Security Headers Checker

HTTP 403 · https://www.asda.com/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=15552000; includeSubDomains; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

connect-src 'self' *.cdn.content.amplience.net *.staging.bigcontent.io *.algolia.net direct-collect.dy-api.eu direct.dy-api.eu *.algolianet.com *.worldline-solutions.com *.ingenico.com *.ideal-postcodes.co.uk *.criteo.com www.bing.com dev.virtualearth.net t.ssl.ak.dynamic.tiles.virtualearth.net insights.algolia.io *.scoota.co *.criteo.net adobedc.demdex.net edge.adobedc.net ns.adobe.com *.onetrust.com *.accdab.net apps.bazaarvoice.com display.ugc.bazaarvoice.com static.cloudflareinsights.com staging-uk.cdn-net.com uk.cdn-net.com six.cdn-net.com https://api-eu.jdadelivers.com collection.decibelinsight.net cdn.decibelinsight.net *.decibel.com wss://collection.decibelinsight.net wss://cdn.decibelinsight.net *.digital-cloud.medallia.eu bam.nr-data.net ingressteam.cloudflareaccess.com *.google-analytics.com analytics.tiktok.com sghs.asda.com www.mczbf.com *.dotomi.com connect.facebook.net www.facebook.com bat.bing.com www.sc-static.net tr.snapchat.com www.redditstatic.com analytics.twitter.com ads-api.twitter.com www.ads-twitter.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com www.googletagmanager.com googletagmanager.com *.googletagmanager.com www.google.com google.com api2.asda.com ghs-mm.asda.com api.bazaarvoice.com bat.bing.net api.onsleek.ai *.api.onsleek.ai *.reddit.com *.google.com www.google.co.uk *.www.google.co.uk www.google.com/* network-eu-a.bazaarvoice.com www.asda.com *.www.asda.com www.asda.com/* dynamicyield.com *.dynamicyield.com https://www.asda.com/api/ghs/token-manager/get-tokens www.gstatic.com; default-src 'self'; font-src 'self' fonts.gstatic.com r2cdn.perplexity.ai/*; frame-src 'self' *; frame-ancestors 'self' www.asda.com asda.app.amplience.net; img-src 'self' *.commercecloud.salesforce.com *.media.amplience.net data: asda.a.bigcontent.io *.assets-asda.com *.dynamicyield.com *.criteo.com retailmedia-static.azureedge.net staticassets-creator-design.criteo.net t.ssl.ak.dynamic.tiles.virtualearth.net www.bing.com *.scoota.co adobedc.demdex.net edge.adobedc.net ns.adobe.com *.onetrust.com analytics.tiktok.com www.google.co.uk fonts.gstatic.com sghs.asda.com www.mczbf.com *.dotomi.com connect.facebook.net www.facebook.com bat.bing.com www.sc-static.net tr.snapchat.com www.redditstatic.com analytics.twitter.com ads-api.twitter.com www.ads-twitter.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com adservice.google.com www.googletagmanager.com googletagmanager.com *.googletagmanager.com ssl.gstatic.com www.gstatic.com *.google-analytics.com www.google.com d3dh5c7rwzliwm.cloudfront.net d32106rlhdcogo.cloudfront.net dgf0rw7orw6vf.cloudfront.net gum.criteo.com x.bidswitch.net r.casalemedia.com cm.g.doubleclick.net secure.adnxs.com simage2.pubmatic.com pixel.rubiconproject.com sync-criteo.ads.yieldmo.com hb.yahoo.net sync-t1.taboola.com haq81g6w.micpn.com *.bazaarvoice.com d1fd8aj8bhyfe9.cloudfront.net synchroscript.deliveryengine.adswizz.com us-u.openx.net cms.analytics.yahoo.com *.reddit.com bat.bing.net google.com *.google.com client-side-metrics.nl3.eu.criteo.net analytics.google.com *.scene7.com content.etilize.com