Results for https://www.who.int/ | Webbkoll

HTTPS by default

www.who.int uses HTTPS by default.

Chromium reports the following:

Title	Summary	Description
Certificate	valid and trusted	The connection to this site is using a valid, trusted server certificate issued by E1.
Connection	secure connection settings	The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.
Resources	all served securely	All resources on this page are served securely.

More information about the site's TLS/SSL configuration:

How to implement

To enable HTTPS on a website, a certificate for the domain needs to be installed on the web server. To get a certificate that browsers will trust, you need one issued by a trusted certificate authority (otherwise a visitor's browser will show a warning).

Let's Encrypt is a non-profit certificate authority (sponsored by Mozilla, EFF, Cisco, Facebook and others) providing free certificates through an easy, automated process. You can set it up yourself, or use one of the many hosting providers who have built-in support for Let's Encrypt.

Get started with Let's Encrypt
Mozilla SSL/TLS Configuration Generator [for advanced users]
For checking the configuration of a server, try SSL Labs SSL Server Test (web), testssl.sh (CLI tool), Mozilla TLS Observatory (CLI tool) or Observatory by Mozilla (web).

HTTPS encrypts nearly all information sent between a client and a web service. Properly configured, it guarantees three things:

Confidentiality. The visitor's connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
Authenticity. The visitor is talking to the "real" website, and not to an impersonator or through a "man-in-the-middle".
Integrity. The data sent between the visitor and the website has not been tampered with or modified.

A plain HTTP connection can be easily monitored, modified, and impersonated. Every unencrypted HTTP request reveals information about a userâs behavior, and the interception and tracking of unencrypted browsing has become commonplace.

The goal of the Internet community is to establish encryption as the norm, and to phase out unencrypted connections.

GDPR: Rec. 83, Art. 5.1.f, Art. 25, Art. 32.1
By GDPR Art. 25, a controller is responsible for implementing state of the art data protection by design and by default. Encrypted connections are a well-established technology to protect the privacy of web visitors against eavesdroppers on the wire.

HTTP Strict Transport Security (HSTS)

HSTS policy for https://www.who.int:
max-age=31536000; preload

Pass	Test
	`max-age` set to at least 6 months
	`includeSubDomains` — policy also applies to subdomains
	`preload` — requests inclusion in preload lists [only relevant for base domain]

HSTS policy for https://who.int:
max-age=31536000; preload

Pass	Test
	`max-age` set to at least 6 months
	`includeSubDomains` — policy also applies to subdomains
	`preload` — requests inclusion in preload lists

How to implement

HSTS is just an HTTP header. In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds (the policy is refreshed every time browser sees the header again):

Strict-Transport-Security: max-age=31536000;

In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be "preloaded" into browsers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Note that includeSubDomains should be deployed at the base domain, i.e., https://example.com, not https://www.example.com. While we recommend the use of includeSubDomains, be very careful, as it means that all subdomains associated with the parent domain must support HTTPS. (They do not have to each have their own HSTS policy.)

For a user to take advantage of HSTS, their browser does have to see the HSTS header at least once. This means that users are not protected until after their first successful secure connection to a given domain.

To solve this problem, the Chrome security team created an "HSTS preload list": a list of domains baked into Chrome that get Strict Transport Security enabled automatically, even for the first visit.

Firefox, Safari, Opera, and Edge also incorporate Chromeâs HSTS preload list, making this feature shared across major browsers.

The Chrome security team allows anyone to submit their domain to the list, provided it meets a few requirements.

HTTP Strict Transport Security [cio.gov]
HSTS Preload List Submission [hstspreload.org]
Strict-Transport-Security [mozilla.org]

Text adapted from the CIO Council's The HTTPS-Only Standard (public domain).

