https://le.ac.uk

Security

13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE: 68
GRADE: D
FIX: 5
REVIEW: 3
PASS: 5
INFO: 0
Checks: 13 (5 PASS, 3 REVIEW, 5 FIX)
D
Content Security Policy
Action
4 of 10 CSP checks passed
FIX
4 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self'; style-src 'self' 'unsafe-inline' https://*.le.ac.uk https://test-uol.azorus.com https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://www.clarity.ms https://cdnjs.cloudflare.com https://cdn.curator.io https://embedsocial.com https://www.findaphd.com https://fonts.googleapis.com https://www.gstatic.com https://meetandengage.com https://*.flockler.com https://*.flockler.app https://tagmanager.google.com https://www.googletagmanager.com https://*.ttl.ai https://bbox.blackbaudhosting.com https://cdn-images.mailchimp.com; img-src 'self' blob: data: https://track.adform.net https://s2.adform.net https://c.bing.com https://pool.adizio.com https://c.clarity.ms https://test-uol.azorus.com https://*.spotify.com https://pool.a872.com https://*.adnxs.com https://cdn.curator.io https://*.cdninstagram.com https://*.doubleclick.net https://connect.facebook.net https://discoveruni.gov.uk https://www.facebook.com https://*.fbcdn.net https://www.findaphd.com https://*.flockler.com https://flockler.com https://*.flockler.app https://*.google.com https://www.google.com https://www.google.co.uk https://googleads.g.doubleclick.net https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://*.gstatic.com https://i.ytimg.com https://www.instagram.com https://le.ac.uk https://www.linkedin.com https://livestream.com https://meetandengage.com https://pbs.twimg.com https://px.ads.linkedin.com https://*.rackcdn.com https://*.scdn1.secure.raxcdn.com https://stats.g.doubleclick.net https://t.co https://www.tag4arm.com https://*.twitter.com/ https://ads.brandadvance.co.uk/ https://*.monsido.com https://*.googlesyndication.com https://*.quantserve.com https://*.tiktokcdn.com https://tracking.audio.thisisdax.com https://*.quora.com https://alb.reddit.com https://pixel-config.reddit.com https://www.fundraisingregulator.org.uk https://ade.clmbtech.com/cde/eventTracking.htm https://bbox.blackbaudhosting.com https://*.ads.linkedin.com https://digitalasset.intuit.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://*.le.ac.uk https://test-uol.azorus.com https://track.adform.net https://s2.adform.net https://cdn.botframework.com/botframework-webchat/ https://unpkg.com/react@17.0.2/umd/react.production.min.js https://unpkg.com/react-dom@17.0.2/umd/react-dom.production.min.js https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://acdn.adnxs.com/dmp/up/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://libraryhelp.le.ac.uk https://ajax.googleapis.com https://www.clarity.ms https://cdn.curator.io https://cc.cdn.civiccomputing.com https://cdnjs.cloudflare.com https://cdn.oribi.io https://cdn.unibuddy.co https://connect.facebook.net https://discoveruni.gov.uk https://dnn506yrbagrg.cloudfront.net https://embedsocial.com https://fl-cdn.scdn1.secure.raxcdn.com https://www.findaphd.com https://*.flockler.com https://flockler.embed.codes https://*.flockler.app https://googleads.g.doubleclick.net https://tagmanager.google.com https://www.googleadservices.com https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://www.gstatic.com https://*.hotjar.com https://*.ibytedtos.com https://www.linkedin.com https://meetandengage.com https://popcard.unibuddy.co https://px.ads.linkedin.com https://s.ytimg.com https://s0.ipstatp.com https://sc-static.net https://snap.licdn.com https://static.ads-twitter.com https://www.tagarm.com https://*.tiktok.com https://*.twitter.com https://widget.discoveruni.gov.uk https://widget.unistats.ac.uk https://www.youtube.com https://*.dotdigital-pages.com https://*.dotdigital-pages.com https://unpkg.com/acs_webchat-chat-adapter@0.0.35-beta.20/dist/chat-adapter.js https://*.monsido.com https://*.ttl.ai https://*.quantserve.com https://*.quantcount.com https://c.amazon-adsystem.com