Results for

Check again2017-11-18 10:58:23 Etc/UTC

Input URL:

Final URL:

The server ( appears to have been located in Germany during our test.

Please note that some sites use CDNs – content delivery networks – in which case the server location might vary depending on the location of the visitor. This tool, Webbkoll, is currently on a server in France.

Insecure connection does not use HTTPS by default.

HTTPS encrypts nearly all information sent between a client and a web service. Properly configured, it guarantees three things:

  • Confidentiality. The visitor's connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
  • Authenticity. The visitor is talking to the "real" website, and not to an impersonator or through a "man-in-the-middle".
  • Integrity. The data sent between the visitor and the website has not been tampered with or modified.

A plain HTTP connection can be easily monitored, modified, and impersonated. Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace.

The goal of the Internet community is to establish encryption as the norm, and to phase out unencrypted connections. See W3C, IETF, IAB. Also:

  • Browsers support HTTP/2 — which improves page loading speeds — only over encrypted connections.
  • Google Chrome (1, 2) and Mozilla Firefox (1) will mark plain HTTP as affirmatively non-secure and make powerful features impossible to use on non-secure sites.
  • Google has begun to favor HTTPS websites in search rankings.

To enable HTTPS on a website, a certificate for the domain needs to be installed on the web server. To get a certificate that browsers will trust, you need one issued by a trusted certificate authority (otherwise a visitor's browser will show a warning).

Let's Encrypt is a non-profit certificate authority (sponsored by Mozilla, EFF, Cisco, Facebook and others) providing free domain-validated (DV) certificates through an easy, automated process.

To get a DV certificate, you only need to prove that you control the domain. To get an Extended Validation (EV) certificate, you must pass a more thorough identity verification process.

There is no difference in encryption between DV and EV certificates, but they are typically displayed differently in browsers. EV certificates generally result in the domain owner's name appearing in the browser URL bar that visitors see.

DV certificates are the most common. Let's Encrypt only issues DV certificates.

Referrers leaked

When you click a link, your browser will typically send the HTTP referer [sic] header to the webserver where the destination webpage is at. The header contains the full URL of the page you came from. This lets sites see where traffic comes from. The header is also sent when external resources (such as images, fonts, JS and CSS) are loaded.

The referrer header is privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.

Let's say you're logged in on Facebook. You visit a page with the URL On that page, you click a link to their Facebook page. Your browser then sends Referer: to, along with your Facebook cookies, allowing Facebook to associate your identity with that particular page.

The problem is made worse by the fact that many websites load resources like images and scripts from dozens of third-parties, sending referrer information to all of them, with the typical visitor having no idea that this is happening.

Thanks to a fairly recent development, Referrer Policy, it's finally possible for websites to tell browsers to not leak referrers. It lets you specify a policy that's applied to all links clicked, as well as all other requests generated by the page (images, JS, etc.).

A few different policies are offered, such as origin (strips everything except the origin) and origin-when-cross-origin (sends full URL with same-origin requests, otherwise stripped). We recommend no-referrer, which kills the referrer header entirely for all requests, no matter the destination; or same-origin, which kills the referrer for third-party requests but not for requests to the same origin.

A referrer policy can easily be set with a <meta> element in your HTML. Simply include this inside the <head> section:

<meta name="referrer" content="no-referrer">

While still a work in progress, Referrer Policy is now supported by all major browsers (except Internet Explorer, although it is supported by Edge, the new browser in Windows 10).

Third-party services

The site is loading libraries from one or more CDN:s.

Self-host the files.

The site is using Google Analytics. While this is a powerful tool, we think you should respect your users' privacy and not tell Google about them — at least not without your users' consent.

Piwik is an excellent alternative. It's free software (PHP & MySQL) and you run it on your own server, meaning you are in control of the data. It offers various privacy settings and, unlike Google Analytics, it can be used without cookies. (While analytics might be considered essential by some websites, another alternative is don't track people just because you can. Visitors do not, in fact, have an implicit obligation to help you optimize things.)

