Welcome - WAFDOG

Check Detail

hamburg.de · HEADER

Passed Grade C

61.5%

Hostname	hamburg.de
Check name	HEADER
last run	15/10/2025 22:09
Result	Passed Grade B 87.2%

Result Detail

HEADER

Alerts

Referrer-Policy: Header missing
Permissions-Policy: Permissions-Policy missing
Cross-Origin-Opener-Policy: Header missing
Cross-Origin-Embedder-Policy: Header missing
Cross-Origin-Resource-Policy: Header missing
Expect-CT: Expect-CT missing
X-Permitted-Cross-Domain-Policies: Header missing
Access-Control-Allow-Origin: Access-Control-Allow-Origin missing
Origin-Agent-Cluster: Header missing

Normalized headers

date	Wed, 15 Oct 2025 20:09:22 GMT
content-type	text/html;charset=UTF-8
content-length	269657
set-cookie	DELIVERY_SESSIONID=1760558963.623.52.509545\|1159ac26c93a51b3b09facab6ec6661e; Path=/; Secure; HttpOnly
x-content-type-options	nosniff
x-xss-protection	0
strict-transport-security	max-age=31536000; includeSubDomains; max-age=31536000
x-frame-options	DENY
content-security-policy	default-src 'self'; connect-src 'self' .hamburg.de .contentflow.net www.etracker.de .dataport.de sgx.geodatenzentrum.de sg.geodatenzentrum.de www.captcha.eu .stage.bio hamburg.netzwerk-iq.de; script-src 'self' blob: .stage.bio app.cituro.com www.youtube.com .hamburg.de eyeable.hamburg.de www.eye-able-cdn.com code.etracker.com www.etracker.de .contentflow.net iason.hamburg.de .dataport.de www.captcha.eu hamburg.netzwerk-iq.de 'unsafe-inline'; style-src 'self' .hamburg.de code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de app.cituro.com hamburg.netzwerk-iq.de 'unsafe-inline'; img-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de static.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de .stage.bio hamburg.netzwerk-iq.de www.captcha.eu data:; font-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de cdn.cituro.com; frame-src ; frame-ancestors .hamburg.de; media-src 'self' blob: contentflow: .stage.bio
content-language	de
x-cae	cae-live-1-0
cache-control	max-age=300
vary	Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Accept-Encoding
age	32
accept-ranges	bytes
grace
x-cache	HIT
x-cache-hits	27

Transport

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Strict-Transport-Security	✅ OK	max-age=31536000; includeSubDomains; max-age=31536000	max-age>=15768000; includeSubDomains; preload	HSTS policy robust	Critical	Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Expect-CT	⚠️ Attention		enforce; max-age>=86400	Expect-CT missing	Medium	Expect-CT: enforce, max-age=86400, report-uri="https://report.example.com"

Content Security

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Content-Security-Policy	✅ OK	default-src 'self'; connect-src 'self' .hamburg.de .contentflow.net www.etracker.de .dataport.de sgx.geodatenzentrum.de sg.geodatenzentrum.de www.captcha.eu .stage.bio hamburg.netzwerk-iq.de; script-src 'self' blob: .stage.bio app.cituro.com www.youtube.com .hamburg.de eyeable.hamburg.de www.eye-able-cdn.com code.etracker.com www.etracker.de .contentflow.net iason.hamburg.de .dataport.de www.captcha.eu hamburg.netzwerk-iq.de 'unsafe-inline'; style-src 'self' .hamburg.de code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de app.cituro.com hamburg.netzwerk-iq.de 'unsafe-inline'; img-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de static.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de .stage.bio hamburg.netzwerk-iq.de www.captcha.eu data:; font-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com .contentflow.net iason.hamburg.de cdn.cituro.com; frame-src ; frame-ancestors .hamburg.de; media-src 'self' blob: contentflow: .stage.bio	default-src 'self'; frame-ancestors 'none'	default-src 'self'; frame-ancestors 'none'	Critical	Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