https://tr.snapchat.com https://*.quora.com https://www.redditstatic.com https://bbox.blackbaudhosting.com https://www.google.com/recaptcha/api.js https://widget.surveymonkey.com; frame-src 'self' https://*.le.ac.uk https://test-uol.azorus.com https://oc-cdn-public-gbr.azureedge.net https://*.spotify.com https://iframe.dacast.com https://sketchfab.com https://embedsocial.com https://www.facebook.com https://*.flipsnack.com https://*.doubleclick.net https://forms.office.com https://www.google.com https://www.googleapis.com https://www97.lamp.le.ac.uk https://libservices.le.ac.uk https://leicester.cloud.panopto.eu https://livestream.com https://www.linkedin.com https://www.le.ac.uk https://meetandengage.com https://myleicester.le.ac.uk https://podcasts.le.ac.uk https://popcard.unibuddy.co https://w.soundcloud.com https://static.ads-twitter.com https://staticxx.facebook.com https://www.tag4arm.com https://tourmkr.com https://platform.twitter.com https://tr.snapchat.com https://unibuddy.co https://*.hotjar.com https://www.viewmake.com https://widget.unistats.ac.uk https://www.youtube.com https://www.youtube-nocookie.com https://momento360.com https://*.dotdigital-pages.com https://comms.omnichannelengagementhub.com https://analytics.tiktok.com https://www.googletagmanager.com https://www.tiktok.com https://aax-eu.amazon-adsystem.com https://vimeo.com https://player.vimeo.com https://c.amazon-adsystem.com/aat/amzn.js https://cdn2.yoshki.com https://bbox.blackbaudhosting.com https://widget.surveymonkey.com; frame-ancestors 'self'; connect-src 'self' blob: https://azfa-sitecorebotdv.azurewebsites.net/ https://azfa-sitecorebotapite.azurewebsites.net/ https://directline.botframework.com wss://directline.botframework.com https://*.microsoft.com https://*.omnichannelengagementhub.com https://*.clarity.ms https://*.le.ac.uk https://*.spotify.com https://apikeys.civiccomputing.com https://api.curator.io https://*.g.doubleclick.net https://*.googlesyndication.com https://www.facebook.com https://*.flockler.com https://*.flockler.app https://*.google.com https://*.google-analytics.com https://www.googleapis.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://www9.lamp.le.ac.uk https://gw.oribi.io https://prod-discoveruni.azure-api.net https://widgetapiv2.azurewebsites.net https://tr.snapchat.com https://www.tag4arm.com https://analytics.tiktok.com https://tourmkr.com https://ekr.zdassets.com https://*.dotdigital-pages.com https://*.trouter.skype.com wss://*.trouter.skype.com https://edge.skype.com https://*.communication.azure.com https://ib.adnxs.com https://acdn.adnxs.com https://*.monsido.com https://*.ttl.ai https://*.snapchat.com https://aax-eu.amazon-adsystem.com https://ara.paa-reporting-advertising.amazon https://px.ads.linkedin.com https://ddlnk.net https://*.quora.com https://pixel-config.reddit.com https://www.redditstatic.com https://conversions-config.reddit.com https://ad.doubleclick.net https://pixel.quantserve.com https://c.amazon-adsystem.com/aat/amzn.js https://mpc-prod-11-s6uit34pua-uc.a.run.app https://demo-1.conversionsapigateway.com wss://pub-ent-euno-13-t.trouter.teams.microsoft.com https://analytics-ipv6.tiktokw.us https://mpc-prod-24-s6uit34pua-uw.a.run.app https://www.googletagmanager.com https://www.googleadservices.com https://www.google.co.uk; font-src 'self' data: https://maxcdn.bootstrapcdn.com https://cdn.curator.io https://fonts.gstatic.com https://le.ac.uk https://meetandengage.com https://*.hotjar.com; object-src 'self' https://*.spotify.com https://forms.office.com; media-src 'self' https://le.ac.uk https://*.le.ac.uk https://*.spotify.com https://pool.a8723.com https://*.fbcdn.net https://*.xx.fbcdn.net https://*.flockler.com https://*.flockler.app https://*.cdninstagram.com https://video.twimg.com https://videos.dailymail.co.uk; upgrade-insecure-requests
Info::
default-src directive is set
