Security Report Summary
A
Site: https://www.biu.ac.il/
IP Address: 176.100.170.218
Report Time: 07 Jul 2026 16:51:30 UTC
Headers:
  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options
  • Content-Security-Policy
  • Referrer-Policy
  • Permissions-Policy
Warning: Grade capped at A, please see warnings below.
Advanced:
Great grade! Perform a deeper security analysis of your website and APIs:
Missing Headers
Referrer-PolicyReferrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Permissions-PolicyPermissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
Warnings
Content-Security-PolicyThis policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the style-src directive.
Raw Headers
HTTP/2200
content-typetext/html; charset=UTF-8
set-cookie__uzma=eacf143e-9548-42fa-95e8-9c0e9ff6de11; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookie__uzmb=1783443089; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookie__uzme=2894; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookie__uzmc=971001086576; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookie__uzmd=1783443089; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookie__uzmf=7f9000eacf143e-9548-42fa-95e8-9c0e9ff6de111-17834430895300-00424c3275ed268f80a10; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
set-cookieuzmx=7f9000b3287019-78f2-4329-bd97-a57389b3b92b1-17834430895300-e6b207aff421763410; Domain=.biu.ac.il; HttpOnly; path=/; Expires=Tue, 05-Jan-27 16:51:29 GMT; Max-Age=15724800; SameSite=Lax
dateTue, 07 Jul 2026 16:51:29 GMT
set-cookieAWSALB=+LFIJKrwG8GfnzXDJ4iBQ280a/ojyPEnP6cpJFCpEXsTMfWyPMTwcvY1SUx3uayF0vlEBgZBgurHo8Vb7022cFS0tIZXkjg1M7KSCdbkONJIuWTqad9gJDJKiGSJ; Expires=Tue, 14 Jul 2026 16:51:29 GMT; Path=/
set-cookieAWSALBCORS=+LFIJKrwG8GfnzXDJ4iBQ280a/ojyPEnP6cpJFCpEXsTMfWyPMTwcvY1SUx3uayF0vlEBgZBgurHo8Vb7022cFS0tIZXkjg1M7KSCdbkONJIuWTqad9gJDJKiGSJ; Expires=Tue, 14 Jul 2026 16:51:29 GMT; Path=/; SameSite=None; Secure
strict-transport-securitymax-age=31536000; includeSubDomains
cache-controlmust-revalidate, no-cache, private
x-drupal-dynamic-cacheUNCACHEABLE (poor cacheability)
content-languagehe
x-content-type-optionsnosniff
x-frame-optionsSAMEORIGIN
expiresSun, 19 Nov 1978 05:00:00 GMT
x-generatorDrupal 10 (https://www.drupal.org)
content-security-policyscript-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.hotjar.com https://www.googletagmanager.com https://cdn.glassix.com https://js.nagich.co.il https://script.hotjar.com https://www.google-analytics.com https://www.googleadservices.com https://cdn.popt.in https://pagead2.googlesyndication.com https://r.icreate-campaign.com https://center.icreate-campaign.com https://googleads.g.doubleclick.net https://connect.facebook.net https://access.nagich.co.il https://cse.google.com https://www.google.com optimize.google.com https://www.googleoptimize.com https://fonts.googleapis.com https://optimize.google.com/ cdn.popt.in cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com https://www.riddle.com unpkg.com; script-src-attr 'self' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline' https://static.hotjar.com https://www.googletagmanager.com https://cdn.glassix.com https://js.nagich.co.il https://script.hotjar.com https://www.google-analytics.com https://www.googleadservices.com https://cdn.popt.in https://r.icreate-campaign.com https://center.icreate-campaign.com https://googleads.g.doubleclick.net https://connect.facebook.net https://access.nagich.co.il https://cse.google.com https://www.google.com optimize.google.com https://www.googleoptimize.com https://fonts.googleapis.com https://optimize.google.com cdn.popt.in https://www.youtube.com https://bringthemhomenow.net https://pagead2.googlesyndication.com https://dev.visualwebsiteoptimizer.com https://trinitymedia.ai https://vd.trinitymedia.ai https://www.clarity.ms/tag/ https://sdk.getlimy.ai/p/limy-analytics.min.js https://scripts.clarity.ms/ https://analytics.getlimy.ai/array/ https://ep2.adtrafficquality.google/sodar/sodar2.js https://cdn.amplitude.com/libs/ https://sdk.whtvr.ai/ cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com https://www.riddle.com unpkg.