https://cookieyes.com
Security
· 13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
79
GRADE
C
FIX
3
REVIEW
4
PASS
6
INFO
0
Checks
136 PASS 4 REVIEW 3 FIX
DContent Security PolicyAction5 of 10 CSP checks passedFIX
Content Security Policy
Action5 of 10 CSP checks passed
5 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self' data: https://*.gstatic.com https://*.tawk.to https://*.cloudflare.com https://js.intercomcdn.com https://fonts.intercomcdn.com https://fonts.bunny.net https://*.googlesyndication.com https://*.segment.com https://*.lottiefiles.com https://*.hotjar.com https://www.google.com https://api.segment.io https://*.clarity.ms https://c.bing.com ; img-src 'self' data: https://*.hotjar.com https://*.googleadservices.com https://*.gstatic.com https://scatec.io https://*.bing.com https://static.intercomassets.com https://js.intercomcdn.com https://downloads.intercomcdn.com https://www.google.ie https://www.google.com https://*.google.es https://*.google.pl https://*.google.co.uk https://*.google.it https://*.google.de https://*.google.fr https://*.google.ca https://*.doubleclick.net https://*.twitter.com https://t.co https://embed.tawk.to https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google.co.in https://*.linkedin.com https://*.clarity.ms https://c.bing.com https://*.cloudflare.com https://cookieyes.com https://*.googleusercontent.com https://*.cookieserve.com https://*.gravatar.com https://www.facebook.com https://i.ytimg.com https://cdn-cookieyes.com https://*.google-analytics.com;object-src 'none'; child-src 'self' https://*.google.com https://js.stripe.com https://www.googletagmanager.com https://*.cloudflare.com https://form.typeform.com https://*.reddit.com https://*.googlesyndication.com https://platform.twitter.com https://*.doubleclick.net https://calendly.com https://embed.reddit.com https://www.youtube.com https://www.facebook.com; frame-ancestors 'self' https://responsivetesttool.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://js.stripe.com https://scatec.io https://cdn-cookieyes.com https://analytics.ahrefs.com https://widget.intercom.io https://*.bing.com https://embed.reddit.com https://js.intercomcdn.com https://www.googleadservices.com https://embed.typeform.com https://*.cloudflare.com https://*.googlesyndication.com https://*.ads-twitter.com https://*.tawk.to https://*.doubleclick.net https://cdnjs.cloudflare.com https://*.calendly.com https://snap.licdn.com https://*.cookieyes.com https://unpkg.com https://cdn.jsdelivr.net https://script.tapfiliate.com https://connect.facebook.net https://cdn.segment.com https://www.google.com https://www.gstatic.com https://*.getresponse.com https://*.clarity.ms https://*.gr-cdn.com https://*.googletagmanager.com https://*.hotjar.com https://*.googleoptimize.com https://*.google-analytics.com;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.googletagmanager.com https://cdn.jsdelivr.net https://embed.typeform.com https://*.tawk.to https://cdnjs.cloudflare.com https://www.gstatic.com https://fonts.bunny.net ;connect-src 'self' https://scatec.io https://www.google.co.in https://frstre.com wss://*.intercom-messenger.com https://*.intercom-messenger.com wss://nexus-websocket-b.intercom.io https://analytics.ahrefs.com https://google.com https://googleads.g.doubleclick.net https://api-iam.intercom.io https://www.googleadservices.com https://uploads.intercomcdn.com wss://nexus-websocket-a.intercom.io https://api.typeform.com https://*.linkedin.com https://*.google.com https://*.tawk.to wss://*.tawk.to https://lottie.host https://*.googlesyndication.com https://*.lottiefiles.com https://*.googletagmanager.com https://*.google-analytics.com https://cdn.linkedin.oribi.io https://*.clarity.ms https://stats.g.doubleclick.net https://api.segment.io https://*.segment.com https://*.cookieserve.com https://*.cookielawinfo.com https://*.getresponse.com https://cdn-cookieyes.com https://log.cookieyes.com https://*.cookieyes.com https://*.hotjar.com https://*.hotjar.io wss://ws.hotjar.com; upgrade-insecure-requests; block-all-mixed-content
Info::
default-src directive is set