Content Security Policy

Content Security Policy set in HTTP header: default-src 'self' *.analysis.windows.net *.clarity.ms *.nativechat.com *.tts.speech.microsoft.com *.who.int *.who.cloud.sitefinity.com answers.yext-pixel.com app.powerbi.com assets.sitescdn.net content.powerapps.com covidfunding.eiu.com dc.services.visualstudio.com gis.azureedge.net js.arcgis.com liveapi.yext.com liveapi-cached.yext.com pbi.azureedge.net pbipdfapp.azurewebsites.net player.4am.ch player.clevercast.com polyfill.io services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com tiles.arcgis.com utility.arcgisonline.com visuals.azureedge.net wabi-north-europe-redirect.analysis.windows.net westeurope.tts.speech.microsoft.com who.cloudflareaccess.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whotest.appiancloud.com www.arcgis.com www.googleadservices.com iris.who.int; script-src 'self' *.googleapis.com *.gstatic.com www.google.com apis.google.com connect.facebook.net ajax.aspnetcdn.com https://www.youtube.com platform.twitter.com https://syndication.twitter.com/ https://s.ytimg.com https://publish.twitter.com *.twimg.com platform.linkedin.com http://platform.stumbleupon.com/1/widgets.js https://*.googletagmanager.com https://app-script.monsido.com/v2/monsido-script.js https://heatmaps.monsido.com/ https://tracking.monsido.com/ https://pagecorrect.monsido.com/v1/page-correct.js https://cdn.monsido.com/ 'unsafe-eval' 'unsafe-inline' data: apps.who.int/gho/athena/data/ *.clarity.ms *.doubleclick.net *.eloqua.com *.en25.com *.google-analytics.com *.googletagmanager.com *.jwpcdn.com *.msecnd.net *.nativechat.com *.pingdom.net *.sharethis.com assets.pinterest.com assets.sitescdn.net cdn.ampproject.org cdn.insight.sitefinity.com cdn.jsdelivr.net cdnjs.cloudflare.com covidfunding.eiu.com https://dec.azureedge.net/ https://www.youtube.com/iframe_api js.arcgis.com js.hs-analytics.net js.hs-scripts.com kendo.cdn.telerik.com munchkin.marketo.net npmcdn.com polyfill.io public.tableau.com services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com storage.googleapis.com tagmanager.google.com tiles.arcgis.com utility.arcgisonline.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whosearch.searchblox.com www.arcgis.com www.clarity.ms www.googletagmanager.com www.who.int www.youtube.com youtu.be app-script.monsido.com https://cdn.insight.sitefinity.com https://dec.azureedge.net js.hs-banner.com js.hsleadflows.net forms.hubspot.com js.hscollectedforms.net web-chat.nativechat.com; style-src 'self' *.googleapis.com *.gstatic.com netdna.bootstrapcdn.com kendo.cdn.telerik.com www.google.com platform.twitter.com/css/ *.twimg.com 'unsafe-inline' tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com *.nativechat.com *.sharethis.com cdn.insight.sitefinity.com cdnjs.cloudflare.com https://dec.azureedge.net use.fontawesome.com www.who.int player.4am.ch player.clevercast.com whosearch.searchblox.com tagmanager.google.com blob: https://cdn.insight.sitefinity.com web-chat.nativechat.com; img-src 'self' *.gstatic.com *.googleapis.com platform.tumblr.com web.facebook.com www.facebook.com www.redditstatic.com www.linkedin.com i.ytimg.com https://syndication.twitter.com https://static.licdn.com/scds/common/u/images/apps/connect/sprites/sprite_connect_v14.png pbs.twimg.com platform.twitter.com/css/ *.twimg.com data: blob: https://*.googletagmanager.com tracking.monsido.com iris.who.int tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com cdn.insight.sitefinity.com js.arcgis.com *.nativechat.com *.sharethis.com *.google-analytics.com *.clarity.ms https://delicious.com https://dec.azureedge.net https://apps.who.int https://*.dec.sitefinity.com *.eloqua.com track.hubspot.com stats.g.doubleclick.net *.who.int *.who.cloud.sitefinity.com yt3.ggpht.com addthis.com *.googleusercontent.com *.googletagmanager.com script.hotjar.com www.addthis.com log.pinterest.com whosearch.searchblox.com app.powerbi.com pbi.azureedge.net kendo.cdn.telerik.com img.youtube.com *.analytics.google.com *.g.doubleclick.net *.google.com https://cdn.insight.sitefinity.com js.hsleadflows.net forms.hsforms.com web-chat.nativechat.com; font-src 'self' fonts.gstatic.com kendo.cdn.telerik.com netdna.bootstrapcdn.com data: tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com *.nativechat.com *.sharethis.com use.fontawesome.com www.who.int player.4am.ch player.clevercast.com whosearch.searchblox.com script.hotjar.com app.powerbi.com pbi.azureedge.net *.clarity.ms cdn.jsdelivr.net; frame-src 'self' *.kunstmatrix.com *.doubleclick.net *.nativechat.com *.sitefinity.cloud *.who.int *.who.cloud.sitefinity.com app.powerbi.com app.sli.do apps.who.int assets.pinterest.com covidfunding.eiu.com creativecommons.org experience.arcgis.com html5-player.libsyn.com js.arcgis.com pbi.azureedge.net platform.twitter.com player.4am.ch player.clevercast.com player.vimeo.com vimeo.com public.tableau.com services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com syndication.twitter.com tiles.arcgis.com utility.arcgisonline.com wabi-north-europe-g-primary-redirect.analysis.windows.net who.maps.arcgis.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whotest.appiancloud.com www.arcgis.com www.facebook.com www.youtube.com www.youtube-nocookie.com youtube-nocookie.com https://app.powerbi.com/ appianportals.com forms.hsforms.com web-chat.nativechat.com; connect-src 'self' data: accounts.google.com *.gstatic.com https://*.googletagmanager.com heatmaps.monsido.com tracking.monsido.com frontdoor-l4uikgap6gz3m.azurefd.net whotest.appiancloud.com geocode.arcgis.com tiles.arcgis.com www.arcgis.com services.arcgis.com static.arcgis.com utility.arcgisonline.com js.arcgis.com cdn.jsdelivr.net stats.g.doubleclick.net https://*.dec.sitefinity.com *.nativechat.com *.mktoresp.com *.who.int *.who.cloud.sitefinity.com *.clarity.ms dc.services.visualstudio.com whosearch.searchblox.com *.google-analytics.com smartsuggest.searchblox.com m.addthis.com liveapi-cached.yext.com liveapi.yext.com answers.yext-pixel.com wss://westeurope.tts.speech.microsoft.com in.hotjar.com wss://*.hotjar.com *.hotjar.com vc.hotjar.io app.powerbi.com pbi.azureedge.net pbipdfapp.azurewebsites.net wabi-north-europe-redirect.analysis.windows.net *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net *.google.com https://*.insight.sitefinity.com forms.hubspot.com *.hsforms.com; media-src 'self' data: blob: tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com terrance.who.int *.who.int *.who.cloud.sitefinity.com; child-src 'self' https://platform.twitter.com/ https://syndication.twitter.com/ https://www.youtube.com/ https://www.youtube-nocookie.com https://player.vimeo.com/ https://w.soundcloud.com/ apis.google.com accounts.google.com staticxx.facebook.com www.facebook.com web.facebook.com badge.stumbleupon.com blob: tiles.arcgis.com www.arcgis.com apps.who.int/gho/athena/data/ services.arcgis.com utility.arcgisonline.com js.arcgis.com *.nativechat.com https://vimeo.com www.who.int web-chat.nativechat.com; frame-ancestors tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com app.powerbi.com pbi.azureedge.net *.who.int *.who.cloud.sitefinity.com appianportals.com 'self'; object-src tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com app.powerbi.com pbi.azureedge.net pbipdfapp.azurewebsites.net wabi-north-europe-redirect.analysis.windows.net 'self'

Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

Pass	Test	Info
	Clickjacking protection, using `frame-ancestors` The use of CSP's `frame-ancestors` directive offers fine-grained control over who can frame your site.	Show
	Deny by default, using `default-src 'none'` Denying by default using `default-src 'none'` can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.	Show
	Restricts use of the `<base>` tag by using `base-uri 'none'`, `base-uri 'self'`, or specific origins The `base` tag can be used to trick your site into loading scripts from untrusted origins.	Show
	Restricts where `<form>` contents may be submitted by using `form-action 'none'`, `form-action 'self'`, or specific URIs Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.	Show
	Blocks loading of active content over HTTP or FTP Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code on your website. Restricting your policy and changing links to HTTPS can help prevent this.	Show
	Blocks loading of passive content over HTTP or FTP This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.	Show
	Uses CSP3's `'strict-dynamic'` directive to allow dynamic script loading (optional) `'strict-dynamic'` lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track `script-src` origins.	Show
	Blocks execution of JavaScript's `eval()` function by not allowing `'unsafe-eval'` inside `script-src` Blocking the use of JavaScript's `eval()` function can help prevent the execution of untrusted code.	Show
	Blocks execution of inline JavaScript by not allowing `'unsafe-inline'` inside `script-src` Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.	Show
	Blocks inline styles by not allowing `'unsafe-inline'` inside `style-src` Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.	Show
	Blocks execution of plug-ins, using `object-src` restrictions Blocking the execution of plug-ins via `object-src 'none'` or as inherited from `default-src` can prevent attackers from loading Flash or Java in the context of your page.	Show

How to implement

The recommended way to enable Content Security Policy is with the Content-Security-Policy HTTP header, e.g.:

Content-Security-Policy: default-src 'self'

It can also be enabled with an HTML <meta> element:

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">

CSP is a powerful mechanism that we strongly recommend. It allows for very fine-grained control. However, creating a good policy (or adjusting your site to work with a good policy) can take some time and effort. To make this easier, it's possible to use CSP in report-only mode.

