1pvYmpoaFNUbHVjaTh3YUc5NWMyMVNUWGhJYm1sUmJXUXpTRVp4UmpWc1RqTkpNR0Y2VGtkVk1IUnJXVlJXYUVzeFVrSlVRVDA5bXlTZWNyZXRLZXk%3D; Path=/api; Secure; HttpOnly; SameSite=true

Other Headers

6 headers

Alt-Svc

Other

h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Cdn-Cache-Status

Other

miss

Date

Other

Mon, 01 Dec 2025 07:11:42 GMT

Via

Other

1.1 google

X-Dns-Prefetch-Control

Other

on

X-Nextjs-Cache

Other

STALE

Recommendations

Enable compression (gzip/brotli) to improve performance