Got: default-src 'self' data: https://*.gstatic.com https://*.tawk.to https://*.cloudflare.com https://js.intercomcdn.com https://fonts.intercomcdn.com https://fonts.bunny.net https://*.googlesyndication.com https://*.segment.com https://*.lottiefiles.com https://*.hotjar.com https://www.google.com https://api.segment.io https://*.clarity.ms https://c.bing.com
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://js.stripe.com https://scatec.io https://cdn-cookieyes.com https://analytics.ahrefs.com https://widget.intercom.io https://*.bing.com https://embed.reddit.com https://js.intercomcdn.com https://www.googleadservices.com https://embed.typeform.com https://*.cloudflare.com https://*.googlesyndication.com https://*.ads-twitter.com https://*.tawk.to https://*.doubleclick.net https://cdnjs.cloudflare.com https://*.calendly.com https://snap.licdn.com https://*.cookieyes.com https://unpkg.com https://cdn.jsdelivr.net https://script.tapfiliate.com https://connect.facebook.net https://cdn.segment.com https://www.google.com https://www.gstatic.com https://*.getresponse.com https://*.clarity.ms https://*.gr-cdn.com https://*.googletagmanager.com https://*.hotjar.com https://*.googleoptimize.com https://*.google-analytics.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://js.stripe.com https://scatec.io https://cdn-cookieyes.com https://analytics.ahrefs.com https://widget.intercom.io https://*.bing.com https://embed.reddit.com https://js.intercomcdn.com https://www.googleadservices.com https://embed.typeform.com https://*.cloudflare.com https://*.googlesyndication.com https://*.ads-twitter.com https://*.tawk.to https://*.doubleclick.net https://cdnjs.cloudflare.com https://*.calendly.com https://snap.licdn.com https://*.cookieyes.com https://unpkg.com https://cdn.jsdelivr.net https://script.tapfiliate.com https://connect.facebook.net https://cdn.segment.com https://www.google.com https://www.gstatic.com https://*.getresponse.com https://*.clarity.ms https://*.gr-cdn.com https://*.googletagmanager.com https://*.hotjar.com https://*.googleoptimize.com https://*.google-analytics.com
Info::
No wildcard in script source
Info::
object-src is set to 'none'
Got: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self' https://responsivetesttool.com
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is enabled
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected:
base-uri 'self'Why this matters
Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.
Learn more ▾ ▴
A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.
Source: MDN CSP
form-action restricts where forms can submit data, preventing form hijacking.
Expected:
form-action 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
Parsed Policy
default-src 'self'data:https://*.gstatic.comhttps://*.tawk.tohttps://*.cloudflare.comhttps://js.intercomcdn.comhttps://fonts.intercomcdn.comhttps://fonts.bunny.nethttps://*.googlesyndication.comhttps://*.segment.comhttps://*.lottiefiles.comhttps://*.hotjar.comhttps://www.google.comhttps://api.segment.iohttps://*.clarity.mshttps://c.bing.com
img-src 'self'data:https://*.hotjar.comhttps://*.googleadservices.comhttps://*.gstatic.comhttps://scatec.iohttps://*.bing.comhttps://static.intercomassets.comhttps://js.intercomcdn.comhttps://downloads.intercomcdn.comhttps://www.google.iehttps://www.google.comhttps://*.google.eshttps://*.google.plhttps://*.google.co.ukhttps://*.google.ithttps://*.google.dehttps://*.google.frhttps://*.google.cahttps://*.doubleclick.nethttps://*.twitter.comhttps://t.cohttps://embed.tawk.tohttps://cdn.jsdelivr.nethttps://www.googletagmanager.comhttps://www.google.co.inhttps://*.linkedin.comhttps://*.clarity.mshttps://c.bing.comhttps://*.cloudflare.comhttps://cookieyes.comhttps://*.googleusercontent.comhttps://*.cookieserve.comhttps://*.gravatar.comhttps://www.facebook.comhttps://i.ytimg.comhttps://cdn-cookieyes.comhttps://*.google-analytics.com
object-src 'none'