MIME

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Content-Type-Options	✅ OK	nosniff	nosniff	Value matches recommendation	High	X-Content-Type-Options: nosniff

Framing

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Frame-Options	✅ OK	DENY	DENY or SAMEORIGIN	Value accepted	High	X-Frame-Options: DENY

Privacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Referrer-Policy	⚠️ Attention		strict-origin-when-cross-origin / same-origin	Header missing	Medium	Referrer-Policy: strict-origin-when-cross-origin

Browser Features

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Permissions-Policy	⚠️ Attention		camera=(); geolocation=(); microphone=()	Permissions-Policy missing	Medium	Permissions-Policy: camera=(), geolocation=(), microphone=()

Cross-Origin

Check name	Status	Expected	Detail	Severity	Recommendation
Cross-Origin-Opener-Policy	⚠️ Attention	same-origin	Header missing	High	Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy	⚠️ Attention	require-corp	Header missing	High	Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy	⚠️ Attention	same-origin	Header missing	Medium	Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster	⚠️ Attention	?1	Header missing	Low	Origin-Agent-Cluster: ?1

Caching

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Cache-Control	✅ OK	max-age=300	no-store, private, max-age=0	no-store, private, max-age=0	High	Cache-Control: no-store, private, max-age=0

Legacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Permitted-Cross-Domain-Policies	⚠️ Attention		none	Header missing	Low	X-Permitted-Cross-Domain-Policies: none

CORS

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Access-Control-Allow-Origin	⚠️ Attention		Scoped origin (no wildcard)	Access-Control-Allow-Origin missing	Medium	Access-Control-Allow-Origin: https://app.example.com

Information Disclosure

Check name	Status	Expected	Detail	Severity	Recommendation
Server	✅ OK	Header removed or generic	Header not exposed	High	Remove Server header or set to a generic token
X-Powered-By	✅ OK	Header removed	Header not exposed	High	Remove X-Powered-By header
X-AspNet-Version	✅ OK	Header removed	Header not exposed	Medium	Remove framework version headers

Raw headers

HTTP/2 200 
date: Wed, 15 Oct 2025 20:09:22 GMT
content-type: text/html;charset=UTF-8
content-length: 269657
set-cookie: DELIVERY_SESSIONID=1760558963.623.52.509545|1159ac26c93a51b3b09facab6ec6661e; Path=/; Secure; HttpOnly
x-content-type-options: nosniff
x-xss-protection: 0
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
content-security-policy: default-src 'self'; connect-src 'self' *.hamburg.de *.contentflow.net www.etracker.de *.dataport.de sgx.geodatenzentrum.de sg.geodatenzentrum.de www.captcha.eu *.stage.bio hamburg.netzwerk-iq.de; script-src 'self' blob: *.stage.bio app.cituro.com www.youtube.com *.hamburg.de eyeable.hamburg.de www.eye-able-cdn.com code.etracker.com www.etracker.de *.contentflow.net iason.hamburg.de *.dataport.de www.captcha.eu hamburg.netzwerk-iq.de 'unsafe-inline'; style-src 'self' *.hamburg.de code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com *.contentflow.net iason.hamburg.de app.cituro.com hamburg.netzwerk-iq.de 'unsafe-inline'; img-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de static.hamburg.de www.eye-able-cdn.com *.contentflow.net iason.hamburg.de *.stage.bio hamburg.netzwerk-iq.de www.captcha.eu data:; font-src 'self' code.etracker.com www.etracker.de eyeable.hamburg.de www.eye-able-cdn.com *.contentflow.net iason.hamburg.de cdn.cituro.com; frame-src *; frame-ancestors *.hamburg.de; media-src 'self' blob: contentflow: *.stage.bio
content-language: de
x-cae: cae-live-1-0
cache-control: max-age=300
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Accept-Encoding
age: 32
accept-ranges: bytes
grace: 
x-cache: HIT
x-cache-hits: 27
strict-transport-security: max-age=31536000