First-party cookies

12 first-party cookies.

DomainNameValueExpires on
.spiegel.de_parsely_visitor{%22id%22:%22e51c9a3...2019-11-18 10:58:20Z
.spiegel.de_parsely_session{%22sid%22:1%2C%22su...2017-11-18 11:28:20Z
.spiegel.de_gat12017-11-18 10:59:09Z
.spiegel.demx_nam_id15c6ca4e-03e5-433d-8...2017-12-18 10:58:08Z
.spiegel.de_gidGA1.2.78388850.15110...2017-11-19 10:58:08Z
.spiegel.de_gaGA1.2.1723248507.151...2019-11-18 10:58:08Z
.spiegel.de__gadsID=1e9dd58931950e67:...2019-11-18 10:58:05Z
.spiegel.despVcData211-1%3B0-32018-01-17 10:58:03Z
.spiegel.despVcTimeout12017-11-18 11:28:03Z 10:58:02Z

Third-party cookies

30 third-party cookies.

DomainNameValueExpires on
.ligadx.comLIG_U11d864f040-dba2-417b-9...2017-12-18 10:58:11Z
.ligadx.comLIG_ULTc5b59aee-4c80-4929-9...2018-12-13 10:58:11Z
.impdesk.comidbWhASQ6FeegAPD9DJWhAS...2018-12-13 10:58:11Z
.ligadx.comLIG_U1645787276392702917742017-12-18 10:58:11Z
.ligadx.comLIG_U20d6c8230e-85b4-4d69-a...2017-12-18 10:58:11Z
.ligadx.comLIG_U2264897071076622995042017-12-18 10:58:11Z
.adsrvr.orgTDCPMCAESFgoHa3Z3MXVwbRIL...2018-11-18 10:58:11Z
.adsrvr.orgTDIDd6c8230e-85b4-4d69-a...2018-11-18 10:58:11Z
.adnxs.comuuid245787276392702917742018-02-16 10:58:13Z
.adnxs.comsess12017-11-19 10:58:13Z
.bidswitch.nettuuid_last_update15110026912018-11-18 10:58:11Z
.bidswitch.nettuuidd864f040-dba2-417b-9...2018-11-18 10:58:11Z
.adfarm1.adition.comUserID164897071076622995042018-05-17 10:58:11Z
.bidswitch.netc15110026912018-11-18 10:58:11Z
.atdmt.comATN1.1511002689.1579915...2019-11-18 10:58:09Z
.demdex.netdemdex00628301726527834162...2018-05-17 10:58:09Z
ad3.adfarm1.adition.comfc4100592018-05-17 11:58:08Z
.config.parsely.comparsely_network_uuide08fd096-53df-46f1-9...2117-10-25 10:58:09Z
.openx.netpdv2|1511002689|8U2017-12-03 10:58:09Z
.openx.neti86a9b6d3-cd97-01dd-2...2018-11-18 10:58:09Z
.s290.meetrics.netid30049255-54BD-3D27-B...2017-12-18 10:58:07Z
.flashtalking.comflashtalkingad1"GUID=36091A91DF5316...2019-11-18 10:58:07Z
.doubleclick.netIDEAHWqTUk4S4LV5CenJLaY...2018-12-13 10:58:05Z
.adfarm1.adition.comlv_2331547w=3836900|t=15110026...2017-11-18 11:28:04Z
ad4.adfarm1.adition.comfc51003c2018-05-17 11:58:04Z
ad8.adfarm1.adition.comfc91016clzNqAAE.EhBaq1l...2018-05-17 11:58:03Z
.ioam.dei000028069b1ad5da6b75a1...2018-08-18 14:42:14Z
.yieldlab.netid2519753a-8fea-4a8a-8...2018-11-18 10:58:02Z

Third-party requests

188 requests (100 secure, 88 insecure) to 62 unique hosts.

