- Scan ID:
- 1d533599-1166-49b6-adf2-a7d583a0474fFinished
- Submitted URL:
- https://www.bbc.co.uk/bitesize/topics/zvsc7ty/watch/z9tpsbk
- Report Finished:
Risks · 0 found
Copy linkPractices that may pose security risks
Security Headers · 8 found
Copy linkHTTP response headers that can harden the security of a web application
Learn more...| Name | Value | Support | Info |
|---|---|---|---|
| Strict-Transport-Security | max-age=31536000; preload | Good | Declare that a website is only accessible over a secure connection (HTTPS). Click to learn more... |
| X-Frame-Options | DENY | Good | Indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Click to learn more... |
| X-Content-Type-Options | nosniff | Good | Indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. Click to learn more... |
| Content-Security-Policy | default-src 'none'; script-src 'strict-dynamic' 'nonce-m6ACwms6WloBJ7AxYqNaGvjKEcEtHWD7NnJsYOdkAbaKoir7YY' 'self' 'report-sample' 'unsafe-inline' assets.wearehearken.eu cdn.syndication.twimg.com connect.facebook.net c.files.bbci.co.uk emp.bbci.co.uk ems.wearehearken.eu modules.wearehearken.eu mybbc-analytics.files.bbci.co.uk nav.files.bbci.co.uk news.files.bbci.co.uk platform.twitter.com public.flourish.studio static.bbc.co.uk static.bbci.co.uk static.chartbeat.com static2.chartbeat.com www.bbc.co.uk www.instagram.com www.ons.gov.uk gn-web-assets.api.bbc.com www.google-analytics.com bitesize.files.bbci.co.uk www.tiktok.com lf16-tiktok-web.ttwstatic.com static.files.bbci.co.uk; img-src 'self' https: data:; font-src c.files.bbci.co.uk gel.files.bbci.co.uk static.files.bbci.co.uk static.bbci.co.uk news.files.bbci.co.uk ws-downloads.files.bbci.co.uk bitesize.files.bbci.co.uk; style-src branding.files.bbci.co.uk cdn.riddle.com flo.uri.sh news.files.bbci.co.uk platform.twitter.com static.bbc.co.uk static.bbci.co.uk static.files.bbci.co.uk ton.twimg.com www.riddle.com 'unsafe-inline' lf16-tiktok-web.ttwstatic.com; frame-src 'self' bbc001.carto.com bbc003.carto.com bbc-maps.carto.com cdn.riddle.com chartbeat.com emp.bbc.co.uk emp.bbc.com flo.uri.sh graphics.reuters.com www.reuters.com graphics.thomsonreuters.com dynamic.mc-cdn.io vapi.mc-cdn.io vapi.beta.mc-cdn.io elections.mapcreator.io elections.beta.mapcreator.io cdn.mapcreator.io m.facebook.com news.files.bbci.co.uk personaltaxcalculator2.deloittecloud.co.uk platform.twitter.com public.flourish.studio static2.chartbeat.com syndication.twitter.com web.facebook.com www.bbc.co.uk www.facebook.com www.instagram.com www.tiktok.com www.ons.gov.uk www.riddle.com bbc-squares-dev.low6.com bbc-squares-prod.low6.com www.youtube.com www.youtube-nocookie.com uk-script.dotmetrics.net ssp-app-uk.votenow.tv ssp-app-uktest.votenow.tv ssp-app-ukbench.votenow.tv session.test.bbc.co.uk session.bbc.co.uk session.stage.bbc.co.uk bitesize.files.bbci.co.uk; object-src 'none'; manifest-src static.files.bbci.co.uk bitesize.files.bbci.co.uk; media-src 'self' blob: https:; connect-src 'self' https:; child-src blob:; base-uri 'none'; form-action 'self' platform.twitter.com syndication.twitter.com uk-script.dotmetrics.net/DeviceInfo.dotmetrics; frame-ancestors 'none'; upgrade-insecure-requests; report-to default; report-uri https://webcore.bbc-reporting-api.app/report-endpoint; | Good | Control resources the user agent is allowed to load for a given page. Click to learn more... |
| Referrer-Policy | strict-origin-when-cross-origin | Good | Control how much referrer information should be included with requests. Click to learn more... |
| Clear-Site-Data | — | Good | Control the data stored by a client browser for their origins. Click to learn more... |
| X-Permitted-Cross-Domain-Policies | — | Good | Control whether a web client such as Adobe Flash Player or Adobe Acrobat has permission to handle data across domains. Click to learn more... |
| Permissions-Policy | accelerometer=(); autoplay=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"); camera=(); document-domain=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"); encrypted-media=(); fullscreen=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"); geolocation=(); gyroscope=(); magnetometer=(); microphone=(); midi=(); payment=(); picture-in-picture=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"); screen-wake-lock=(); sync-xhr=(self); usb=(); xr-spatial-tracking=(); join-ad-interest-group=(); run-ad-auction=() | New | Allow and deny the use of browser features in a document or iframe. Click to learn more... |
| Cross-Origin-Embedder-Policy | — | New | Configure embedding cross-origin resources into the document. Click to learn more... |
| Cross-Origin-Opener-Policy | — | New | Ensure a top-level document does not share a browsing context group with cross-origin documents. Click to learn more... |
| Cross-Origin-Resource-Policy | — | New | Request that the browser blocks no-cors cross-origin/cross-site requests to the given resource. Click to learn more... |
| X-XSS-Protection | 1; mode=block | Deprecated | Deprecated. Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Click to learn more... |
| Feature-Policy | accelerometer 'none'; autoplay 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; camera 'none'; document-domain 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; encrypted-media 'none'; fullscreen 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; screen-wake-lock 'none'; sync-xhr 'self'; usb 'none'; xr-spatial-tracking 'none' | Deprecated | Deprecated. Replaced by the Permissions-Policy header. Click to learn more... |
| Expect-CT | — | Deprecated | Deprecated. Opt in to reporting and/or enforcement of Certificate Transparency requirements. Click to learn more... |
| Public-Key-Pins | — | Deprecated | Deprecated. Allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Click to learn more... |
Security Violations · 0 found
Copy linkRequests or resources offending security policies
Certificates · 8 found
Copy linkSSL/TLS Certificates enable websites to encrypt transactions between the client and the server and provide server identity verification
| Subject | Issue date | Expiry date |
|---|---|---|
| www.bbc.com | ||
| www.bbc.co.uk | ||
| cdn.optimizely.com | ||
| *.dotmetrics.net | ||
| *.chartbeat.com | ||
| *.api.bbc.co.uk | ||
| a1.api.bbc.co.uk | ||
| *.chartbeat.net |