child-src 'self'https://*.google.comhttps://js.stripe.comhttps://www.googletagmanager.comhttps://*.cloudflare.comhttps://form.typeform.comhttps://*.reddit.comhttps://*.googlesyndication.comhttps://platform.twitter.comhttps://*.doubleclick.nethttps://calendly.comhttps://embed.reddit.comhttps://www.youtube.comhttps://www.facebook.com
frame-ancestors 'self'https://responsivetesttool.com
script-src 'self''unsafe-inline''unsafe-eval'https://static.cloudflareinsights.comhttps://js.stripe.comhttps://scatec.iohttps://cdn-cookieyes.comhttps://analytics.ahrefs.comhttps://widget.intercom.iohttps://*.bing.comhttps://embed.reddit.comhttps://js.intercomcdn.comhttps://www.googleadservices.comhttps://embed.typeform.comhttps://*.cloudflare.comhttps://*.googlesyndication.comhttps://*.ads-twitter.comhttps://*.tawk.tohttps://*.doubleclick.nethttps://cdnjs.cloudflare.comhttps://*.calendly.comhttps://snap.licdn.comhttps://*.cookieyes.comhttps://unpkg.comhttps://cdn.jsdelivr.nethttps://script.tapfiliate.comhttps://connect.facebook.nethttps://cdn.segment.comhttps://www.google.comhttps://www.gstatic.comhttps://*.getresponse.comhttps://*.clarity.mshttps://*.gr-cdn.comhttps://*.googletagmanager.comhttps://*.hotjar.comhttps://*.googleoptimize.comhttps://*.google-analytics.com
style-src 'self''unsafe-inline'https://fonts.googleapis.comhttps://*.googletagmanager.comhttps://cdn.jsdelivr.nethttps://embed.typeform.comhttps://*.tawk.tohttps://cdnjs.cloudflare.comhttps://www.gstatic.comhttps://fonts.bunny.net
connect-src 'self'https://scatec.iohttps://www.google.co.inhttps://frstre.comwss://*.intercom-messenger.comhttps://*.intercom-messenger.comwss://nexus-websocket-b.intercom.iohttps://analytics.ahrefs.comhttps://google.comhttps://googleads.g.doubleclick.nethttps://api-iam.intercom.iohttps://www.googleadservices.comhttps://uploads.intercomcdn.comwss://nexus-websocket-a.intercom.iohttps://api.typeform.comhttps://*.linkedin.comhttps://*.google.comhttps://*.tawk.towss://*.tawk.tohttps://lottie.hosthttps://*.googlesyndication.comhttps://*.lottiefiles.comhttps://*.googletagmanager.comhttps://*.google-analytics.comhttps://cdn.linkedin.oribi.iohttps://*.clarity.mshttps://stats.g.doubleclick.nethttps://api.segment.iohttps://*.segment.comhttps://*.cookieserve.comhttps://*.cookielawinfo.comhttps://*.getresponse.comhttps://cdn-cookieyes.comhttps://log.cookieyes.comhttps://*.cookieyes.comhttps://*.hotjar.comhttps://*.hotjar.iowss://ws.hotjar.com
upgrade-insecure-requests
block-all-mixed-content
DSubresource IntegrityAction1 of 40 external resources have SRIFIX
Subresource Integrity
Action1 of 40 external resources have SRI
1 of 40 external resources have SRI
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=AW-722054727&cx=c>m=4e64h1
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=GT-TQKCLGND&cx=c>m=4e64h1
Warning::
External script from cdn-cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn-cookieyes.com/client_data/e5ee5d26e0341217ffb7eccd/script.js
Info::
script from www.gstatic.com has SRI protection
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-PL4TPCV
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-includes/css/dist/block-library/style.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/style.min.css?ver=1
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/style.css?v=1.0.9&ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/guideline/cy-mega-menu.css?v=1.1.1&ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/guideline/cy-footer.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/bootstrap/css/bootstrap.min.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/owl-carousel.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/guideline/cy-colors.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/guideline/cy-common.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/enlighter/cache/enlighterjs.min.css?ver=STnt0VyWZEifsAH
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/mailin/css/mailin-front.css?ver=6.9.4
Warning::
External script from script.tapfiliate.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://script.tapfiliate.com/tapfiliate.js?ver=6.9.4
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/script.min.js?ver=1
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-includes/js/jquery/jquery.js?ver=3.7.1
