Security Report Summary
A
Site: https://www.siemens.com/global/en.html
IP Address: 2600:9000:234c:2400:f:1972:5380:93a1
Report Time: 16 May 2024 07:12:27 UTC
Headers:
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Referrer-Policy
  • X-Frame-Options
  • Content-Security-Policy
  • Permissions-Policy
Warning: Grade capped at A, please see warnings below.
Advanced:
Great grade! Perform a deeper security analysis of your website and APIs:
Missing Headers
Permissions-PolicyPermissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
Warnings
Content-Security-PolicyThis policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
Raw Headers
HTTP/2200
content-typetext/html
x-amz-id-2IV5O41C4Ge8qvEpYTS0pKXrCXmou08I54dZlsI+jEFOPceICEY0F0mb0lok60cVT7a4ipF4gSUg=
x-amz-request-idHWPMMZ3F31YV48CG
dateThu, 16 May 2024 07:08:16 GMT
last-modifiedThu, 16 May 2024 00:57:54 GMT
x-amz-server-side-encryptionAES256
cache-controlpublic, max-age=600, must-revalidate
x-amz-version-idPMDE2XJkK.xYr9qSXSE8Ej8xEGKXWUql
serverC2 Comms Cloud (065548e1)
x-ab-testno
content-encodinggzip
etagW/"2601bed8fcd2f9a37c83a2219be5422f"
varyAccept-Encoding
strict-transport-securitymax-age=31536000; includeSubDomains; preload
x-xss-protection1; mode=block
x-content-type-optionsnosniff
referrer-policystrict-origin-when-cross-origin
x-lae-regionus-west-2
x-frame-optionssameorigin
content-security-policybase-uri 'self'; block-all-mixed-content; child-src 'self' blob:; connect-src 'self' *.force.com *.media.brightcove.com *.salesforce.com *.salesforceliveagent.com siemenscrm.my.salesforce-sites.com siemensint.my.salesforce-sites.com *.tt.omtrdc.net *.eu.auth0.com *.usercentrics.eu adservice.google.com adservice.google.com api.dc.siemens.com assets.new.siemens.com blob: cdn.cookielaw.org cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com cognito-identity.eu-west-1.amazonaws.com data.cdn.siemens.com dataplane.rum.eu-west-1.amazonaws.com dc.oracleinfinity.io dev.api.dc.siemens.com edge.api.brightcove.com geolocation.onetrust.com house-fastly-signed-eu-west-1-prod.brightcovecdn.com manifest.prod.boltdns.net metrics.brightcove.com www.siemens.com *.ingest.sentry.io privacyportal-eu.onetrust.com profiles.siemens.com searchapi.new.siemens.com secure.brightcove.com siemens.demdex.net siemens.sc.omtrdc.net siemensdigitalindustries.nanorep.co sts.eu-west-1.amazonaws.com tools.adlytics.net uat.api.dc.siemens.com visitor-services.nanorep.com w3.siemens.com www.facebook.com www.google.com www.google.com *.brapps.siemens.cloud *.brappsqa.siemens.cloud mktdplp102cdn.azureedge.net 322e30018b7e4846825041773c891f42.svc.dynamics.com e070f2c1c4514ee2b79becebacc0f9b2.svc.dynamics.com *.virtualevent.siemens.com go.cuenect.de partnerinfo.siemens.at hitech.at www.siemens.at resource.finnchat.com api-fra.livechatinc.com ue2gfcryae.execute-api.eu-central-1.amazonaws.com sea-api.siemens.cloud sleeknotestaticcontent.sleeknote.com images.sleeknote.com dvt4t9p29wi8.cloudfront.net *.hotjar.com *.hotjar.io wss://*.hotjar.com www.hqs.sbt.siemens.com www.cdn.botfriendsx.com *.smooch.io wss://*.smooch.io d1p0l0wtisukf7.cloudfront.net author.new.siemens.com cdn.linkedin.oribi.io rs.eu1.fullstory.com cert-portal.siemens.com api.demandbase.com www.yousty.ch survey.adlytics.net ghsszvtech.execute-api.us-east-1.amazonaws.com participant.connect.us-east-1.amazonaws.com wss://tufsuyburufn.transport.connect.us-east-1.amazonaws.com gbs-emobility-chat.s3.us-east-1.amazonaws.com irpages2.eqs.com api.maze.co prompts.maze.co fairtouch.siemens.com cdn.fairtouch.siemens.com author.new.siemens.com community.siemens.com directline.botframework.com api.xcelerator.siemens.com