WebForensik

Results for https://hi-reg.de/

Scan time: 2026-04-08 15:16:06

Overall Score: 72

GDPR Summary

⚠ This website needs improvement regarding data protection.

GDPR Issues Detected (1):

⚠ Missing or unsafe Referrer-Policy — URLs containing personal data may be leaked to third parties.

Note: This automated analysis does not replace legal advice. For a complete GDPR assessment, consult a data protection officer.

↓ See detailed results for each category below.

100 HTTPS / Encryption

The website uses an encrypted connection (HTTPS).

Latest encryption active (TLS 1.3 — TLSv1.3).

The security certificate is valid (expires 2026-06-27).

Strong encryption method (TLS_CHACHA20_POLY1305_SHA256, 256 bit).

100 Enforced Encryption (HSTS)

HSTS is enabled — the browser is instructed to always use the encrypted connection.

HSTS duration: 63072000 seconds (at least 1 year) — very good.

HSTS also applies to all subdomains (includeSubDomains).

HSTS preload is enabled — browsers know about the encryption before the first visit.

30 Content Security Policy (CSP)

Content Security Policy present (via HTTP header).

No restriction for scripts defined (script-src/default-src missing).

☛ Action needed: Add a script-src directive to your Content Security Policy to define where scripts may be loaded from. Example: script-src 'self'

20 Referrer Policy

Referrer-Policy: strict-origin-when-cross-origin strict-origin-when-cross-origin (via HTTP header).

The setting "strict-origin-when-cross-origin strict-origin-when-cross-origin" shares too much URL information with other websites.

☛ Action needed: Change the Referrer-Policy to a more privacy-friendly setting like "strict-origin-when-cross-origin" or "no-referrer". The current setting shares too much information with third parties.

0 MIME Type Protection

No MIME type protection (X-Content-Type-Options missing). Browsers may misinterpret files.

☛ Action needed: Add the header X-Content-Type-Options: nosniff. This prevents browsers from misinterpreting files, which can lead to security vulnerabilities. Your hosting provider or web developer can set this up in minutes.

0 Clickjacking Protection

Invalid X-Frame-Options value: SAMEORIGIN SAMEORIGIN.

☛ Action needed: The X-Frame-Options value is invalid. Use DENY or SAMEORIGIN.

100 Permissions (Camera, Microphone, etc.)

Permissions-Policy is configured — access to sensitive device APIs is controlled.

4 of 6 sensitive APIs restricted — very good.

85 Cookies

2 first-party and 0 third-party cookie(s).

2 of 2 cookie(s) without Secure flag — sent over unencrypted connections too.

☛ Action needed: Set the Secure flag for all cookies. Without it, cookies are also sent over unencrypted HTTP connections and can be intercepted. Your web developer can change this in the cookie configuration.

2 of 2 cookie(s) without HttpOnly flag — could be read by malicious code.

☛ Action needed: Set the HttpOnly flag for all cookies that are not needed by JavaScript. This protects against session data theft through malicious code.

First-party cookies (from the website itself)

Name Domain Encrypted Server only SameSite
_pk_id.1.50af hi-reg.de No No Lax
_pk_ses.1.50af hi-reg.de No No Lax

70 Local Storage (Web Storage)

1 localStorage and 0 sessionStorage item(s) found.

localStorage

Name Value
readabler {}

100 Third-Party Requests

No third-party requests detected — all content comes from the website's own server.

100 Tracker Detection

No known trackers detected.

100 External Resource Integrity (SRI)

No external scripts or stylesheets loaded.

65 DNS Security

No CAA records. Any certificate authority could issue a certificate for this domain.

☛ Action needed: Create CAA DNS records to specify which certificate authorities may issue certificates for your domain. This prevents unauthorized certificates from being issued.

3 nameservers present — good redundancy.

No IPv6 support (no AAAA record).

☛ Action needed: Enable IPv6 support (AAAA records) for your domain. More and more users are using IPv6.

SPF record present: v=spf1 redirect=hi-reg.de.spf.hornetdmarc.com — protects against email spoofing.

DMARC record present: v=DMARC1; p=quarantine; pct=100; fo=0:s:d:1; rua=mailto:a.qwm448aq@reports.hornetdmarc.com — email authentication active.

0 Security Contact (security.txt)

No security.txt file found (RFC 9116). Security researchers don't know how to report vulnerabilities.

☛ Action needed: Create a security.txt file at /.well-known/security.txt. This allows security researchers to responsibly report vulnerabilities. Required fields: Contact (email or URL) and Expires (expiration date).
100 External Reporting Endpoints

No external reporting endpoints detected.

70 Cookie Consent

Cookie consent system detected: Borlabs Cookie, borlabs.

Consent system detected, but banner does not appear to be visible.

☛ Action needed: The consent system does not appear to be visible. Ensure the cookie banner is displayed on the first visit and is not hidden by CSS or JavaScript.
80 Privacy Policy & Legal Notice

Privacy policy linked: "DATENSCHUTZ" (/datenschutz/).

Legal notice linked: "IMPRESSUM" (/impressum/).

Privacy policy link is broken: HTTP/1.1 301 Moved Permanently.

☛ Action needed: The privacy policy link leads to an error. Check the URL and ensure the page is accessible.

HTTP Response Headers

Header Value
access-control-allow-headers Content-Type, Authorization Content-Type, Authorization
access-control-allow-methods GET,POST GET,POST
content-security-policy upgrade-insecure-requests; upgrade-insecure-requests;
content-type text/html; charset=UTF-8
cross-origin-embedder-policy unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-embedder-policy-report-only unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-opener-policy unsafe-none unsafe-none
cross-origin-opener-policy-report-only unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-resource-policy cross-origin cross-origin
date Wed, 08 Apr 2026 13:15:36 GMT
link <https://hi-reg.de/wp-json/>; rel="https://api.w.org/", <https://hi-reg.de/wp-json/wp/v2/pages/14>; rel="alternate"; title="JSON"; type="application/json", <https://hi-reg.de/>; rel=shortlink
permissions-policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=()
referrer-policy strict-origin-when-cross-origin strict-origin-when-cross-origin
server Apache
strict-transport-security max-age=63072000; includeSubDomains; preload max-age=63072000; includeSubDomains; preload
x-cache hit
x-content-security-policy default-src 'self'; img-src *; media-src * data:; default-src 'self'; img-src *; media-src * data:;
x-frame-options SAMEORIGIN SAMEORIGIN
x-permitted-cross-domain-policies none none
x-tec-api-origin https://hi-reg.de
x-tec-api-root https://hi-reg.de/wp-json/tribe/events/v1/
x-tec-api-version v1