A third-party request is a request to a domain that's not or one of its subdomains.

script.ioam.deAnalytics (INFOnline)
imagesrv.adition.comAdvertising (ADITION)
ad.yieldlab.netAdvertising (Yieldlab)
rtax.criteo.comAdvertising (Criteo)
ad8.adfarm1.adition.comAdvertising (ADITION)
static.adfarm1.adition.comAdvertising (ADITION)
de.ioam.deAnalytics (INFOnline)
a-ssl.ligatus.comAdvertising (Gruner + Jahr)
ad4.adfarm1.adition.comAdvertising (ADITION)
www.googletagservices.comDisconnect (Google)
ssl.ligatus.comAdvertising (Gruner + Jahr)
securepubads.g.doubleclick.netDisconnect (Google)
ad.doubleclick.netDisconnect (Google)
tpc.googlesyndication.comDisconnect (Google)
s0.2mdn.netDisconnect (Google)
static.parsely.comContent ( (Google)
servedby.flashtalking.comAdvertising (Flashtalking)
uk-ads.openx.netAdvertising (OpenX)
pagead2.googlesyndication.comDisconnect (Google)
dc57.s290.meetrics.netAnalytics (Meetrics)
cdn.flashtalking.comAdvertising (Flashtalking)
srv-2017-11-18-10.config.parsely.comContent (
ad3.adfarm1.adition.comAdvertising (ADITION)
bmwag.demdex.netAdvertising (Adobe)
z.moatads.comAdvertising (Moat)
eu-u.openx.netAdvertising (OpenX)
ad.atdmt.comAdvertising (Microsoft)
googleads4.g.doubleclick.netDisconnect (Google)
stats.g.doubleclick.netDisconnect (Google)
px.moatads.comAdvertising (Moat)
cm.g.doubleclick.netDisconnect (Google)
srv-2017-11-18-10.pixel.parsely.comContent (
us-u.openx.netAdvertising (OpenX)
geo.moatads.comAdvertising (Moat)
sig.atdmt.comAdvertising (Microsoft)
ib.adnxs.comAdvertising (AppNexus)
match.adsrvr.orgAdvertising (The Trade Desk)
dsp.adfarm1.adition.comAdvertising (ADITION)
ct.ligatus.comAdvertising (Gruner + Jahr) (Google)
i-ssl.ligatus.comAdvertising (Gruner + Jahr)
trk.helios.ligatus.comAdvertising (Gruner + Jahr)
ade.googlesyndication.comDisconnect (Google)

We use Disconnect's open source list of trackers to classify hosts.

Full list of third-party requests:

Content-Security-Policy not enabled

Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. It can also help prevent information leakage. has excellent (free) tools with which you can build or analyze a Content Security Policy.

HTTP headers


HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.1


Referrer-Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document (or when loading external resources) and should be set by all sites. (It can also be set using a meta element; see above.)


HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.


X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".


X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.


X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

1. Note that Public-Key-Pins can brick your site if something goes wrong and should only be used with great caution, if at all. See 1, 2, 3.

What this tool checks (and doesn't check)

This tool attempts to simulate what happens when a user visits a specified page with a typical browser. The browser has no addons/extensions installed, and Do Not Track (DNT) is not enabled, since this is the default setting in most browsers.

External files such as images, scripts and CSS are loaded, but the tool performs no interactions with the page — no links are clicked, no forms are submitted.

Disclaimer: The results presented here might not be 100% correct. Bugs happen. This tool is meant to be used by site owners as a starting point for improvements, not as a rigorous analysis.

The HTTP header descriptions are based on the ones from by Scott Helme, CC-BY-SA 4.0. Text about HTTPS partly adapted from the CIO Council's The HTTPS-Only Standard (public domain). MaxMind's GeoLite2 country database (CC-BY-SA 4.0) is used for GeoIP lookups.