api.marketplace.siemens.com public-apim.siemens.com reporting-hub.ryze-digital.de rqtchqd8nd.execute-api.eu-west-1.amazonaws.com wss://directline.botframework.com fkodf56x5k.execute-api.eu-west-1.amazonaws.com *.adyen.com *.xcelerator.siemens.com; default-src 'self' blob:; font-src 'self' cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com data: tools.adlytics.net script.hotjar.com www.cdn.botfriendsx.com reporting-hub.ryze-digital.de; frame-ancestors 'self' *.c2comms.cloud contentpath.siemens.com mc.contentpath.siemens.com resources.dc.siemens.com siemensfactoryautomation.pathfactory.com myaccount.lingotek.com; frame-src 'self' *.force.com *.salesforce.com *.salesforceliveagent.com siemenscrm.my.salesforce-sites.com siemensint.my.salesforce-sites.com *.usercentrics.eu bid.g.doubleclick.net td.doubleclick.net cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com jobs.siemens-info.com pages.siemens-info.com playout.3qsdn.com sites.siemens-info.com tpc.googlesyndication.com www.facebook.com 322e30018b7e4846825041773c891f42.svc.dynamics.com e070f2c1c4514ee2b79becebacc0f9b2.svc.dynamics.com secure-fra.livechatinc.com vars.hotjar.com *.c2comms.cloud *.siemens.com maestrobot.it-app.biz dvt4t9p29wi8.cloudfront.net *.adyen.com; img-src 'self' *.prod.boltdns.net *.siemens.com *.tt.omtrdc.net *.usercentrics.eu 825113843.privacysandbox.googleadservices.com ad.doubleclick.net adservice.google.com adservice.google.com android-webview-video-poster: blob: brightcove04pmdo-a.akamaihd.net cdn.cookielaw.org cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com data: dc.ads.linkedin.com dc.oracleinfinity.io googleads.g.doubleclick.net metrics.brightcove.com px.ads.linkedin.com px4.ads.linkedin.com secure.adnxs.com siemens.mindsphere.io siemens.sc.omtrdc.net stats.adlytics.net t.co tr.outbrain.com trc.taboola.com www.facebook.com www.google.com www.google.com www.googletagmanager.com www.linkedin.com 322e30018b7e4846825041773c891f42.svc.dynamics.com e070f2c1c4514ee2b79becebacc0f9b2.svc.dynamics.com cdn.go.cuenect.net siemenscrm--c.vf.force.com siemenscrm.lightning.force.com siemenscrm.my.salesforce.com partnerinfo.siemens.at hitech.at baudoku.1000eyes.de cdn.livechatinc.com cdn.livechat-files.com analytics.sleeknote.com static.hotjar.com script.hotjar.com botbuilder.siemens.cloud *.smooch.io ib.adnxs.com maestrobot.it-app.biz www.blids.de analytics.twitter.com *.prescreen.io dvt4t9p29wi8.cloudfront.net reporting-hub.ryze-digital.de universe.send.microad.jp insight.adsrvr.org dq3yfnoirppqu.cloudfront.net *.adyen.com pixel.quantserve.com; manifest-src 'self' *.c2comms.cloud; media-src 'self' *.cf.brightcove.com *.media.brightcove.com assets.new.siemens.com blob: data: house-fastly-signed-eu-west-1-prod.brightcovecdn.com manifest.prod.boltdns.net secure.brightcove.com dvt4t9p29wi8.cloudfront.net; object-src players.brightcove.net w3.siemens.com; script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' *.force.com *.salesforce.com *.salesforceliveagent.com siemenscrm.my.salesforce-sites.com siemensint.my.salesforce-sites.com *.ste.dc.siemens.com *.usercentrics.eu ajax.googleapis.com analytics.twitter.com assets.adobedtm.com cdn.cookielaw.org cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com client.rum.us-east-1.amazonaws.com connect.facebook.net cookies.siemens.com d.oracleinfinity.io data.cdn.siemens.com dataplane.rum.eu-central-1.amazonaws.com geolocation.onetrust.com googleads.g.doubleclick.net img.en25.com jsd-widget.atlassian.com my.nanorep.com www.siemens.com players.brightcove.net profiles.siemens.com scripts.demandbase.com siemensdigitalindustries.nanorep.co snap.licdn.com static.ads-twitter.com