rtb-csync.smartadserver.com contextual.media.net eb2.3lift.com dsum-sec.casalemedia.com csync.loopme.me sync.crwdcntrl.net ps.eyeota.net us-east.ads.audio.thisisdax.com e1.emxdgt.com pixel.adsafeprotected.com ups.analytics.yahoo.com exchange-match.mediaplex.com partners.tremorhub.com bh.contextweb.com sync.1rx.io crb.kargo.com cs.openwebmp.com www.emjcd.com wt.rqtrk.eu asdagroceries.scene7.com asdagroceries.scene7.com/* static.nonprod.asda.com googleads.g.doubleclick.net/* www.google.de www.google.fr www.google.ie ms-cookie-sync.presage.io/* www.google.co.in www.google.com/* https://ms-cookie-sync.presage.io/user-sync ms-cookie-sync.presage.io/user-sync googleads.g.doubleclick.net *.googleads.g.doubleclick.net www.google.pl www.google.tn www.google.at www.google.tr; manifest-src 'self' www.asda.com; media-src 'self' asdagroceries.scene7.com s7d2.scene7.com *.scoota.co static.criteo.net; script-src 'self' 'unsafe-eval' 'unsafe-inline' apps.rokt.com storage.googleapis.com *.algolia.net *.worldline-solutions.com *.ingenico.com assets.adobedtm.com www.bing.com r.bing.com dev.virtualearth.net *.scoota.co asdagroceries.scene7.com ui.assets-asda.com d3dh5c7rwzliwm.cloudfront.net d32106rlhdcogo.cloudfront.net dgf0rw7orw6vf.cloudfront.net adobedc.demdex.net edge.adobedc.net ns.adobe.com *.onetrust.com *.accdab.net *.criteo.com *.hlserve.com apps.bazaarvoice.com display.ugc.bazaarvoice.com stg.api.bazaarvoice.com static.cloudflareinsights.com mpsnare.iesnare.com collection.decibelinsight.net cdn.decibelinsight.net *.decibel.com blob: *.digital-cloud.medallia.eu staging-uk.cdn-net.com uk.cdn-net.com six.cdn-net.com js-agent.newrelic.com ingressteam.cloudflareaccess.com www.googletagmanager.com *.google-analytics.com analytics.tiktok.com sghs.asda.com www.mczbf.com *.dotomi.com connect.facebook.net www.facebook.com bat.bing.com www.sc-static.net tr.snapchat.com www.redditstatic.com analytics.twitter.com ads-api.twitter.com www.ads-twitter.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com tagmanager.google.com googletagmanager.com *.googletagmanager.com www.google.com google.com haq81g6w.micpn.com migroceries.asda.com asda-promotions.co.uk api.bazaarvoice.com *.criteo.net *.d3dh5c7rwzliwm.cloudfront.net *.mpsnare.iesnare.com https://analytics-static.ugc.bazaarvoice.com/prod/static/3/bv-analytics.js *.reddit.com *.connect.facebook.net www.mczbf.com/* challenges.cloudflare.com bat.bing.com/* login.dotomi.com/* *.dynamicyield.com cdn-eu.dynamicyield.com *.cdn-eu.dynamicyield.com; style-src 'self' https: 'unsafe-inline' *.bazaarvoice.com ssl.gstatic.com www.gstatic.com tagmanager.google.com fonts.googleapis.com googletagmanager.com *.googletagmanager.com; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=D.ZGoJvZHBlUW6ukoUdK4mP7T5y7VSn7rJbzS4A4CJk-1777842584.823932-1.0.1.1-pZWs8ijgt0x8OrZrc2oQb6cSaDYOREVD4HY2Fe4X1.9Id_xxLtGOErR5XxPcuKzwEeGCqy7WIfBmPkPUSUZs1QS1KGGE792RyZvNGgi0KrEmOvuzo56V9th6ybjzteOFE63KFE.oUqfDxmkwCy.UrTjz2yVFsxRBHuUN8oxxreiLmX2B2sYA4a4REhmpia_s; report-to cf-fdiyhnuxxdomlote

[ STRONG ]

// Prevents clickjacking by blocking iframe embedding from other origins.

SAMEORIGIN

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

same-origin

[ PRESENT ]

// Restricts which browser features (camera, mic, etc.) the page can use.

interest-cohort=()