Welcome - WAFDOG

Check Detail

mediamarkt.de · HEADER

Incomplete Grade F

26.9%

Hostname	mediamarkt.de
Check name	HEADER
last run	15/10/2025 17:45
Result	Incomplete Grade B 75.6%

Result Detail

HEADER

Alerts

Strict-Transport-Security: max-age=31536000 (not secure)
Content-Security-Policy: Content-Security-Policy missing
X-Content-Type-Options: Header missing
Referrer-Policy: Header missing
Permissions-Policy: Permissions-Policy missing
Cross-Origin-Opener-Policy: Header missing
Cross-Origin-Embedder-Policy: Header missing
Cross-Origin-Resource-Policy: Header missing
Expect-CT: Expect-CT missing
X-Permitted-Cross-Domain-Policies: Header missing
Access-Control-Allow-Origin: Access-Control-Allow-Origin missing
Server: Sensitive header exposed
Origin-Agent-Cluster: Header missing

Normalized headers

date	Wed, 15 Oct 2025 15:45:35 GMT
content-type	text/html; charset=utf-8
server	cloudflare
cf-ray	98f071c4ce669247-FRA
cf-cache-status	HIT
accept-ranges	bytes
age	104
cache-control	public, max-age=120, stale-while-revalidate=600
link	<https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-400.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-600.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-700.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/MMHeadlineProWebTT-Regular_subset.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/MediaMarktPreise.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush
set-cookie	optid=e9241286-506f-4cde-9b49-9cfc282a486a; Domain=.mediamarkt.de; Path=/; __cf_bm=lOuwk5d_T3xvWrZpgN8mILFhiThS1gtt4qpZ.oCR_2k-1760543135-1.0.1.1-FMs3tLhqGABOkfhmNRKdiCZCIP0A_OiBuONIZIAPqRNFIfloWYgGwJhn9iyl26oQU4guIhDYv_Q4gX6AEuKYBGqJkFUL68IOvAKr0bb_hmU03SvL.jwhlcxXPl6zkw4B; path=/; expires=Wed, 15-Oct-25 16:15:35 GMT; domain=.mediamarkt.de; HttpOnly; Secure; SameSite=None; _cfuvid=nXmeTrCt9KkxHju7zUOYBNCMb400xByQpaWyWtS1I3M-1760543135520-0.0.1.1-604800000; path=/; domain=.mediamarkt.de; HttpOnly; Secure; SameSite=None
vary	Accept-Encoding
via	1.1 google, 1.1 google
server-timing	total;dur=601
x-frame-options	SAMEORIGIN
x-mms-cf-d
x-mms-variation	exp-1076_-_navise_-_homepage_personalized_categories:control&exp-1077_-_homepage_-_onereco_-_hyperpersonal_product_recos_v2:variation_v2&exp-1127_-_plp_srp_-_inp_optimization_with_start_transition:optimized_interaction
strict-transport-security	max-age=31536000
x-we-are-hiring	We appreciate developers that love to explore what goes on under the hood of software. Apply now at https://careers.mediamarktsaturn.com/MediaMarktSaturn!

Transport

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Strict-Transport-Security	⚠️ Attention	max-age=31536000	max-age>=15768000; includeSubDomains; preload	max-age=31536000 (not secure)	Critical	Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Expect-CT	⚠️ Attention		enforce; max-age>=86400	Expect-CT missing	Medium	Expect-CT: enforce, max-age=86400, report-uri="https://report.example.com"

Content Security

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Content-Security-Policy	⚠️ Attention		default-src 'self'; frame-ancestors 'none'	Content-Security-Policy missing	Critical	Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

MIME

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Content-Type-Options	⚠️ Attention		nosniff	Header missing	High	X-Content-Type-Options: nosniff

Framing

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Frame-Options	✅ OK	SAMEORIGIN	DENY or SAMEORIGIN	Value accepted	High	X-Frame-Options: DENY

Privacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Referrer-Policy	⚠️ Attention		strict-origin-when-cross-origin / same-origin	Header missing	Medium	Referrer-Policy: strict-origin-when-cross-origin