tools.adlytics.net tpc.googlesyndication.com vjs.zencdn.net w3.siemens.com www.automation.siemens.com www.google.com www.google.com www.googleadservices.com www.googletagmanager.com mktdplp102cdn.azureedge.net wwwstage.siemens.com resource.finnchat.com cdn.livechatinc.com api.livechatinc.com api-fra.livechatinc.com secure-fra.livechatinc.com sleeknotecustomerscripts.sleeknote.com sleeknotestaticcontent.sleeknote.com static.hotjar.com script.hotjar.com botbuilder.siemens.cloud www.cdn.botfriendsx.com *.smooch.io 322e30018b7e4846825041773c891f42.svc.dynamics.com www.sfs.siemens.de *.virtualevent.siemens.com *.c2comms.cloud edge.eu1.fullstory.com snippet.maze.co reporting-hub.ryze-digital.de vi.ml314.com ml314.com secure.quantserve.com rules.quantcount.com; style-src 'self' 'unsafe-inline' *.force.com *.salesforce.com *.salesforceliveagent.com siemenscrm.my.salesforce-sites.com siemensint.my.salesforce-sites.com *.usercentrics.eu cdn.siemens-web.com *.c2comms.cloud cdn.siemens.com cdn.segment.com api.segment.io assets.new.siemens.com www.siemens.com profiles.siemens.com tools.adlytics.net w3.siemens.com static.hotjar.com script.hotjar.com botbuilder.siemens.cloud www.cdn.botfriendsx.com www.sfs.siemens.de reporting-hub.ryze-digital.de; upgrade-insecure-requests; worker-src 'self' 'unsafe-inline' blob:; report-uri https://w3.siemens.com/report?environment=siemenscom-prod&release=065548e1; report-to commscloud
report-to{"group":"commscloud","max_age":3600,"endpoints":[{"url":"https://w3.siemens.com/report?environment=siemenscom-prod&release=065548e1"}],"include_subdomains":true}
nel{"report_to":"commscloud","max_age":3600,"include_subdomains":true,"success_fraction":0.1,"failure_fraction":1}
link<https://assets.adobedtm.com/>; rel=preconnect, <https://w3.siemens.com>; rel=preconnect, <https://assets.new.siemens.com>; rel=preconnect, <https://api.dc.siemens.com/fluidweb>; rel=preconnect, <https://cdn.c2comms.cloud>; rel=preconnect
x-cacheHit from cloudfront
via1.1 fa640a50340d741c579292b495a2218e.cloudfront.net (CloudFront)
x-amz-cf-popSFO5-P1
alt-svch3=":443"; ma=86400
x-amz-cf-idDNyOx0kHmCL8xMB3Uq-e9etL_DBW08b-HZY6XH05yhyx11-cgsptAw==
age252
Upcoming Headers
Cross-Origin-Embedder-PolicyCross-Origin Embedder Policy allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.
Cross-Origin-Opener-PolicyCross-Origin Opener Policy allows a site to opt-in to Cross-Origin Isolation in the browser.
Cross-Origin-Resource-PolicyCross-Origin Resource Policy allows a resource owner to specify who can load the resource.
Additional Information
serverServer value has been changed. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2".
strict-transport-securityHTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
x-xss-protectionX-XSS-Protection sets the configuration for the XSS Auditor built into older browsers. The recommended value was "X-XSS-Protection: 1; mode=block" but you should now look at Content Security Policy instead.
x-content-type-optionsX-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
referrer-policyReferrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
x-frame-optionsX-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
content-security-policyContent Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyse this policy in more detail. You can sign up for a free account on Report URI to collect reports about problems on your site.
report-toReport-To enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur. You can sign up for a free account on Report URI to collect these reports.
nelNetwork Error Logging is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on Report URI to collect these reports.