
WebForensik

Results for https://www.horsch.com/us/home

Scan time: 2026-03-28 01:45:18

75

Overall Score

GDPR Summary

⚠ This website needs improvement regarding data protection.

GDPR Issues Detected (1):

⚠ No Content Security Policy — increased risk of cross-site scripting (XSS) and data theft.

Note: This automated analysis does not replace legal advice. For a complete GDPR assessment, consult a data protection officer.

↓ See detailed results for each category below.

100 HTTPS / Encryption

The website uses an encrypted connection (HTTPS).

Latest protocol version active (TLS 1.3).

The security certificate is valid (expires 2026-07-21).

Strong cipher suite (TLS_AES_256_GCM_SHA384: AES-256-GCM with SHA-384).

100 Enforced Encryption (HSTS)

HSTS is enabled — the browser is instructed to always use the encrypted connection.

HSTS duration: 31536000 seconds (at least 1 year) — very good.

HSTS also applies to all subdomains (includeSubDomains).

HSTS preload directive is present. Browsers only know about the encryption before the first visit once the domain has been submitted to and accepted on the HSTS preload list (hstspreload.org); the header by itself only marks the domain as eligible, so check the listing status there.

0 Content Security Policy (CSP)

No Content-Security-Policy header found. Without a CSP the browser has no instruction to block scripts injected into the page, so any cross-site scripting (XSS) bug would run unrestricted. The X-XSS-Protection header that is present (see the response headers below) is deprecated, no longer honoured by current major browsers, and not a substitute.

☛ Action needed: Set up a Content Security Policy. It limits what injected code can do (Cross-Site Scripting/XSS). A minimal policy is Content-Security-Policy: default-src 'self'. Note that this blocks inline scripts and styles and every third-party resource, so roll it out first as Content-Security-Policy-Report-Only, fix the reported violations, and only then switch to the enforcing header. Your web developer or hosting provider can help.

100 Referrer Policy

Referrer-Policy: same-origin (via HTTP-Header).

100 MIME Type Protection

MIME type protection active (nosniff) — browsers will not misinterpret files.

100 Clickjacking Protection

Clickjacking protection active: X-Frame-Options = SAMEORIGIN. The modern equivalent is the CSP frame-ancestors directive; once a CSP is introduced, set frame-ancestors 'self' as well and keep X-Frame-Options for older browsers.

0 Permissions (Camera, Microphone, etc.)

No Permissions-Policy set. The page places no restriction on powerful browser features such as camera, microphone or geolocation: any script running in the page (including injected or third-party code) could request them.

☛ Action needed: Set a Permissions-Policy to control access to camera, microphone and location. GDPR-relevant: the browser still asks the user before granting these features, but without this header the site cannot stop embedded or injected scripts from asking in the first place. Example: Permissions-Policy: camera=(), microphone=(), geolocation=() (an empty allowlist disables the feature for the page itself and for every frame it embeds; a page that genuinely needs one of them allows it explicitly with self).

75 Cookies

2 first-party and 0 third-party cookie(s).

2 of 2 cookie(s) without Secure flag: a browser may send them over plain HTTP as well. HSTS with preload (above) means current browsers will not make plain-HTTP requests to this host, which limits the exposure, but the flag is still expected: it keeps the cookies protected if HSTS is ever relaxed, and browsers reject SameSite=None cookies that are not also Secure.

☛ Action needed: Set the Secure flag for all cookies. Without it, cookies may also be sent over unencrypted HTTP connections and be intercepted. Your web developer can change this in the cookie configuration.

2 of 2 cookie(s) without HttpOnly flag: they can be read by JavaScript, including injected script.

☛ Action needed: Set the HttpOnly flag for all cookies that are not needed by JavaScript. This protects against session data theft through malicious code.

1 of 2 cookie(s) without SameSite attribute (preferedLanguage, see the cookie table): it is sent with requests initiated from other websites. Chromium-based browsers treat a missing attribute as Lax by default; other browsers do not, so it must be set explicitly.

☛ Action needed: Set the SameSite attribute (Lax or Strict) for all cookies. This prevents cookies from being sent with cross-site requests (CSRF protection).

First-party cookies (from the website itself)

Name                 Domain          Secure  HttpOnly  SameSite
preferedLanguage     www.horsch.com  No      No        not set
mtm_consent_removed  www.horsch.com  No      No        Lax

"not set" means the Set-Cookie header carries no SameSite attribute at all (see the response headers below).

100 Local Storage (Web Storage)

No local storage (Web Storage) used — no tracking risk.

100 Third-Party Requests

No third-party requests detected — all content comes from the website's own server.

100 Tracker Detection

No known trackers detected.

100 External Resource Integrity (SRI)

No external scripts or stylesheets loaded.

50 DNS Security

No CAA records. Any publicly trusted certificate authority that validates domain control could issue a certificate for this domain.

☛ Action needed: Create CAA DNS records naming the certificate authorities allowed to issue for your domain (issue and issuewild tags with the CA's domain, plus an iodef tag with a contact address for violation reports). Public CAs are required to check CAA before issuing, so requests made through any other CA are refused. CAA does not protect against a compromised or non-compliant CA, so combine it with Certificate Transparency log monitoring.

No IPv6 support (no AAAA record). This is a reachability finding rather than a security weakness.

☛ Action needed: Enable IPv6 support (AAAA records) for your domain. A growing share of users connect over IPv6.

No SPF record. Any host can send mail claiming to be from this domain, and receivers have no basis to reject it. SPF and DMARC are published at the mail domain's apex (and its _dmarc label), so confirm the finding against horsch.com rather than the www host before acting.

☛ Action needed: Create an SPF DNS record (TXT) at the apex of the mail domain listing the servers that may send mail on its behalf. Example: v=spf1 include:_spf.google.com ~all (that include is Google Workspace's; replace it with your actual mail provider's). Once every legitimate sender is listed, tighten ~all (softfail, mail is only marked) to -all (hard fail). A domain that sends no mail at all should publish v=spf1 -all.

No DMARC record. Receivers apply no policy to mail that fails SPF or DKIM alignment, which makes the domain easy to spoof in phishing.

☛ Action needed: Create a DMARC DNS record (TXT) at _dmarc.yourdomain.com. DMARC tells receivers what to do with mail that fails SPF or DKIM alignment and delivers aggregate reports to the rua= address. Example: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com. If existing mail flows are unknown, start with p=none to collect reports, then move to quarantine and finally reject. DMARC needs SPF or DKIM in place to evaluate against.
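As an added example (not the scanner's own code) of what the DNS Security section above grades: the functions below parse SPF, DMARC and CAA records from constructed strings, including the report's own example values, and return the same kind of verdict. The CA name letsencrypt.org and the mailbox addresses are placeholders for illustration, and nothing is queried over the network.

```python
"""Grade SPF, DMARC and CAA records the way the DNS Security section does.
Added example, not WebForensik's own code; all records are constructed strings."""
from typing import Dict, List, Optional


def parse_spf(record: Optional[str]) -> Optional[Dict[str, object]]:
    """Return the SPF terms and the qualifier of the 'all' mechanism
    (+, -, ~ or ?), or None if the TXT record is absent or not SPF."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_qualifier = None
    for term in terms:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            all_qualifier = qualifier
    return {"terms": terms, "all": all_qualifier}


def grade_spf(record: Optional[str]) -> str:
    spf = parse_spf(record)
    if spf is None:
        return "missing: any host can send mail as this domain"
    if spf["all"] == "-":
        return "ok: unlisted senders hard-fail"
    if spf["all"] == "~":
        return "softfail (~all): forged mail is marked, not rejected"
    return "weak: no -all/~all, record does not restrict senders"


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """'v=DMARC1; p=...; rua=...' -> {tag: value}, or None if absent/not DMARC."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> str:
    tags = parse_dmarc(record)
    if tags is None:
        return "missing: receivers apply no policy to spoofed mail"
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: p= tag missing or unknown"
    notes = []
    if policy == "none":
        notes.append("monitoring only")
    if "rua" not in tags:
        notes.append("no rua= reports")
    if tags.get("pct", "100") != "100":
        notes.append(f"pct={tags['pct']} applies policy to a sample")
    return f"p={policy}" + (f" ({', '.join(notes)})" if notes else "")


def grade_caa(records: List[str]) -> str:
    """records are CAA rdata strings such as '0 issue "letsencrypt.org"'."""
    if not records:
        return "missing: any CA may issue"
    issuers = set()
    for rdata in records:
        _flags, tag, value = rdata.split(None, 2)
        if tag.lower() in ("issue", "issuewild"):
            issuers.add(value.strip('"'))
    if not issuers:
        return "present but no issue tag: any CA may still issue"
    if issuers == {";"}:  # issue ";" forbids every CA
        return "issuance forbidden for all CAs"
    return "issuance restricted to: " + ", ".join(sorted(issuers))


if __name__ == "__main__":
    # Constructed inputs: the scan result (no records), the report's example
    # values (placeholder CA and mailbox), and a locked-down no-mail domain.
    for label, spf, dmarc, caa in (
        ("as scanned", None, None, []),
        ("report examples", "v=spf1 include:_spf.google.com ~all",
         "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com",
         ['0 issue "letsencrypt.org"']),
        ("sends no mail", "v=spf1 -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com", ['0 issue ";"']),
    ):
        print(f"{label}: SPF {grade_spf(spf)} | DMARC {grade_dmarc(dmarc)} | CAA {grade_caa(caa)}")
```

The grading deliberately distinguishes ~all from -all and p=none from the enforcing policies, because a record that merely exists is the state many scanners report as "present" although it still lets spoofed mail through.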

0 Security Contact (security.txt)

No security.txt file found (RFC 9116). Security researchers have no published way to report vulnerabilities to this site.

☛ Action needed: Create a security.txt file at /.well-known/security.txt and serve it over HTTPS. Required fields: Contact (a mailto: or https: URI) and Expires (an ISO 8601 date-time after which the file is considered stale; renew it before that date, ideally within a year). Recommended additions: Canonical (the file's own URL) and Preferred-Languages. This lets researchers report vulnerabilities responsibly.

100 External Reporting Endpoints

No external reporting endpoints detected: no Report-To or Reporting-Endpoints header points browser violation reports at a third-party collector.

80 Cookie Consent

The scan found no trackers and no third-party cookies, so on that basis no consent banner is required. Note that the first-party cookie mtm_consent_removed carries the mtm_ prefix of Matomo's consent cookies, which indicates a Matomo analytics deployment (possibly self-hosted and therefore first-party); whether that needs consent depends on its configuration (cookieless tracking, IP anonymisation), which this scan cannot assess.

100 Privacy Policy & Legal Notice

Privacy policy linked: "Privacy Policy & Statement" (/us/privacy-policy-statement).

Legal notice linked: "Imprint" (/us/imprint).

Privacy policy page is accessible (HTTP 200).

HTTP Response Headers

Header                     Value
cache-control              max-age=0
content-encoding           gzip
content-language           en
content-length             20207
content-type               text/html; charset=utf-8
date                       Sat, 28 Mar 2026 00:44:39 GMT
expires                    Sat, 28 Mar 2026 00:44:39 GMT
referrer-policy            same-origin
server                     Apache
set-cookie                 preferedLanguage=us; path=/
strict-transport-security  max-age=31536000; includeSubDomains; preload
vary                       User-Agent,Accept-Encoding
x-content-type-options     nosniff
x-frame-options            SAMEORIGIN
x-ua-compatible            IE=edge
x-xss-protection           1; mode=block
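To reproduce the header and cookie findings of this report offline, here is an added Python example (not WebForensik's code) that parses the response headers from the table above, grades them the way the CSP, Permissions-Policy and Cookies sections do, and then runs the same checks on a constructed hardened version. The Set-Cookie line for mtm_consent_removed is an assumption mirroring the cookie table, since only the preferedLanguage Set-Cookie appears on this page; the hardened header values are hypothetical.

```python
"""Re-run the header and cookie checks of the report above against the captured
response headers. Added example, not WebForensik's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, copied from the report's response-header table. The
# second Set-Cookie line is an ASSUMPTION mirroring the cookie table (the page
# shows only the preferedLanguage Set-Cookie).
CAPTURED_HEADERS = """\
referrer-policy: same-origin
set-cookie: preferedLanguage=us; path=/
set-cookie: mtm_consent_removed=1; path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
"""
# Constructed "after" state with the recommendations applied (hypothetical
# values; preferedLanguage deliberately stays readable by JavaScript).
HARDENED_HEADERS = """\
referrer-policy: same-origin
set-cookie: preferedLanguage=us; path=/; Secure; SameSite=Lax
set-cookie: mtm_consent_removed=1; path=/; Secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'self'
permissions-policy: camera=(), microphone=(), geolocation=()
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
"""
Header = Tuple[str, str]


def parse_headers(raw: str) -> List[Header]:
    """'Name: value' lines -> (lower-cased name, value) pairs; a list, not a
    dict, because Set-Cookie legitimately repeats."""
    pairs = []
    for line in filter(str.strip, raw.splitlines()):
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


@dataclass
class Cookie:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None  # None: attribute absent


def parse_set_cookie(value: str) -> Cookie:
    """Pull the attributes the report grades on out of one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    cookie = Cookie(name=parts[0].split("=", 1)[0])
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.strip() or None
    return cookie


def check_cookies(headers: List[Header], js_readable=frozenset()) -> List[str]:
    """Flag Secure/HttpOnly/SameSite gaps. js_readable names cookies that
    JavaScript must read and that are therefore exempt from HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if not c.secure:
            findings.append(f"{c.name}: missing Secure")
        if not c.httponly and c.name not in js_readable:
            findings.append(f"{c.name}: missing HttpOnly")
        if c.samesite is None:
            findings.append(f"{c.name}: no SameSite attribute")
        elif c.samesite.lower() == "none" and not c.secure:
            # Browsers reject SameSite=None cookies that are not also Secure.
            findings.append(f"{c.name}: SameSite=None requires Secure")
    return findings


def check_policies(headers: List[Header]) -> List[str]:
    """Presence checks for CSP and Permissions-Policy, as the report does."""
    present = dict(headers)  # adequate for the single-valued headers used here
    findings = []
    if "content-security-policy" not in present:
        if "content-security-policy-report-only" in present:
            findings.append("CSP is report-only: violations are logged, nothing is blocked")
        else:
            findings.append("no Content-Security-Policy")
    if "x-xss-protection" in present:
        findings.append("X-XSS-Protection is deprecated and no substitute for CSP")
    if "permissions-policy" not in present:
        findings.append("no Permissions-Policy")
    return findings


def audit(raw: str, js_readable=frozenset()) -> List[str]:
    headers = parse_headers(raw)
    return check_policies(headers) + check_cookies(headers, js_readable)


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}:")
        for finding in audit(raw, js_readable={"preferedLanguage"}) or ["no findings"]:
            print("  -", finding)
```

preferedLanguage is passed as js_readable because a language switcher typically reads it client-side; drop the exemption if it does not. The checks also cover two states this report does not show: a CSP that exists only in report-only mode, which enforces nothing, and a SameSite=None cookie without Secure, which browsers discard.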