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://cse.google.com https://www.google.com https://center.icreate-campaign.com https://fonts.googleapis.com https://optimize.google.com cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com unpkg.com; style-src-attr 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://center.icreate-campaign.com www.google.com https://cse.google.com https://fonts.googleapis.com https://optimize.google.com cdn.popt.in https://cdn.glassix.com https://access.nagich.co.il cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com unpkg.com; worker-src 'self' blob:; frame-ancestors 'self' acad-sec.lndo.site acad-sec9.lndo.site bible.lndo.site bible9.lndo.site ch.lndo.site ch9.lndo.site comlit.lndo.site comlit9.lndo.site communication.lndo.site communication9.lndo.site d2021.lndo.site d20219.lndo.site econ.lndo.site econ9.lndo.site education.lndo.site education9.lndo.site engineering.lndo.site engineering9.lndo.site french.lndo.site french9.lndo.site geoenv.lndo.site geoenv9.lndo.site gondabrain.lndo.site gondabrain9.lndo.site ict.lndo.site ict9.lndo.site imba.lndo.site imba9.lndo.site is.lndo.site is9.lndo.site law.lndo.site law9.lndo.site life-sciences.lndo.site life-sciences9.lndo.site lisa.lndo.site lisa9.lndo.site management.lndo.site management9.lndo.site math.lndo.site math9.lndo.site mba.lndo.site mba9.lndo.site medicine.lndo.site medicine9.lndo.site multi-judaic.lndo.site multi-judaic9.lndo.site nano.lndo.site nano9.lndo.site physics.lndo.site physics9.lndo.site politics.lndo.site politics9.lndo.site psychology.lndo.site psychology9.lndo.site social-work.lndo.site social-work9.lndo.site sociology.lndo.site sociology9.lndo.site talmud.lndo.site talmud9.lndo.site translation.lndo.site translation9.lndo.site culture.lndo.site culture9.lndo.site gender.lndo.site gender9.lndo.site jewish-history.lndo.site jewish-history9.lndo.site mgl.lndo.site mgl9.lndo.site pconfl.lndo.site pconfl9.lndo.site jewish-faculty.lndo.site jewish-faculty9.lndo.site jart.lndo.site jart9.lndo.site yesod.lndo.site yesod9.lndo.site optometrics.lndo.site optometrics9.lndo.site middle-east.lndo.site middle-east9.lndo.site hebrew.lndo.site hebrew9.lndo.site social-health.lndo.site social-health9.lndo.site classics.lndo.site classics9.lndo.site graduate-school.lndo.site graduate-school9.lndo.site desigprog.lndo.site desigprog9.lndo.site criminology.lndo.site criminology9.lndo.site demo2.lndo.site demo29.lndo.site demo.lndo.site demo9.lndo.site dean.lndo.site dean9.lndo.site arabic.lndo.site arabic9.lndo.site philosophy.lndo.site philosophy9.lndo.site learning-and-teaching.lndo.site learning-and-teaching9.lndo.site jphilosophy.lndo.site jphilosophy9.lndo.site dangoor-medicine.lndo.site dangoor-medicine9.lndo.site lib.lndo.site lib9.lndo.site hebrew-literature.lndo.site hebrew-literature9.lndo.site cs.lndo.site cs9.lndo.site music.lndo.site music9.lndo.site stuad.lndo.site stuad9.lndo.site history.lndo.site history9.lndo.site efl.lndo.site efl9.lndo.site barav.lndo.site barav9.lndo.site english.lndo.site english9.lndo.site tiful.lndo.site tiful9.lndo.site mechina-kda.lndo.site mechina-kda9.lndo.site social-sciences.lndo.site social-sciences9.lndo.site superconductivity.lndo.site superconductivity9.lndo.site interdis.lndo.site interdis9.lndo.site mali.lndo.site mali9.lndo.site humanities.lndo.site humanities9.lndo.site esc.lndo.site esc9.lndo.site law-clinics.lndo.site law-clinics9.lndo.site midrasha.lndo.site midrasha9.lndo.site mzb.lndo.site mzb9.lndo.site lp.biu.ac.il *.biu.ac.il; report-uri https://www.biu.ac.il/report-uri/enforce
x-drupal-cacheHIT
varyOrigin,Accept-Encoding
rdwr_responseallowed
content-encodinggzip
Upcoming Headers
Cross-Origin-Embedder-PolicyCross-Origin Embedder Policy allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.
Cross-Origin-Opener-PolicyCross-Origin Opener Policy allows a site to opt-in to Cross-Origin Isolation in the browser.
Cross-Origin-Resource-PolicyCross-Origin Resource Policy allows a resource owner to specify who can load the resource.
Additional Information
strict-transport-securityHTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
x-content-type-optionsX-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
x-frame-optionsX-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
content-security-policyContent Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyse this policy in more detail. You can sign up for a free account on Report URI to collect reports about problems on your site.