
WebForensik

Results for https://calendly.com/sendproud/30min/

Scan time: 2026-05-03 13:48:12

Overall Score: 60

GDPR Summary

⚠ This website has serious GDPR deficiencies. Immediate action is required.

GDPR Issues Detected (4):

❌ 7 third-party server(s) outside the EU/EEA — data transfers without legal basis may violate Art. 44–49 GDPR.

Affected servers outside the EU:

  • www.recaptcha.net (United States)
  • accounts.google.com (United States)
  • notifier-configs.airbrake.io (United States)
  • www.gstatic.com (United States)
  • m.stripe.network (United States)
  • d3v0px0pttie1i.cloudfront.net (United States)
  • m.stripe.com (United States)

❌ 2 tracking service(s) detected — without prior consent (opt-in) this violates Art. 6(1) GDPR.

Detected trackers:

  • Google (Anti-fraud)
  • Google (Content)

⚠ Third-party cookies are being set — without consent this violates the ePrivacy Directive.

⚠ No Content Security Policy — increased risk of cross-site scripting (XSS) and data theft.

Note: This automated analysis does not replace legal advice. For a complete GDPR assessment, consult a data protection officer.

↓ See detailed results for each category below.

100 HTTPS / Encryption

The website uses an encrypted connection (HTTPS).

Latest encryption version active (TLSv1.3).

The security certificate is valid (expires 2026-07-08).

Strong encryption method (TLS_AES_256_GCM_SHA384, 256 bit).

100 Enforced Encryption (HSTS)

HSTS is enabled — the browser is instructed to always use the encrypted connection.

HSTS duration: 31536000 seconds (at least 1 year) — very good.

HSTS also applies to all subdomains (includeSubDomains).

HSTS preload is enabled — browsers know about the encryption before the first visit.

0 Content Security Policy (CSP)

No Content Security Policy (CSP) found. The website has no protection against injected malicious code.

☛ Action needed: Set up a Content Security Policy. This protects your visitors from injected malicious code (Cross-Site Scripting/XSS). Start with a simple policy: Content-Security-Policy: default-src 'self'. Your web developer or hosting provider can help.
▸ How to fix this — step-by-step guide

A Content Security Policy (CSP) is a doorkeeper rule for the browser: "Scripts and styles may only be loaded from these allowed sources." Without CSP, injected malicious code (XSS) can freely fetch anything. Start with a simple, secure baseline.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'"
</IfModule>

⚠ This policy is intentionally pragmatic (allows inline styles since many themes/plugins rely on them). If something breaks after enabling: F12 → Console shows "Refused to load…" — add the affected domain after script-src / img-src.

Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

# BEGIN WebForensik CSP
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'"
</IfModule>
# END WebForensik CSP

⚠ WordPress often loads external scripts (Google Fonts, jQuery CDN, analytics pixel) — if CSP blocks them: open the console, see which domain is blocked, append that domain to "script-src 'self'" separated by a space.

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_action('send_headers', function () {
    header("Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'");
});

⚠ If unsure: start with "Content-Security-Policy-Report-Only" (only monitor, don’t block), watch violations in the console, then switch to enforced mode.

✓ How to verify it works: Open page, F12 → Console — no red "Refused to load…" messages. Network tab → first request → Response Header "content-security-policy" visible.

60 Referrer Policy

Referrer-Policy: strict-origin-when-cross-origin (set via HTTP header).

100 MIME Type Protection

MIME type protection active (nosniff) — browsers will not misinterpret files.

0 Clickjacking Protection

Invalid X-Frame-Options value: ALLOWALL.

☛ Action needed: The X-Frame-Options value is invalid. Use DENY or SAMEORIGIN.
▸ How to fix this — step-by-step guide

Your X-Frame-Options header has an invalid value. Only "DENY" (no embedding at all) or "SAMEORIGIN" (only your domain) are allowed.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

⚠ Replace the malformed value. If you want NO embedding at all, use DENY instead of SAMEORIGIN.

Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

⚠ Replace the malformed entry.

✓ How to verify it works: F12 → Network → Response Header: value is DENY or SAMEORIGIN.

0 Permissions (Camera, Microphone, etc.)

No Permissions-Policy set. Third-party scripts could access camera, microphone, or location.

☛ Action needed: Set a Permissions-Policy to control access to camera, microphone, and location. GDPR-relevant: Without this setting, third-party scripts could silently access sensitive device features. Example: Permissions-Policy: camera=(), microphone=(), geolocation=()
▸ How to fix this — step-by-step guide

Permissions-Policy controls whether scripts (including third-party) may access camera, microphone, location, motion sensors etc. GDPR-relevant because sensitive device APIs can otherwise be reached unnoticed.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=()"
</IfModule>

⚠ "()" at the end means: no caller (not even your own page) may use this API. If you need geolocation (e.g. a map feature): use geolocation=(self) instead of geolocation=(). "interest-cohort=()" disables Google’s FLoC tracking.

Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()"
</IfModule>

⚠ Standard WordPress needs none of these APIs. If you use a plugin that needs the camera (QR scanner, video upload), set that API to "(self)".

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_action('send_headers', function () {
    header('Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()');
});

⚠ Back up functions.php before edits.

✓ How to verify it works: F12 → Network → Response Header: "permissions-policy" visible.

65 Cookies

7 first-party and 1 third-party cookie(s).

1 third-party cookie(s) detected. These can be used to track you across different websites.

☛ Action needed: GDPR VIOLATION: Third-party cookies track visitors across multiple websites. This requires explicit consent (opt-in) BEFORE the cookies are set. Solution: (1) Check which external services set the cookies. (2) Remove unnecessary services. (3) For essential services: Implement a cookie consent banner that only loads these cookies after consent.
▸ How to fix this — step-by-step guide

Third-party cookies (e.g. from Google, Facebook) track visitors across websites. Under GDPR Art. 6 and ePrivacy / national implementations, explicit consent is required BEFORE setting them. Three-step fix: (1) identify which external services set the cookies, (2) remove services you don’t strictly need, (3) for essential services, add a consent banner that loads them only after "Accept".

Special for WordPress: where to add this

WordPress plugin: Cookie-consent plugins for WordPress: "Complianz" (free, GDPR-focused, thorough wizard), "Real Cookie Banner" (free, knows many services), "Borlabs Cookie" (paid, most feature-complete). Critical configuration: set all tracking services to "do NOT load before consent" — most plugins detect standard services (GA, Maps, YouTube) automatically.

✓ How to verify it works: Open the site in incognito mode → F12 → Application → Cookies → your-domain.com. BEFORE clicking "Accept" there must be NO cookies from google.com, facebook.com etc. AFTER consent, yes.

1 of 8 cookie(s) without Secure flag — sent over unencrypted connections too.

☛ Action needed: Set the Secure flag for all cookies. Without it, cookies are also sent over unencrypted HTTP connections and can be intercepted. Your web developer can change this in the cookie configuration.
▸ How to fix this — step-by-step guide

Cookies without the "Secure" flag are also sent over unencrypted HTTP — and can be intercepted by anyone on the same Wi-Fi network. There’s no reason to omit Secure on HTTPS-only sites.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
</IfModule>

⚠ This header appends "; Secure" to cookies that don’t have it yet. Requires Apache 2.4+. The cleaner fix is to correct the code that sets the cookie (PHP: session.cookie_secure=1 in php.ini, or setcookie() with "secure" => true).

Special for WordPress: where to add this

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_filter('secure_logged_in_cookie', '__return_true');
add_action('init', function () {
    if (!headers_sent()) {
        @ini_set('session.cookie_secure', '1');
        @ini_set('session.cookie_httponly', '1');
        @ini_set('session.cookie_samesite', 'Lax');
    }
});

⚠ Sets the Secure flag for WordPress login cookies and PHP session cookies. Plugins that set their own cookies must be configured separately (check plugin settings).

WordPress plugin: Plugins that set cookies (cache, anti-spam, A/B testing) often have toggles like "Secure cookies" or "HTTPS only" in their settings.

✓ How to verify it works: F12 → Application → Cookies → your-domain.com. The "Secure" column should show a checkmark for every cookie.

4 of 8 cookie(s) without HttpOnly flag — could be read by malicious code.

☛ Action needed: Set the HttpOnly flag for all cookies that are not needed by JavaScript. This protects against session data theft through malicious code.
▸ How to fix this — step-by-step guide

Cookies without the "HttpOnly" flag can be read by JavaScript — an XSS attacker can steal session cookies and impersonate the logged-in user. Set HttpOnly for all cookies JavaScript doesn’t actively need.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
</IfModule>

⚠ Cleaner: set cookies with HttpOnly directly (PHP: setcookie(..., [..., 'httponly'=>true])). Exception: cookies that JS actively reads (e.g. some consent cookies).

Special for WordPress: where to add this

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme (or better wp-config.php)

@ini_set('session.cookie_httponly', '1');
@ini_set('session.cookie_secure', '1');

⚠ WordPress login cookies have been HttpOnly since 2.x. If you use a plugin that sets session cookies (e.g. WooCommerce cart pre-login), check its settings.

✓ How to verify it works: F12 → Application → Cookies → "HttpOnly" column shows checkmarks everywhere (except for deliberately JS-readable cookies like the consent cookie).

4 of 8 cookie(s) without SameSite protection — sent with requests from other websites.

☛ Action needed: Set the SameSite attribute (Lax or Strict) for all cookies. This prevents cookies from being sent with requests from other websites (CSRF protection).
▸ How to fix this — step-by-step guide

Without "SameSite" cookies are sent on requests from foreign sites — the basis of CSRF attacks (a foreign page silently triggers actions in your name because the login cookie travels along). Set SameSite=Lax as a minimum.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always edit Set-Cookie "^(.*)$" "$1; SameSite=Lax" "expr=!(resp('Set-Cookie') -strmatch '*SameSite*')"
</IfModule>

⚠ SameSite=Lax is a good default. Strict is safer but breaks external links (user clicks from Google to your site — cookies are NOT sent, login is lost). None allows cross-site but requires "; Secure".

Special for WordPress: where to add this

Option 2: via functions.php in the child theme (Advanced alternative)

File: wp-config.php (above "/* That’s all, stop editing! */")

@ini_set('session.cookie_samesite', 'Lax');
@ini_set('session.cookie_secure', '1');
@ini_set('session.cookie_httponly', '1');

⚠ Sets SameSite/Secure/HttpOnly for PHP session cookies. WordPress login cookies have been SameSite=Lax since WP 6.2. Update older versions!

✓ How to verify it works: F12 → Application → Cookies → "SameSite" column should show "Lax" or "Strict" everywhere, not empty.

First-party cookies (from the website itself)

Name               Domain          Encrypted  Server only  SameSite
__cf_bm            .calendly.com   Yes        Yes          None
_cfuvid            .calendly.com   Yes        Yes          None
__stripe_mid       .calendly.com   Yes        No           Strict
__stripe_sid       .calendly.com   Yes        No           Strict
OptanonConsent     .calendly.com   Yes        No           None
_calendly_session  calendly.com    Yes        Yes          Lax
_dd_s              calendly.com    No         No           Strict

Third-party cookies (from external services)

Name  Domain        Encrypted  Server only  SameSite
m     m.stripe.com  Yes        Yes          None

70 Local Storage (Web Storage)

1 localStorage and 0 sessionStorage item(s) found.

localStorage

Name    Value
_cache  xnEcbQkcIdZXLaJp5sSTMgHHjXXTJLNRLazV/mbZTZw=

10 Third-Party Requests

29 request(s) to 10 different third-party servers.

7 third-party server(s) outside the EU/EEA — potentially problematic for GDPR compliance.

☛ Action needed: POSSIBLE GDPR VIOLATION: Your visitors' data is being transferred to servers outside the EU/EEA. Since the Schrems II ruling, this is only permitted with special safeguards. Solutions: (1) Switch to EU-based alternatives (e.g., Matomo instead of Google Analytics, Bunny Fonts instead of Google Fonts). (2) If not possible: Ensure Standard Contractual Clauses (SCC) and additional technical measures are in place. (3) Obtain explicit visitor consent BEFORE data is transferred.
▸ How to fix this — step-by-step guide

GDPR-relevant: visitor data (at least IP + User-Agent) is transmitted to servers outside the EU/EEA. Since the Schrems-II ruling (2020) this requires Standard Contractual Clauses + supplementary technical measures AND prior consent. Best fix: replace with EU alternatives where possible.

Special for WordPress: where to add this

WordPress plugin: Common culprits and EU alternatives: Google Fonts → Bunny Fonts or self-host (plugin "OMGF — Host Google Fonts Locally"). Google Analytics → Matomo (self-hosted) or Plausible (EU servers). Google reCAPTCHA → hCaptcha (EU) or Friendly Captcha. Google Maps → OpenStreetMap. YouTube embeds → plugin "WP YouTube Lyte" loads only after click. CDN: Cloudflare → BunnyCDN (EU) or KeyCDN.

✓ How to verify it works: Load in incognito mode, F12 → Network → list all requests → check "Domain" column for non-EU servers. After migration no unrequested US domains should load.

3 third-party server(s) within the EU/EEA.

cdn.cookielaw.org 10 Requests · Canada (CA) · EU/EEA

Requested URLs:

  • https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
  • https://cdn.cookielaw.org/consent/a838c8e4-e3ce-442e-8f96-c88d0af98990/a838c8e4-e3ce-442e-8f96-c88d0af98990.json
  • https://cdn.cookielaw.org/scripttemplates/202508.2.0/otBannerSdk.js
  • https://cdn.cookielaw.org/consent/a838c8e4-e3ce-442e-8f96-c88d0af98990/0194ae47-f287-77e4-973a-308fa3153bfd/en.json
  • https://cdn.cookielaw.org/scripttemplates/202508.2.0/assets/v2/otPcPanel.json
  • https://cdn.cookielaw.org/scripttemplates/202508.2.0/assets/otFloatingRounded.json
  • https://cdn.cookielaw.org/scripttemplates/202508.2.0/assets/otCommonStyles.css
  • https://cdn.cookielaw.org/logos/static/ot_guard_logo.svg
  • https://cdn.cookielaw.org/logos/static/powered_by_logo.svg
  • https://cdn.cookielaw.org/logos/122ecfc3-4694-42f1-863f-2db42d1b1e68/0e69414e-286b-4e49-b24b-84b4ed6d6ec9/c05bbdff-e7a2-4d14-a37f-28e2f63112d5/logo.png

www.gstatic.com 4 Requests · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://www.gstatic.com/recaptcha/releases/gTpTIWhbKpxADzTzkcabhXN4/recaptcha__en.js
  • https://www.gstatic.com/recaptcha/releases/gTpTIWhbKpxADzTzkcabhXN4/styles__ltr.css
  • ... and 2 more request(s)

js.stripe.com 3 Requests · Germany (DE) · EU/EEA

Requested URLs:

  • https://js.stripe.com/v3
  • https://js.stripe.com/v3/m-outer-3437aaddcdf6922d623e172c2d6f9278.html#url=https%3A%2F%2Fcalendly.com%2Fsendproud%2F30min%2F&title=Calendly&referrer=&muid=NA&sid=NA&version=6&preview=false&__shared_pa
  • https://js.stripe.com/v3/fingerprinted/js/m-outer-15a2b40a058ddff1cffdb63779fe3de1.js

www.recaptcha.net 3 Requests · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://www.recaptcha.net/recaptcha/enterprise.js?render=6LeAb4QUAAAAAOM9CNYSsvbnzWTByRAgm3GA5D4n
  • https://www.recaptcha.net/recaptcha/enterprise/anchor?ar=1&k=6LeAb4QUAAAAAOM9CNYSsvbnzWTByRAgm3GA5D4n&co=aHR0cHM6Ly9jYWxlbmRseS5jb206NDQz&hl=en&v=gTpTIWhbKpxADzTzkcabhXN4&size=invisible&anchor-ms=2000
  • https://www.recaptcha.net/recaptcha/enterprise/webworker.js?hl=en&v=gTpTIWhbKpxADzTzkcabhXN4

notifier-configs.airbrake.io 2 Requests · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://notifier-configs.airbrake.io/2020-06-18/config/648967/config.json?&notifier_name=airbrake-js%2Fbrowser&notifier_version=2.1.9&os=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20App
  • ... and 1 more request(s)

m.stripe.network 2 Requests · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://m.stripe.network/inner.html#url=https%3A%2F%2Fcalendly.com%2Fsendproud%2F30min%2F&title=Calendly&referrer=&muid=NA&sid=NA&version=6&preview=false&__shared_params__[version]=v3
  • https://m.stripe.network/out-4.5.45.js

m.stripe.com 2 Requests · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://m.stripe.com/6
  • ... and 1 more request(s)

accounts.google.com 1 Request · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://accounts.google.com/gsi/client

d3v0px0pttie1i.cloudfront.net 1 Request · United States (US) · Non-EU
⚠ GDPR Issue: This server is located outside the EU/EEA. Transferring personal data (e.g. your visitors' IP addresses) to this server may violate Art. 44-49 GDPR. Without a valid legal basis (e.g. consent, Standard Contractual Clauses) this data transfer is unlawful.

Requested URLs:

  • https://d3v0px0pttie1i.cloudfront.net/uploads/user/avatar/50613436/99cfe3f3.jpeg

geolocation.onetrust.com 1 Request · Canada (CA) · EU/EEA

Requested URLs:

  • https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location

60 Tracker Detection

2 known tracker(s) detected! These track visitors across different websites.

☛ Action needed: GDPR VIOLATION: Trackers follow your visitors across different websites. This requires explicit consent BEFORE loading the trackers. Solutions: (1) Remove all unnecessary trackers. (2) Switch to privacy-friendly alternatives (e.g., Matomo, Plausible, Fathom instead of Google Analytics). (3) For essential trackers: Implement a consent banner that only loads trackers AFTER consent.
▸ How to fix this — step-by-step guide

Trackers (Google Analytics, Facebook Pixel, …) capture visitors and follow them across multiple sites. Under GDPR Art. 6 and ePrivacy / national implementations, explicit consent is required BEFORE loading the tracker. "Continued scrolling = consent" is NOT acceptable.

Special for WordPress: where to add this

WordPress plugin: Consent plugins that properly block trackers until consent: "Complianz" (free, very good), "Real Cookie Banner", "Borlabs Cookie" (paid, most thorough). Principle after setup: do NOT embed the tracker snippet (e.g. GA script) directly in your theme — register it with the consent plugin, which only releases it after "Accept". Privacy-friendly tracker alternatives: Matomo (cookieless mode → may need no consent), Plausible (EU, anonymous, vendor claims no consent needed — legal advice recommended).

✓ How to verify it works: Incognito, load page — BEFORE "Accept": F12 → Network → no requests to google-analytics.com, facebook.com/tr etc. AFTER "Accept", yes.

Google (Anti-fraud): www.recaptcha.net

Google (Content): www.gstatic.com

17 External Resource Integrity (SRI)

1 of 6 external resource(s) uses integrity verification (SRI).

☛ Action needed: Not all external resources have integrity verification. Add SRI hashes for the missing resources.
▸ How to fix this — step-by-step guide

Only some of your external resources (1 of 6) are protected by SRI. Add integrity attributes to the remaining ones too.

Special for WordPress: where to add this

WordPress plugin: Approach: view page source → all <script src="https://…"> and <link href="https://…"> without integrity attribute → generate hash at https://www.srihash.org/ → add integrity="sha384-…" crossorigin="anonymous". Plugin "WP-SRI" automates many cases.

✓ How to verify it works: F12 → Console on page load: no "Failed to find a valid digest" messages. Source: all external <script>/<link> have an integrity attribute.

100 DNS Security

CAA records present: comodoca.com, digicert.com; cansignhttpexchanges=yes, godaddy.com, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com, amazon.com, comodoca.com, digicert.com; cansignhttpexchanges=yes, godaddy.com, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com, mailto:platform@calendly.com, amazon.com — only specified certificate authorities may issue certificates.

2 nameservers present — good redundancy.

IPv6 support present (AAAA records).

SPF record present: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:_spf.google.com include:mktomail.com ~all — protects against email spoofing.

DMARC record present: v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@vali.email — email authentication active.

100 Security Contact (security.txt)

security.txt found: https://calendly.com/.well-known/security.txt

Contact field present (required) — security researchers can report vulnerabilities.

Expires field present (required).

100 External Reporting Endpoints

No external reporting endpoints detected.

85 Cookie Consent

Cookie consent system detected: OneTrust, cookielaw.org.

Consent banner is visible to visitors.

Trackers are loaded on page load — possibly BEFORE consent is given.

☛ Action needed: Trackers are loaded on page load, possibly before the visitor has consented. Ensure your consent system only activates trackers AFTER consent (opt-in, not opt-out).
▸ How to fix this — step-by-step guide

Your trackers are loaded BEFORE the user can consent ("pre-consent loading"). Common misconfiguration in cookie plugins — banner appears, but too late: the GA script is already running. Violates ePrivacy.

Special for WordPress: where to add this

WordPress plugin: Almost always caused by the theme or a tracking plugin that embeds the tracker code directly (e.g. "Google Analytics for WordPress" with auto-insert). Fix: 1) remove tracking code from the theme/plugin. 2) In the consent plugin (Complianz/Real Cookie Banner): register the tracker as a "service", paste the snippet there — the plugin will load it only after consent. 3) ALTERNATIVELY: plugin "PYS PixelYourSite" combined with consent gating. Do NOT rely on "GA anonymized before consent" — legally unsettled and risky.

✓ How to verify it works: Incognito → F12 → Network (clear all, start recording) → load page, do NOT click banner, wait 10 seconds → there must be NO requests to google-analytics.com, googletagmanager.com, facebook.com/tr, doubleclick.net etc.

100 Privacy Policy & Legal Notice

Privacy policy linked: "Privacy Policy" (https://calendly.com/legal/privacy-notice).

Legal notice linked: "Privacy Policy" (https://calendly.com/legal/privacy-notice).

Privacy policy page is accessible (HTTP 200).

⚙ Your ready-to-use security .htaccess

All missing security headers combined into one block. Append this block to the end of your .htaccess — done. 6 headers will be set.

⚠ Why this recommendation does NOT give a 100% score — and why that's how it is with WordPress

The Content-Security-Policy above deliberately includes 'unsafe-inline' for both style-src and script-src. This does NOT provide full XSS protection — it's a pragmatic trade-off, not a bug.

Why? A typical WordPress setup (theme + 5-15 plugins) emits 10-50 different inline <script> blocks into the HTML: jQuery init, slider init, cookie banner, tracking, GTM, web vitals, lazy-load, speculation rules and so on. A strict script-src 'self' blocks them all — the site becomes visually and functionally broken (blank slider, broken cookie banner, dead plugins).

Consequence for scoring: Sites running WordPress with plugins can score at most ~75-85 points in the CSP category in this app — the full 100% rating is only achievable when inline code is signed via nonce or hash (technically demanding, breaks on every theme/plugin update).

Paths to full XSS protection (in increasing complexity):

  • Plugin "WP Content Security Policy & Headers" — automatically adds nonces to inline scripts (medium effort, cleanest WP solution).
  • Hash-based CSP — whitelist every inline script via SHA-256 in the CSP (fragile, breaks on updates).
  • Externalize inline scripts — rebuild theme/plugins so no inline JS is emitted (huge effort, often impossible).

Anyone who doesn't take one of these paths lives with 'unsafe-inline' — like about 95% of all production WordPress sites on the web. The other CSP directives still protect: default-src 'self' blocks external resources, object-src 'none' bans Flash/Java, frame-ancestors 'self' prevents clickjacking, base-uri 'self' prevents base-tag hijacking. Not maximum protection, but realistic protection for WP reality.

⚠ Important on Hetzner-Konsoleh webhosting (managed / shared hosting)

On Hetzner-Konsoleh webhosting (and comparable shared hosts like All-Inkl, IONOS, Strato, 1blu, …), Apache throws a 500 Internal Server Error as soon as Header always edit Set-Cookie … expr=… appears in .htaccess. The Apache error log says:

Can't parse envclause/expression: syntax error, unexpected T_OP_STR_EQ, expecting $end

This is not a WebForensik bug and not a typo — the shared host has blocked the mod_headers expr= subset via AllowOverride limits (for security, because Header edit could also manipulate cookies of other tenants).

☛ For Hetzner-Konsoleh users: use the variant below marked with the red "Hetzner / Shared" badge. It consists of two files (.htaccess + wp-config.php) instead of one, but avoids the 500 error reliably. Cookie flags go into wp-config.php instead of .htaccess.

Standard Apache (any host, without WordPress)

Append this block to the end of your .htaccess in the web root — done.

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=(), browsing-topics=()"

    # Add missing cookie flags conditionally (only if not already set)
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
    Header always edit Set-Cookie "^(.*)$" "$1; SameSite=Lax" "expr=!(resp('Set-Cookie') -strmatch '*SameSite*')"
</IfModule>

Hetzner / Shared: Hetzner-Konsoleh / Managed Hosting (two files)

This variant avoids the 500 Internal Server Error on Hetzner-Konsoleh and similar shared hosts (All-Inkl, IONOS, Strato, 1blu …): the .htaccess only contains the header directives (no "Header edit"), cookie flags move into wp-config.php. Two files to edit instead of one, but guaranteed to run.

1. File: .htaccess in the WordPress root
# BEGIN WebForensik Security
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=(), browsing-topics=()"
</IfModule>
# END WebForensik Security

2. File: wp-config.php in the WordPress root

Insert ABOVE the line "/* That's all, stop editing! */". Back up wp-config.php first!

// === WebForensik: cookie hardening (suitable for Hetzner-Konsoleh) ===
// Insert ABOVE the line "/* That's all, stop editing! */".
// Affects PHP session cookies and WordPress login cookies.
// Plugin-specific cookies (e.g. WooCommerce, cookie banners) must be set to
// "Secure" separately in the plugin's own settings.
@ini_set('session.cookie_secure',   '1');
@ini_set('session.cookie_httponly', '1');
@ini_set('session.cookie_samesite', 'Lax');
if (!defined('FORCE_SSL_ADMIN')) define('FORCE_SSL_ADMIN', true);

WordPress: .htaccess in WP root

Insert this block ABOVE the "# BEGIN WordPress" line, otherwise WP overwrites it on permalink changes.

# BEGIN WebForensik Security
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=(), browsing-topics=()"

    # Conditionally add missing cookie flags
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
    Header always edit Set-Cookie "^(.*)$" "$1; SameSite=Lax" "expr=!(resp('Set-Cookie') -strmatch '*SameSite*')"
</IfModule>
# END WebForensik Security

Alternative for WordPress: functions.php in child theme

If your host disallows .htaccess changes: append this PHP snippet to the end of your CHILD theme's functions.php. Back up first — NEVER edit the parent theme, it gets overwritten on updates.

add_action('send_headers', function () {
    header("Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests");
    header("X-Frame-Options: SAMEORIGIN");
    header("Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=(), browsing-topics=()");
});

// Cookie flags for PHP session cookies — only affects $_SESSION,
// NOT cookies set by plugins/themes via setcookie().
// For comprehensive cookie hardening use the .htaccess variant above.
add_action('init', function () {
    if (headers_sent()) return;
    @ini_set('session.cookie_secure', '1');
    @ini_set('session.cookie_httponly', '1');
    @ini_set('session.cookie_samesite', 'Lax');
}, 1);
HTTP Response Headers

Header                      Value
cache-control               max-age=0, private, must-revalidate
cf-cache-status             DYNAMIC
cf-ray                      9f5f083d3adb913a-FRA
content-encoding            br
content-type                text/html; charset=utf-8
date                        Sun, 03 May 2026 11:47:40 GMT
link                        <https://assets.calendly.com/assets/booking/css/booking-a8fe825cd.css>; rel=preload; as=style; nopush
referrer-policy             strict-origin-when-cross-origin
server                      cloudflare
set-cookie                  _calendly_session=br9N1zMXTmHkWG5smAZ6D%2Bpp5Kdjq5CRjN1dHLnhr6KfULn2%2BkSMudfQF%2FVcKkWKyaUeegL%2BN9Yr3n3TBn%2BImlZ5hVg9iM3O4v64EdXUigXviq1VDp8MoVoPTE7MuTxPyWzyc51Kzh%2Fn2Mn0vc%2Fmf%2F8fh8bdPFhHPq%2FVUKU%2FHhZ9KlphO4Q9e7O4U990cr%2FWtVb4sQeGS0LK9Gjr6yyLdlI7%2F7WBZfpiW5sJnJTlAByGXexNHcuOf%2B6Wu9zITKUb
strict-transport-security   max-age=31536000; includeSubDomains; preload
x-booking-bff-response      true
x-content-type-options      nosniff
x-frame-options             ALLOWALL
x-request-id                be77b8162b3998ed43743fd12887c59c
x-runtime                   0.224223
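As an added example (not part of the WebForensik report or the tool itself), the following Python script audits a captured response against the same points the fixes above address (CSP present, HSTS of at least one year, a valid X-Frame-Options value, Secure/HttpOnly/SameSite on Set-Cookie) and reproduces what the .htaccess block does: set the three headers and conditionally append the missing cookie flags. The header values are a constructed sample modelled on the table above; the Set-Cookie value is a placeholder, and the Permissions-Policy is shortened. The cookie check here matches on the attribute name rather than the substring match (`-strmatch '*Secure*'`) the Apache expression uses, so a cookie whose value merely contains the word "Secure" is not mistaken for a flagged one.

```python
"""Audit HTTP response headers and apply the WebForensik-style hardening.

Constructed sample data; not the report's own tooling."""
import re

# Constructed sample modelled on the header table in the report. The cookie
# value is a placeholder and carries no attributes, the case the fixes target.
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "x-content-type-options": "nosniff",
    "x-frame-options": "ALLOWALL",
    "referrer-policy": "strict-origin-when-cross-origin",
    "set-cookie": "_calendly_session=EXAMPLEVALUE; Path=/",
}

# The starter policy from the .htaccess block above.
CSP_FROM_REPORT = (
    "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; "
    "frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
)
# Shortened for the example; the report's block lists more features.
PERMISSIONS_POLICY = "camera=(), microphone=(), geolocation=(), payment=()"
ONE_YEAR = 31536000


def _has_attr(cookie: str, attr: str) -> bool:
    """True if the Set-Cookie string already carries the attribute (name match, case-insensitive)."""
    return re.search(r";\s*" + re.escape(attr) + r"\b", cookie, re.IGNORECASE) is not None


def harden_set_cookie(value: str) -> str:
    """Mirror the three 'Header always edit Set-Cookie' rules: append each
    flag only when that attribute is not already present."""
    out = value
    for flag in ("Secure", "HttpOnly", "SameSite=Lax"):
        attr = flag.split("=")[0]
        if not _has_attr(out, attr):
            out += "; " + flag
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    # Browsers only honour DENY and SAMEORIGIN; any other value is ignored,
    # which leaves the page frameable (ALLOWALL in the table above is such a value).
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid: " + (xfo or "(none)"))
    cookie = h.get("set-cookie")
    if cookie is not None:
        for attr in ("Secure", "HttpOnly", "SameSite"):
            if not _has_attr(cookie, attr):
                findings.append("Set-Cookie lacks " + attr)
    return findings


def apply_fixes(headers: dict) -> dict:
    """Do what the .htaccess block does: 'Header always set' replaces any existing
    value of the three headers, and the Set-Cookie edit adds the missing flags."""
    fixed = {k.lower(): v for k, v in headers.items()}
    fixed["content-security-policy"] = CSP_FROM_REPORT
    fixed["x-frame-options"] = "SAMEORIGIN"
    fixed["permissions-policy"] = PERMISSIONS_POLICY
    if "set-cookie" in fixed:
        fixed["set-cookie"] = harden_set_cookie(fixed["set-cookie"])
    return fixed


if __name__ == "__main__":
    print("before:", audit_headers(SAMPLE_HEADERS))
    print("after: ", audit_headers(apply_fixes(SAMPLE_HEADERS)))
```

Run it against a real response by pasting the header names and values into SAMPLE_HEADERS; if a site sets several cookies, call audit_headers once per Set-Cookie line, since the dict form keeps only one.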


Embed your score on your website

Show your WebForensik score publicly. The badge is a lightweight SVG, loads fast, and respects your visitors' privacy (no tracking).

WebForensik Score Badge

HTML code to embed (this specific scan)

<a href="https://webforensik.de/results.php?id=76" target="_blank" rel="noopener">
  <img src="https://webforensik.de/badge.php?id=76" alt="WebForensik Score" width="174" height="28">
</a>

Or dynamically — always shows the latest scan of this domain

<a href="https://webforensik.de/?url=https://calendly.com" target="_blank" rel="noopener">
  <img src="https://webforensik.de/badge.php?domain=calendly.com" alt="WebForensik Score" width="174" height="28">
</a>