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-includes/js/jquery/jquery-migrate.js?ver=3.4.1
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/scan-page/scan.js?ver=6.9.4
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/mailin/js/mailin-front.js?ver=1775846706
Warning::
External script from cdn.by.wonderpush.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.by.wonderpush.com/sdk/1.1/wonderpush-loader.min.js
Warning::
External script from www.gstatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.gstatic.com/charts/loader.js
Warning::
External script from cdnjs.cloudflare.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.9.4/Chart.js
Warning::
External script from analytics.ahrefs.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://analytics.ahrefs.com/analytics.js
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/guideline/cy-typography.css?ver=6.9.4
Warning::
External link from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/css/company-logos.css?ver=6.9.4
Warning::
External script from cdn-cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn-cookieyes.com/client_data/e5ee5d26e0341217ffb7eccd/banner.js
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/bootstrap/js/bootstrap.bundle.min.js
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/popper.min.js
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/custom-js.js?v=2.0.7
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/menu-script.js?v=4.0.6
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/scanner-adlp.js?v=1.0.1
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/jquery.cookie.min.js
Warning::
External script from www.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.google.com/recaptcha/api.js?render=6LfaajQqAAAAALq5rxb3JwYLiV-U1KfT8_BxA5bd&ver=3.0
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-includes/js/dist/vendor/wp-polyfill.js?ver=3.15.0
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.1.5
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/enlighter/cache/enlighterjs.min.js?ver=STnt0VyWZEifsAH
Warning::
External script from www.cookieyes.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.cookieyes.com/wp-content/plugins/add-search-to-menu/public/js/ivory-search.min.js?ver=5.5.14
SRI Coverage 1 / 40 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <script> | www.googletagmanager.com | ✗ Missing |
| <script> | www.googletagmanager.com | ✗ Missing |
| <script> | cdn-cookieyes.com | ✗ Missing |
| <script> | www.gstatic.com | ✓ Protected |
| <script> | www.googletagmanager.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <script> | script.tapfiliate.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | cdn.by.wonderpush.com | ✗ Missing |
| <script> | www.gstatic.com | ✗ Missing |
| <script> | cdnjs.cloudflare.com | ✗ Missing |
| <script> | analytics.ahrefs.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <link> | www.cookieyes.com | ✗ Missing |
| <script> | cdn-cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.google.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
| <script> | www.cookieyes.com | ✗ Missing |
Dsecurity.txtActionNo /.well-known/security.txt publishedFIX
security.txt
ActionNo /.well-known/security.txt published
security.txt
No security.txt found at /.well-known/security.txt
BSecurity Headers6 of 10 headers properly configuredREVIEW
Security Headers
6 of 10 headers properly configured
6 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Warning::
Referrer-Policy has a weak value
Got: no-referrer, strict-origin-when-cross-origin Expected: strict-origin-when-cross-origin
Info::
Permissions-Policy is set
Got: fullscreen=(self), geolocation=*, camera=(),browsing-topics=()
Info::
Content-Security-Policy is present
Got: default-src 'self' data: https://*.gstatic.com https://*.tawk.to https://*.cloud…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: cloudflare
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected:
DENYWhy this matters
Without frame protection, your site can be embedded in a hostile page and used for clickjacking.