Browser Features

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Permissions-Policy	⚠️ Attention		camera=(); geolocation=(); microphone=()	Permissions-Policy missing	Medium	Permissions-Policy: camera=(), geolocation=(), microphone=()

Cross-Origin

Check name	Status	Expected	Detail	Severity	Recommendation
Cross-Origin-Opener-Policy	⚠️ Attention	same-origin	Header missing	High	Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy	⚠️ Attention	require-corp	Header missing	High	Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy	⚠️ Attention	same-origin	Header missing	Medium	Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster	⚠️ Attention	?1	Header missing	Low	Origin-Agent-Cluster: ?1

Caching

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Cache-Control	✅ OK	public, max-age=120, stale-while-revalidate=600	no-store, private, max-age=0	no-store, private, max-age=0	High	Cache-Control: no-store, private, max-age=0

Legacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Permitted-Cross-Domain-Policies	⚠️ Attention		none	Header missing	Low	X-Permitted-Cross-Domain-Policies: none

CORS

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Access-Control-Allow-Origin	⚠️ Attention		Scoped origin (no wildcard)	Access-Control-Allow-Origin missing	Medium	Access-Control-Allow-Origin: https://app.example.com

Information Disclosure

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Server	⚠️ Attention	cloudflare	Header removed or generic	Sensitive header exposed	High	Remove Server header or set to a generic token
X-Powered-By	✅ OK		Header removed	Header not exposed	High	Remove X-Powered-By header
X-AspNet-Version	✅ OK		Header removed	Header not exposed	Medium	Remove framework version headers

Raw headers

HTTP/2 200 
date: Wed, 15 Oct 2025 15:45:35 GMT
content-type: text/html; charset=utf-8
server: cloudflare
cf-ray: 98f071c4ce669247-FRA
cf-cache-status: HIT
accept-ranges: bytes
age: 104
cache-control: public, max-age=120, stale-while-revalidate=600
link: <https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-400.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-600.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/noto-sans-display-v10-latin-700.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/MMHeadlineProWebTT-Regular_subset.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush, <https://www.mediamarkt.de/assets/fonts/MediaMarktPreise.woff2>; rel="preload"; as="font"; crossorigin; type="font/woff2"; nopush
set-cookie: optid=e9241286-506f-4cde-9b49-9cfc282a486a; Domain=.mediamarkt.de; Path=/
set-cookie: __cf_bm=lOuwk5d_T3xvWrZpgN8mILFhiThS1gtt4qpZ.oCR_2k-1760543135-1.0.1.1-FMs3tLhqGABOkfhmNRKdiCZCIP0A_OiBuONIZIAPqRNFIfloWYgGwJhn9iyl26oQU4guIhDYv_Q4gX6AEuKYBGqJkFUL68IOvAKr0bb_hmU03SvL.jwhlcxXPl6zkw4B; path=/; expires=Wed, 15-Oct-25 16:15:35 GMT; domain=.mediamarkt.de; HttpOnly; Secure; SameSite=None
set-cookie: _cfuvid=nXmeTrCt9KkxHju7zUOYBNCMb400xByQpaWyWtS1I3M-1760543135520-0.0.1.1-604800000; path=/; domain=.mediamarkt.de; HttpOnly; Secure; SameSite=None
vary: Accept-Encoding
via: 1.1 google, 1.1 google
server-timing: total;dur=601
x-frame-options: SAMEORIGIN
x-mms-cf-d: 
x-mms-variation: exp-1076_-_navise_-_homepage_personalized_categories:control&exp-1077_-_homepage_-_onereco_-_hyperpersonal_product_recos_v2:variation_v2&exp-1127_-_plp_srp_-_inp_optimization_with_start_transition:optimized_interaction
strict-transport-security: max-age=31536000
x-we-are-hiring: We appreciate developers that love to explore what goes on under the hood of software. Apply now at https://careers.mediamarktsaturn.com/MediaMarktSaturn!