Check Detail
distriplac.com · HEADER
Incomplete
Grade D
42.3%
Result Detail
HEADERAlerts
- Strict-Transport-Security: max-age=31536000 (not secure)
- Content-Security-Policy: Content-Security-Policy missing
- Referrer-Policy: Header missing
- Permissions-Policy: Permissions-Policy missing
- Cross-Origin-Opener-Policy: Header missing
- Cross-Origin-Embedder-Policy: Header missing
- Cross-Origin-Resource-Policy: Header missing
- Expect-CT: Expect-CT missing
- X-Permitted-Cross-Domain-Policies: Header missing
- Access-Control-Allow-Origin: Access-Control-Allow-Origin missing
- Origin-Agent-Cluster: Header missing
Normalized headers
| date | Wed, 15 Oct 2025 13:58:41 GMT |
|---|---|
| content-type | text/html; charset=UTF-8 |
| vary | Accept-Encoding |
| content-security-policy-report-only | font-src data: *.gstatic.com oct8necdneu.azureedge.net *.oct8ne.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com sis-t.redsys.es:* sis.redsys.es sis-t.sermepa.es:* sis.sermepa.es *.cardinalcommerce.com *.paypal.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors *.googleapis.com 'self'; frame-src fast.amc.demdex.net *.adobe.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.youtube.com *.youtube-nocookie.com bid.g.doubleclick.net www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com player.vimeo.com https://www.google.com/recaptcha/ www.googletagmanager.com consentcdn.cookiebot.com *.vimeo.com *.oct8ne.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com *.paypal.com * 'self' 'unsafe-inline'; img-src assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com data: www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com *.googleapis.com *.google.com *.google.es *.google.com.br *.gstatic.com *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net oct8necdneu.azureedge.net *.cookiebot.com *.ggpht *.oct8ne.com www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com *.paypal.com *.distriplac.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ consent.cookiebot.com polyfill.io *.googleapis.com *.google.com *.google.es *.google.com.br *.gstatic.com *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net *.cookiebot.com *.oct8ne.com *.adyen.com *.hotjar.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com preassets.empathybroker.com x.empathy.co x.staging.empathy.co 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com *.googleapis.com unsafe-inline assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com vimeo.com www.google-analytics.com www.googleadservices.com analytics.google.com www.googletagmanager.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com consentcdn.cookiebot.com *.google.com *.google.es *.google.com.br *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net *.oct8ne.com *.adyen.com *.googleapis.com *.cookiebot.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.braintree-api.com *.paypal.com *.cardinalcommerce.com google.com distriplac.com *.empathybroker.com *.empathy.co *.staging.empathy.co 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline'; |
| x-content-type-options | nosniff |
| x-xss-protection | 1; mode=block |
| x-frame-options | SAMEORIGIN |
| x-backend-server | z98sl138pdst5wb |
| sysops-powered-by | Teradisk Cloud Services |
| pragma | no-cache |
| expires | -1 |
| cache-control | no-store, no-cache, must-revalidate, max-age=0 |
| accept-ranges | bytes |
| content-length | 398595 |
| connection | keep-alive |
| set-cookie | visid_incap_2221724=ytxKkcQ5RHOvNj8Aq9vlw0my72gAAAAAQUIPAAAAAAD0TgZoBQq6dBvOTpC0g7TE; expires=Wed, 14 Oct 2026 22:20:06 GMT; HttpOnly; path=/; Domain=.distriplac.com; Secure; SameSite=None; incap_ses_728_2221724=TOWaG660P3eZBMYPkmAaCkmy72gAAAAAvpHL7ZibextR/hqTTupKcQ==; path=/; Domain=.distriplac.com; Secure; SameSite=None |
| strict-transport-security | max-age=31536000 |
| x-cdn | Imperva |
| x-iinfo | 13-50382978-50382985 NNNN CT(12 14 0) RT(1760539210159 59) q(0 0 0 12) r(0 0) U6 |
Transport
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Strict-Transport-Security | ⚠️ Attention | max-age=31536000 | max-age>=15768000; includeSubDomains; preload | max-age=31536000 (not secure) | Critical | Strict-Transport-Security: max-age=63072000; includeSubDomains; preload |
| Expect-CT | ⚠️ Attention | enforce; max-age>=86400 | Expect-CT missing | Medium | Expect-CT: enforce, max-age=86400, report-uri="https://report.example.com" |
Content Security
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Content-Security-Policy | ⚠️ Attention | default-src 'self'; frame-ancestors 'none' | Content-Security-Policy missing | Critical | Content-Security-Policy: default-src 'self'; frame-ancestors 'none' |
MIME
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Content-Type-Options | ✅ OK | nosniff | nosniff | Value matches recommendation | High | X-Content-Type-Options: nosniff |
Framing
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Frame-Options | ✅ OK | SAMEORIGIN | DENY or SAMEORIGIN | Value accepted | High | X-Frame-Options: DENY |
Privacy
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Referrer-Policy | ⚠️ Attention | strict-origin-when-cross-origin / same-origin | Header missing | Medium | Referrer-Policy: strict-origin-when-cross-origin |