Got: default-src 'self'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://*.le.ac.uk https://test-uol.azorus.com https://track.adform.net https://s2.adform.net https://cdn.botframework.com/botframework-webchat/ https://unpkg.com/react@17.0.2/umd/react.production.min.js https://unpkg.com/react-dom@17.0.2/umd/react-dom.production.min.js https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://acdn.adnxs.com/dmp/up/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://libraryhelp.le.ac.uk https://ajax.googleapis.com https://www.clarity.ms https://cdn.curator.io https://cc.cdn.civiccomputing.com https://cdnjs.cloudflare.com https://cdn.oribi.io https://cdn.unibuddy.co https://connect.facebook.net https://discoveruni.gov.uk https://dnn506yrbagrg.cloudfront.net https://embedsocial.com https://fl-cdn.scdn1.secure.raxcdn.com https://www.findaphd.com https://*.flockler.com https://flockler.embed.codes https://*.flockler.app https://googleads.g.doubleclick.net https://tagmanager.google.com https://www.googleadservices.com https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://www.gstatic.com https://*.hotjar.com https://*.ibytedtos.com https://www.linkedin.com https://meetandengage.com https://popcard.unibuddy.co https://px.ads.linkedin.com https://s.ytimg.com https://s0.ipstatp.com https://sc-static.net https://snap.licdn.com https://static.ads-twitter.com https://www.tagarm.com https://*.tiktok.com https://*.twitter.com https://widget.discoveruni.gov.uk https://widget.unistats.ac.uk https://www.youtube.com https://*.dotdigital-pages.com https://*.dotdigital-pages.com https://unpkg.com/acs_webchat-chat-adapter@0.0.35-beta.20/dist/chat-adapter.js https://*.monsido.com https://*.ttl.ai https://*.quantserve.com https://*.quantcount.com https://c.amazon-adsystem.com https://tr.snapchat.com https://*.quora.com https://www.redditstatic.com https://bbox.blackbaudhosting.com https://www.google.com/recaptcha/api.js https://widget.surveymonkey.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://*.le.ac.uk https://test-uol.azorus.com https://track.adform.net https://s2.adform.net https://cdn.botframework.com/botframework-webchat/ https://unpkg.com/react@17.0.2/umd/react.production.min.js https://unpkg.com/react-dom@17.0.2/umd/react-dom.production.min.js https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://acdn.adnxs.com/dmp/up/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://libraryhelp.le.ac.uk https://ajax.googleapis.com https://www.clarity.ms https://cdn.curator.io https://cc.cdn.civiccomputing.com https://cdnjs.cloudflare.com https://cdn.oribi.io https://cdn.unibuddy.co https://connect.facebook.net https://discoveruni.gov.uk https://dnn506yrbagrg.cloudfront.net https://embedsocial.com https://fl-cdn.scdn1.secure.raxcdn.com https://www.findaphd.com https://*.flockler.com https://flockler.embed.codes https://*.flockler.app https://googleads.g.doubleclick.net https://tagmanager.google.com https://www.googleadservices.com https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://www.gstatic.com https://*.hotjar.com https://*.ibytedtos.com https://www.linkedin.com https://meetandengage.com https://popcard.unibuddy.co https://px.ads.linkedin.com https://s.ytimg.com https://s0.ipstatp.com https://sc-static.net https://snap.licdn.com https://static.ads-twitter.com https://www.tagarm.com https://*.tiktok.com https://*.twitter.com https://widget.discoveruni.gov.uk https://widget.unistats.ac.uk https://www.youtube.com https://*.dotdigital-pages.com https://*.dotdigital-pages.com https://unpkg.com/acs_webchat-chat-adapter@0.0.35-beta.20/dist/chat-adapter.js https://*.monsido.com https://*.ttl.ai https://*.quantserve.com https://*.quantcount.com https://c.amazon-adsystem.com https://tr.snapchat.com https://*.quora.com https://www.redditstatic.com https://bbox.blackbaudhosting.com https://www.google.com/recaptcha/api.js https://widget.surveymonkey.com
Info::
No wildcard in script source
Warning::
object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src 'self' https://*.spotify.com https://forms.office.com
Expected: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is enabled