See the following pages for more information:

Content Security Policy (CSP) [developer.mozilla.org]
Google Web Fundamentals: Content Security Policy [developers.google.com]
CSP Cheat Sheet [scotthelme.co.uk]
Report URI: Tools (CSP analyser, CSP builder) [report-uri.com]
CSP Evaluator [csp-evaluator.withgoogle.com]
CSP Level 2 specification [w3.org]
CSP Level 3 specification [w3.org]
Browser support [caniuse.com]

The Content Security Policy tests are based on the ones from the Mozilla HTTP Observatory scanner/grader project (Mozilla Public License 2.0) by April King, reimplemented by us for Webbkoll. The explanatory texts are from the Observatory by Mozilla website, CC-BY-SA 3.0. Any mistake or inaccuracy in the results is our fault.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).

— MDN: Content Security Policy (CSP), Mozilla Contributors, CC BY-SA 2.5

GDPR: Rec. 83, Art. 5.1.f, Art. 25, Art. 32.2
GDPR Art. 32.2 makes clear that measures should be taken against unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. CSP is a relatively simple way of ensuring that your web visitors do not end up being put in contact with someone that either they - or you - did not anticipate for them to contact.

Reporting (CSP, Certificate Transparency, Network Error Logging)

Reports are not sent to a third-party.

The Content Security Policy (CSP) directive report-uri, or report-to in combination with a Report-To header, instructs the user's browser to send a violation report to specified URI(s) if the CSP is violated. Each report is a JSON object containing information about the violation, including, among other things, the URL of the document where it occurred, and referrer information. While reporting is useful for developers to find and fix bugs, it can also be used for tracking purposes.

The Expect-CT header can be used to enforce Certificate Transparency requirements, and/or optionally send reports of Certificate Transparency violations to a specified URI.

The NEL (Network Error Logging) header instructs the user's browser to send reports about network errors (e.g. DNS resolution error, TCP or TLS connection failure, 4xx or 5xx HTTP responses) to a specified URI. It can also be configured to send reports about successful network requests. See [1], [2] for privacy considerations.

Referrer Policy

Referrer Policy set to no-referrer-when-downgrade in Referrer-Policy HTTP header.

How to implement

A referrer policy can easily be set with a <meta> element in your HTML. Simply include this inside the <head> section:

<meta name="referrer" content="no-referrer">

Alternatively, set the Referrer-Policy HTTP header, e.g.:

Referrer-Policy: no-referrer

If a referrer policy is delivered via both Referrer-Policy header and meta element, the meta element's policy takes precedence.

If multiple policy values are specified, the browser will use the last one, ignoring unknown values (fallback values should thus appear first). Multiple values should be separated by commas, e.g.:

<meta name="referrer" content="no-referrer, same-origin">

Several policies are offered, such as origin (strips everything except the origin) and origin-when-cross-origin (sends full URL with same-origin requests, otherwise stripped). We recommend no-referrer, which kills the referrer header entirely for all requests, no matter the destination; or same-origin, which kills the referrer for third-party requests but not for requests to the same origin.

Referrer-Policy [developer.mozilla.org]
Referer header: privacy and security concerns [developer.mozilla.org]
Referrer Policy specification [w3.org]
Browser support [caniuse.com]

When you click on a link, your browser will typically send the HTTP referer [sic] header to the webserver where the destination webpage is at. The header contains the full URL of the page you came from. This lets sites see where traffic comes from. The header is also sent when external resources (such as images, fonts, JS and CSS) are loaded.

The referrer header is privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.

By setting a Referrer Policy, it's possible for websites to tell browsers to not leak referrers. Referrer Policy lets you specify a policy that's applied to all links clicked, as well as all other requests generated by the page (images, JS, etc.).

GDPR: Rec. 83, Art. 5.1.c, Art. 25, Art. 32.2
Setting referrer policy is an easy way to do data minimization (Art. 5.1.c) and help ensure that you don't transfer or disclose personal data needlessly (Art. 32.2).

Subresource Integrity (SRI)

Subresource Integrity (SRI) not implemented, and external resources are loaded over HTTP or use protocol-relative URLs via src="//...".