Learn more ▾ ▴
Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.
Source: OWASP / MDN
Expected:
strict-origin-when-cross-originWhy this matters
Weak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.
Learn more ▾ ▴
Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).
Source: MDN Referrer-Policy / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected:
same-originWhy this matters
COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
BPermissions-Policy4 directives, 3 missingREVIEW
Permissions-Policy
4 directives, 3 missing
4 directives, 3 missing
Info::
fullscreen=(self)
Info::
geolocation=*
Info::
camera=() — blocked for all origins
Info::
browsing-topics=() — blocked for all origins
Info::
microphone not restricted
Consider adding microphone=() to block microphone access from embedded content.
Info::
payment not restricted
Consider adding payment=() to block payment access from embedded content.
Info::
usb not restricted
Consider adding usb=() to block usb access from embedded content.
Raw Header
fullscreen=(self) geolocation=* camera=() browsing-topics=()
Feature Permissions
Blocked Self Only Unrestricted Not Set
fullscreen Self Only
geolocation Unrestricted
camera Blocked
browsing-topics Blocked
microphone Not Set
payment Not Set
usb Not Set
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
CKnown vulnerability matchesAction4 known vulnerability match(es) against detected techREVIEW
Known vulnerability matches
Action4 known vulnerability match(es) against detected tech
Known Vulnerabilities
| Library | Version | Severity | Summary | Fixed In |
|---|---|---|---|---|
| Bootstrap | 4.0.0 | medium | XSS in collapse data-parent attribute | 4.1.2 |
| Bootstrap | 4.0.0 | medium | XSS in data-container property of tooltip | 4.1.2 |
| Bootstrap | 4.0.0 | medium | XSS in data-target property of scrollspy | 4.1.2 |
| Bootstrap | 4.0.0 | medium | XSS in data-template, data-content and data-title properties of tooltip/popover | 4.3.1 |
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_CHACHA20_POLY1305_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 39 days)
Got: 2026-05-31T09:02:44Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA256
Info::
Certificate covers 2 domain(s)
Got: cookieyes.com, *.cookieyes.com
Info::
Certificate is issued by a trusted CA
Got: CN=WE1,O=Google Trust Services,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_CHACHA20_POLY1305_SHA256
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=cookieyes.comIssuer CN=WE1,O=Google Trust Services,C=USValid 2026-03-02T08:02:51Z → 2026-05-31T09:02:44ZExpires in 39 days SANs cookieyes.com, *.cookieyes.comSignature ECDSA-SHA256Serial 83ae9dd3d866cff513bf98a446277798
Intermediate (CA Certificate)
Subject CN=WE1,O=Google Trust Services,C=USIssuer CN=GTS Root R4,O=Google Trust Services LLC,C=USValid 2023-12-13T09:00:00Z → 2029-02-20T14:00:00ZExpires in 1035 days Signature ECDSA-SHA384Serial 7ff31977972c224a76155d13b6d685e3
Intermediate (CA Certificate)
Subject CN=GTS Root R4,O=Google Trust Services LLC,C=USIssuer CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BEValid 2023-11-15T03:43:21Z → 2028-01-28T00:00:42ZExpires in 646 days Signature SHA256-RSASerial 7fe530bf331343bedd821610493d8a1b
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |
A+Email SecurityDMARC: rejectPASS
Email Security
DMARC: reject
DMARC: reject
Info::
DMARC policy is reject — strongest protection
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; rua=mailto:d2c5ebc54d624ff291a42dfeada0e143@dmarc-reports.cloudflare.net,mailto:dmarc-reports@cookieyes.com; ruf=mailto:dmarc-reports@cookieyes.com; rf=afrf; pct=100; ri=86400; fo=1; sp=none; aspf=r
A+Transport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) supported
The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.