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'
Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Without form-action, a hijacked or injected form can submit user-entered data to another origin, exposing your site and users to attacks and eroding trust.

Parsed Policy

default-src 'self'
style-src 'self' 'unsafe-inline' https://*.le.ac.uk https://test-uol.azorus.com https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://www.clarity.ms https://cdnjs.cloudflare.com https://cdn.curator.io https://embedsocial.com https://www.findaphd.com https://fonts.googleapis.com https://www.gstatic.com https://meetandengage.com https://*.flockler.com https://*.flockler.app https://tagmanager.google.com https://www.googletagmanager.com https://*.ttl.ai https://bbox.blackbaudhosting.com https://cdn-images.mailchimp.com
img-src 'self' blob: data: https://track.adform.net https://s2.adform.net https://c.bing.com https://pool.adizio.com https://c.clarity.ms https://test-uol.azorus.com https://*.spotify.com https://pool.a872.com https://*.adnxs.com https://cdn.curator.io https://*.cdninstagram.com https://*.doubleclick.net https://connect.facebook.net https://discoveruni.gov.uk https://www.facebook.com https://*.fbcdn.net https://www.findaphd.com https://*.flockler.com https://flockler.com https://*.flockler.app https://*.google.com https://www.google.com https://www.google.co.uk https://googleads.g.doubleclick.net https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://*.gstatic.com https://i.ytimg.com https://www.instagram.com https://le.ac.uk https://www.linkedin.com https://livestream.com https://meetandengage.com https://pbs.twimg.com https://px.ads.linkedin.com https://*.rackcdn.com https://*.scdn1.secure.raxcdn.com https://stats.g.doubleclick.net https://t.co https://www.tag4arm.com https://*.twitter.com/ https://ads.brandadvance.co.uk/ https://*.monsido.com https://*.googlesyndication.com https://*.quantserve.com https://*.tiktokcdn.com https://tracking.audio.thisisdax.com https://*.quora.com https://alb.reddit.com https://pixel-config.reddit.com https://www.fundraisingregulator.org.uk https://ade.clmbtech.com/cde/eventTracking.htm https://bbox.blackbaudhosting.com https://*.ads.linkedin.com https://digitalasset.intuit.com
script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://*.le.ac.uk https://test-uol.azorus.com https://track.adform.net https://s2.adform.net https://cdn.botframework.com/botframework-webchat/ https://unpkg.com/react@17.0.2/umd/react.production.min.js https://unpkg.com/react-dom@17.0.2/umd/react-dom.production.min.js https://oc-cdn-public-gbr.azureedge.net/livechatwidget/ https://acdn.adnxs.com/dmp/up/ https://*.spotify.com https://sketchfab.com https://le.ac.uk https://libraryhelp.le.ac.uk https://ajax.googleapis.com https://www.clarity.ms https://cdn.curator.io https://cc.cdn.civiccomputing.com https://cdnjs.cloudflare.com https://cdn.oribi.io https://cdn.unibuddy.co https://connect.facebook.net https://discoveruni.gov.uk https://dnn506yrbagrg.cloudfront.net https://embedsocial.com https://fl-cdn.scdn1.secure.raxcdn.com https://www.findaphd.com https://*.flockler.com https://flockler.embed.codes https://*.flockler.app https://googleads.g.doubleclick.net https://tagmanager.google.com https://www.googleadservices.com https://*.google-analytics.com https://www.googleapis.com