The following third-party resources are not loaded using SRI:

Type	URL
script	`https://app-script.monsido.com/v2/monsido-script.js`
script	`https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/ScrollToPlugin.min.js`
script	`https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/ScrollTrigger.min.js`
script	`https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/gsap.min.js`
script	`https://kendo.cdn.telerik.com/2021.1.119/js/kendo.timezones.min.js`
script	`https://kendo.cdn.telerik.com/2021.1.119/js/kendo.all.min.js`
script	`https://www.googletagmanager.com/gtm.js?id=GTM-5QFSQRT`
script	`https://www.googletagmanager.com/gtag/js?id=G-WKG4M0MSB8&l=dataLayer&cx=c`
script	`https://www.google-analytics.com/analytics.js`
script	`https://www.clarity.ms/tag/ekg7xazin3`
script	`https://www.clarity.ms/s/0.7.32/clarity.js`
script	`//heatmaps.monsido.com/v1/heatmaps.js`
css	`https://use.fontawesome.com/releases/v5.15.4/css/all.css`
css	`https://fonts.googleapis.com/css2?family=Noto+Sans:ital,wght@0,400;0,700;1,400&display=swap`

How to implement

SRI can be used with script and link elements. To enable SRI on an element, you need to add integrity and crossorigin attributes to it.

integrity should contain integrity metadata: a string describing the cryptographic hash function used (currently sha256, sha384, or sha512), followed by a dash, followed by the base64-encoded hash of the file.

crossorigin must be set to anonymous for third-party resources when using SRI. This has to do with CORS.

For example, given the file https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js, we can calculate the SHA384 hash:

$ openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT

The correct HTML code should then be:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>

When the browser sees this element, it will download jquery.min.js, calculate the SHA384 hash, compare it to the hash in the integrity attribute, and only run the script if the hashes match. For example, if someone were to modify jquery.min.js on the remote server after we calculcated the original hash, Firefox would refuse to run the script and you'd see this in the browser console:

None of the âsha384â hashes in the integrity attribute match the content of the subresource.

To make all this easier, you can use Mozilla's SRI Hash Generator.

Subresource Integrity [developer.mozilla.org]
Protecting your embedded content with subresource integrity (SRI) [troyhunt.com]
Subresource Integrity specification [w3.org]
Browser support [caniuse.com]

The Subresource Integrity test is based on the one from the Mozilla HTTP Observatory scanner/grader project (Mozilla Public License 2.0) by April King, reimplemented by us for Webbkoll.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.

Subresource Integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files â and without any other changes of any kind at all having been made to those files.

— MDN, Subresource Integrity, Mozilla Contributors, CC BY-SA 2.5

GDPR: Rec. 83, Art. 5.1.f, Art. 25, Art. 32.2
This is an easy measure to take against unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

HTTP headers

Header	Value	Result
X-Content-Type-Options	nosniff	X-Content-Type-Options header set to "nosniff"
X-Frame-Options	SAMEORIGIN	X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
X-XSS-Protection	1; mode=block	X-XSS-Protection header set to "1; mode=block"

How to implement

To enable these headers you'll need to add them to your web server configuration. This is a simple change. Exactly how you do it depends on what server you use. This page [developer.mozilla.org] has configuration examples for Apache, Nginx and IIS.

X-Content-Type-Options should be set to nosniff, which is the only valid value.

X-Frame-Options can be set to deny (page can never be loaded in a frame), sameorigin (page can only be loaded in a frame only if the origin is the same), or allow-from <URI> (page can only be loaded in a frame on a page on the specified origin).

The old recommendation was to set X-XSS-Protection to 1 or 1; mode=block. However, OWASP now recommends setting it to 0.

X-Content-Type-Options [developer.mozilla.org]
X-Content-Type-Options HTTP Header [keycdn.com]
X-Frame-Options [developer.mozilla.org]
X-Frame-Options â How to Combat Clickjacking [keycdn.com]
X-XSS-Protection [developer.mozilla.org]
X-XSS-Protection - OWASP Cross Site Scripting Prevention Cheat Sheet [cheatsheetseries.owasp.org]

The header tests are based on the ones from the Mozilla HTTP Observatory scanner/grader project (Mozilla Public License 2.0) by April King, reimplemented by us for Webbkoll. The explanatory texts are from the Observatory by Mozilla website, CC-BY-SA 3.0.

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

— MDN, Content Security Policy (CSP), Mozilla Contributors, CC BY-SA 2.5

The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response.