Browser Features
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Permissions-Policy | ⚠️ Attention | camera=(); geolocation=(); microphone=() | Permissions-Policy missing | Medium | Permissions-Policy: camera=(), geolocation=(), microphone=() |
Cross-Origin
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Cross-Origin-Opener-Policy | ⚠️ Attention | same-origin | Header missing | High | Cross-Origin-Opener-Policy: same-origin | |
| Cross-Origin-Embedder-Policy | ⚠️ Attention | require-corp | Header missing | High | Cross-Origin-Embedder-Policy: require-corp | |
| Cross-Origin-Resource-Policy | ⚠️ Attention | same-origin | Header missing | Medium | Cross-Origin-Resource-Policy: same-origin | |
| Origin-Agent-Cluster | ⚠️ Attention | ?1 | Header missing | Low | Origin-Agent-Cluster: ?1 |
Caching
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Cache-Control | ✅ OK | no-store, no-cache, must-revalidate, max-age=0 | no-store, private, max-age=0 | no-store, private, max-age=0 | High | Cache-Control: no-store, private, max-age=0 |
Legacy
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Permitted-Cross-Domain-Policies | ⚠️ Attention | none | Header missing | Low | X-Permitted-Cross-Domain-Policies: none |
CORS
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Access-Control-Allow-Origin | ⚠️ Attention | Scoped origin (no wildcard) | Access-Control-Allow-Origin missing | Medium | Access-Control-Allow-Origin: https://app.example.com |
Information Disclosure
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Server | ✅ OK | Header removed or generic | Header not exposed | High | Remove Server header or set to a generic token | |
| X-Powered-By | ✅ OK | Header removed | Header not exposed | High | Remove X-Powered-By header | |
| X-AspNet-Version | ✅ OK | Header removed | Header not exposed | Medium | Remove framework version headers |
Raw headers
HTTP/1.1 200 OK Date: Wed, 15 Oct 2025 13:58:41 GMT Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Security-Policy-Report-Only: font-src data: *.gstatic.com oct8necdneu.azureedge.net *.oct8ne.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com sis-t.redsys.es:* sis.redsys.es sis-t.sermepa.es:* sis.sermepa.es *.cardinalcommerce.com *.paypal.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors *.googleapis.com 'self'; frame-src fast.amc.demdex.net *.adobe.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.youtube.com *.youtube-nocookie.com bid.g.doubleclick.net www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com player.vimeo.com https://www.google.com/recaptcha/ www.googletagmanager.com consentcdn.cookiebot.com *.vimeo.com *.oct8ne.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com *.paypal.com * 'self' 'unsafe-inline'; img-src assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com data: www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com *.googleapis.com *.google.com *.google.es *.google.com.br *.gstatic.com *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net oct8necdneu.azureedge.net *.cookiebot.com *.ggpht *.oct8ne.com www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com *.paypal.com *.distriplac.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ consent.cookiebot.com polyfill.io *.googleapis.com *.google.com *.google.es *.google.com.br *.gstatic.com *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net *.cookiebot.com *.oct8ne.com *.adyen.com *.hotjar.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com preassets.empathybroker.com x.empathy.co x.staging.empathy.co 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com *.googleapis.com unsafe-inline assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com vimeo.com www.google-analytics.com www.googleadservices.com analytics.google.com www.googletagmanager.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com consentcdn.cookiebot.com *.google.com *.google.es *.google.com.br *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net *.oct8ne.com *.adyen.com *.googleapis.com *.cookiebot.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.braintree-api.com *.paypal.com *.cardinalcommerce.com google.com distriplac.com *.empathybroker.com *.empathy.co *.staging.empathy.co 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline'; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Backend-Server: z98sl138pdst5wb sysops-powered-by: Teradisk Cloud Services Pragma: no-cache Expires: -1 Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Accept-Ranges: bytes Content-Length: 398595 Connection: keep-alive Set-Cookie: visid_incap_2221724=ytxKkcQ5RHOvNj8Aq9vlw0my72gAAAAAQUIPAAAAAAD0TgZoBQq6dBvOTpC0g7TE; expires=Wed, 14 Oct 2026 22:20:06 GMT; HttpOnly; path=/; Domain=.distriplac.com; Secure; SameSite=None Set-Cookie: incap_ses_728_2221724=TOWaG660P3eZBMYPkmAaCkmy72gAAAAAvpHL7ZibextR/hqTTupKcQ==; path=/; Domain=.distriplac.com; Secure; SameSite=None Strict-Transport-Security: max-age=31536000 X-CDN: Imperva X-Iinfo: 13-50382978-50382985 NNNN CT(12 14 0) RT(1760539210159 59) q(0 0 0 12) r(0 0) U6