https://www.googletagmanager.com https://www.gstatic.com https://*.hotjar.com https://*.ibytedtos.com https://www.linkedin.com https://meetandengage.com https://popcard.unibuddy.co https://px.ads.linkedin.com https://s.ytimg.com https://s0.ipstatp.com https://sc-static.net https://snap.licdn.com https://static.ads-twitter.com https://www.tagarm.com https://*.tiktok.com https://*.twitter.com https://widget.discoveruni.gov.uk https://widget.unistats.ac.uk https://www.youtube.com https://*.dotdigital-pages.com https://*.dotdigital-pages.com https://unpkg.com/acs_webchat-chat-adapter@0.0.35-beta.20/dist/chat-adapter.js https://*.monsido.com https://*.ttl.ai https://*.quantserve.com https://*.quantcount.com https://c.amazon-adsystem.com https://tr.snapchat.com https://*.quora.com https://www.redditstatic.com https://bbox.blackbaudhosting.com https://www.google.com/recaptcha/api.js https://widget.surveymonkey.com
frame-src 'self' https://*.le.ac.uk https://test-uol.azorus.com https://oc-cdn-public-gbr.azureedge.net https://*.spotify.com https://iframe.dacast.com https://sketchfab.com https://embedsocial.com https://www.facebook.com https://*.flipsnack.com https://*.doubleclick.net https://forms.office.com https://www.google.com https://www.googleapis.com https://www97.lamp.le.ac.uk https://libservices.le.ac.uk https://leicester.cloud.panopto.eu https://livestream.com https://www.linkedin.com https://www.le.ac.uk https://meetandengage.com https://myleicester.le.ac.uk https://podcasts.le.ac.uk https://popcard.unibuddy.co https://w.soundcloud.com https://static.ads-twitter.com https://staticxx.facebook.com https://www.tag4arm.com https://tourmkr.com https://platform.twitter.com https://tr.snapchat.com https://unibuddy.co https://*.hotjar.com https://www.viewmake.com https://widget.unistats.ac.uk https://www.youtube.com https://www.youtube-nocookie.com https://momento360.com https://*.dotdigital-pages.com https://comms.omnichannelengagementhub.com https://analytics.tiktok.com https://www.googletagmanager.com https://www.tiktok.com https://aax-eu.amazon-adsystem.com https://vimeo.com https://player.vimeo.com https://c.amazon-adsystem.com/aat/amzn.js https://cdn2.yoshki.com https://bbox.blackbaudhosting.com https://widget.surveymonkey.com
frame-ancestors 'self'
connect-src 'self' blob: https://azfa-sitecorebotdv.azurewebsites.net/ https://azfa-sitecorebotapite.azurewebsites.net/ https://directline.botframework.com wss://directline.botframework.com https://*.microsoft.com https://*.omnichannelengagementhub.com https://*.clarity.ms https://*.le.ac.uk https://*.spotify.com https://apikeys.civiccomputing.com https://api.curator.io https://*.g.doubleclick.net https://*.googlesyndication.com https://www.facebook.com https://*.flockler.com https://*.flockler.app https://*.google.com https://*.google-analytics.com https://www.googleapis.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://www9.lamp.le.ac.uk https://gw.oribi.io https://prod-discoveruni.azure-api.net https://widgetapiv2.azurewebsites.net https://tr.snapchat.com https://www.tag4arm.com https://analytics.tiktok.com https://tourmkr.com https://ekr.zdassets.com https://*.dotdigital-pages.com https://*.trouter.skype.com wss://*.trouter.skype.com https://edge.skype.com https://*.communication.azure.com https://ib.adnxs.com https://acdn.adnxs.com https://*.monsido.com https://*.ttl.ai https://*.snapchat.com https://aax-eu.amazon-adsystem.com https://ara.paa-reporting-advertising.amazon https://px.ads.linkedin.com https://ddlnk.net https://*.quora.com https://pixel-config.reddit.com https://www.redditstatic.com https://conversions-config.reddit.com https://ad.doubleclick.net https://pixel.quantserve.com https://c.amazon-adsystem.com/aat/amzn.js https://mpc-prod-11-s6uit34pua-uc.a.run.app https://demo-1.conversionsapigateway.com wss://pub-ent-euno-13-t.trouter.teams.microsoft.com https://analytics-ipv6.tiktokw.us https://mpc-prod-24-s6uit34pua-uw.a.run.app https://www.googletagmanager.com https://www.googleadservices.com https://www.google.co.uk
font-src 'self' data: https://maxcdn.bootstrapcdn.com https://cdn.curator.io https://fonts.gstatic.com https://le.ac.uk https://meetandengage.com https://*.hotjar.com
object-src 'self' https://*.spotify.com https://forms.office.com
media-src 'self' https://le.ac.uk https://*.le.ac.uk https://*.spotify.com https://pool.a8723.com https://*.fbcdn.net https://*.xx.fbcdn.net https://*.flockler.com https://*.flockler.app https://*.cdninstagram.com https://video.twimg.com https://videos.dailymail.co.uk
upgrade-insecure-requests
F
Subresource Integrity
Action
0 of 13 external resources have SRI
FIX
0 of 13 external resources have SRI
Warning::
External script from heatmaps.monsido.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //heatmaps.monsido.com/v1/heatmaps.js
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/s/player/1bb6ee63/www-widgetapi.vflset/www-widgetapi.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-W83BQNGGJ6&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=DC-13730620&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=DC-8076770&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=AW-16683890274&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=DC-14868017&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-3J1ZEVD70P&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-ND9NQP
Warning::
External script from cdn.unibuddy.co lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.unibuddy.co/unibuddy-carousel.js
Warning::
External script from cc.cdn.civiccomputing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cc.cdn.civiccomputing.com/9/cookieControl-9.x.min.js
Warning::
External script from app-script.monsido.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://app-script.monsido.com/v2/monsido-script.js
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/iframe_api
SRI Coverage 0 / 13 of external resources have integrity hashes
Tag      | Domain                     | Integrity
<script> | heatmaps.monsido.com       | Missing
<script> | www.youtube.com            | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | www.googletagmanager.com   | Missing
<script> | cdn.unibuddy.co            | Missing
<script> | cc.cdn.civiccomputing.com  | Missing
<script> | app-script.monsido.com     | Missing
<script> | www.youtube.com            | Missing
D
Email Security
Action
DMARC: none
FIX
DMARC: none
Warning::
DMARC policy is none — monitoring only
This only monitors; it doesn't block spoofed emails. Change to p=quarantine or p=reject.
DMARC
Policy: none — monitoring only, does not block spoofing
Record: v=DMARC1; p=none; rua=mailto:dmarc@le.ac.uk

This only monitors; it doesn't block spoofed emails. Change to p=quarantine or p=reject.

Why this matters

DMARC p=none collects reports but doesn't actually block spoofed mail — phishing emails still reach inboxes.

Learn more

DMARC's three policies are p=none (monitor only), p=quarantine (mark as spam), and p=reject (bounce). Most domains start at p=none to gather data, but stay there forever, leaving spoofers unblocked. After 30 days of clean DMARC reports, graduate to p=quarantine, then p=reject.

Source: DMARC.org / NIST

D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
D
security.txt
Action
No /.well-known/security.txt published
FIX

security.txt

No security.txt found at /.well-known/security.txt

C
Security Headers
Action
5 of 10 headers properly configured
REVIEW
5 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31536000
Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Info::
Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self'; style-src 'self' 'unsafe-inline' https://*.le.ac.uk https:/…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: WebServer

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY
Why this matters

Without frame protection, your site can be embedded in a hostile page and used for clickjacking.

Learn more

Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.

Source: OWASP / MDN

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
C
Known vulnerability matches
Action
6 known vulnerability match(es) against detected tech
REVIEW

Known Vulnerabilities

Library | Version | Severity | Summary | Fixed In
jQuery | 1.12.4 | medium | parseHTML() executes scripts in event handlers | 2.2.0
jQuery | 1.12.4 | low | jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates | 2.999.999
jQuery | 1.12.4 | medium | 3rd party CORS request may execute | 3.0.0-beta1
jQuery | 1.12.4 | medium | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution | 3.4.0
jQuery | 1.12.4 | medium | passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. | 3.5.0
jQuery | 1.12.4 | medium | Regex in its jQuery.htmlPrefilter sometimes may introduce XSS | 3.5.0
A+
TLS & Certificates
TLS 1.2, 7 checks passed
PASS
TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 63 days)
Got: 2026-06-25T17:37:57Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 1 domain(s)
Got: le.ac.uk
Info::
Certificate is issued by a trusted CA
Got: CN=R12,O=Let's Encrypt,C=US

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.2
Cipher Suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject: CN=le.ac.uk
Issuer: CN=R12,O=Let's Encrypt,C=US
Valid: 2026-03-27T17:37:58Z → 2026-06-25T17:37:57Z (expires in 63 days)
SANs: le.ac.uk
Signature: SHA256-RSA
Serial: 6c89b53e147e83b620f4372ffd3115ed22e
Intermediate (CA Certificate)
Subject: CN=R12,O=Let's Encrypt,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Valid: 2024-03-13T00:00:00Z → 2027-03-12T23:59:59Z (expires in 324 days)
Signature: SHA256-RSA
Serial: c212324b70a9b49171dc40f7e285263c
A+
Cookie Security
3 cookies analyzed, 8 checks passed
PASS
3 cookies analyzed, 8 checks passed
Info::
Cookie 'shell#lang' has the Secure flag
Warning::
Cookie 'shell#lang' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Info::
Cookie 'shell#lang' has SameSite=None
Info::
Cookie 'ASP.NET_SessionId' has the Secure flag
Info::
Cookie 'ASP.NET_SessionId' has the HttpOnly flag
Info::
Cookie 'ASP.NET_SessionId' has SameSite=Lax
Info::
Cookie 'SC_ANALYTICS_GLOBAL_COOKIE' has the Secure flag
Info::
Cookie 'SC_ANALYTICS_GLOBAL_COOKIE' has the HttpOnly flag
Info::
Cookie 'SC_ANALYTICS_GLOBAL_COOKIE' has SameSite=None
3 cookies analyzed, 1 warning
Name | Secure | HttpOnly | SameSite | Size | Issues
shell#lang | yes | no | None | 12 B | 1
ASP.NET_SessionId | yes | yes | Lax | 41 B | none
SC_ANALYTICS_GLOBAL_COOKIE | yes | yes | None | 64 B | none
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path | Status | Category | Risk
/.git/HEAD | Not found | Version Control |
/.git/config | Not found | Version Control |
/.svn/entries | Not found | Version Control |
/.env | Not found | Configuration |
/.env.local | Not found | Configuration |
/.env.production | Not found | Configuration |
/wp-config.php | Not found | Configuration |
/.htaccess | Not found | Configuration |
/phpinfo.php | Not found | Debug |
/server-status | Not found | Debug |
/server-info | Not found | Debug |
/.well-known/security.txt | Not found | Security Policy |
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (base policy)
Info::
HSTS missing includeSubDomains
Without includeSubDomains, HSTS only protects the exact domain.
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.