— OWASP Cheat Sheet Series, Cross Site Scripting Prevention Cheat Sheet, OWASP CheatSheets Series Team, CC BY 3.0

GDPR: Art. 5.1.c, Art. 5.1.f, Art. 25, Art. 32.1-2.
These headers can help minimize data disclosures.

Cookies

First-party cookies (13)

Domain	Name	Value	Expires on	SameSite
.www.who.int	__cfruid	1949dd66dfa41ea10bb2...	session
.www.who.int	_cfuvid	VEHzje2dAyuL_bczc3Xg...	session
.cdn.who.int	__cfruid	64886796e8f715389ffe...	session	(`None`)
.cdn.who.int	_cfuvid	.0GcI1UQHGCwa4nNGDN7...	session	(`None`)
www.who.int	sf-prs-ss	638503116929650000	session	(`Lax`)
www.who.int	sf-prs-lu	https://www.who.int/	session	(`Lax`)
.who.int	_gcl_au	1.1.65592784.1714714...	2024-08-01 05:41:33Z
.who.int	_gid	GA1.2.1074885861.171...	2024-05-04 05:41:33Z
.who.int	_gat_UA-30222631-2	1	2024-05-03 05:42:33Z
.who.int	_ga_WKG4M0MSB8	GS1.1.1714714893.1.0...	2026-05-03 05:41:33Z
.who.int	_ga	GA1.1.622730712.1714...	2026-05-03 05:41:33Z
.who.int	_clck	17ucsz9%7C2%7Cflg%7C...	2025-05-03 05:41:33Z
.who.int	_clsk	1cna6xh%7C1714714894...	2024-05-04 05:41:34Z

Third-party cookies (3)

Domain	Name	Value	Expires on	SameSite
www.clarity.ms	CLID	1f086dc2de8c4961a786...	2025-05-03 05:41:33Z	(`None`)
.c.clarity.ms	SM	T	session	(`None`)
.clarity.ms	MUID	35BEEE5788196044290E...	2025-05-28 05:41:34Z	(`None`)

HttpOnly means that the cookie can only be read by the server, and not by JavaScript on the client. This can mitigate XSS (cross-site scripting) attacks.

Secure means that the cookie will only be sent over a secure channel (HTTPS). This can mitigate MITM (man-in-the-middle) attacks.

SameSite can be used to instruct the browser to only send the cookie when the request is originating from the same site. This can mitigate CSRF (cross-site request forgery) attacks.

GDPR: Rec. 60, Rec. 61, Rec. 69, Rec. 70, Rec. 75, Rec. 78, Art. 5.1.a, Art. 5.1.c, Art. 5.1.e, Art. 21, Art. 22, Art. 32.

e-PD (2002/58/EC). Rec. 24, 25, Art. 5.2.

e-PD revised (2009/136/EC). Rec. 65, 66.

More information

First-party cookies are placed by the web site owner in some register on their visitors' device in order to be able to re-identify the visitor on subsequent page loads. First-party cookies can be related to technical features on a web site (such as remembering language settings or the contents of a shopping basket), or related to commercial features of the web site owners' activities (such as being able to trace a visitors' behaviour over the duration of their visit, or over much longer time periods, often for years, in order to be able to serve advertisements to the users or to get usage statistics to guide later changes to the web site that are envisaged to make the web site more attractive to recurring users). First-party cookies may come from services provided by the web site owner (language settings in a Content Management System) or from services used by the web site owner (analytics tools).

Third-party cookies are placed by a service affiliated with the web site owner on the devices of visitors to the web site in order to be able to re-identity the visitor on subsequent page loads, or across different web sites. Third-party cookies are typically related to commercial features of a web site owners' activities, usually advertising, but may also relate to technical features in scripts used by a web site (such as language settings).

Storing information or gaining access to information stored in the visitors' devices, for instance in the form of cookies, has been subject to sui generis legislation in the European Union (ePD, Art. 5.3). These sui generis laws have tried to make a distinction between information stored to support technical features and information stored to support commercial features. In practice, poor enforcement of these rules has made the legal landscape unclear. Because there exists no legal duty for citizens to receive better targeted advertisement, nor a legal duty for citizens to assist web developers in improving web sites, it's doubtful that a legal basis exists for storing information to support commercial features without the consent of the web visitor (GDPR Art. 7). It is argued that the legitimate interests of a web site owner (Art. 6.1.f, Art. 6.4) may nevertheless enable them to subject a visitor to targeted ads or cause a visitor to assist the web developers. Then there must exist relevant and appropriate relationship between the web visitor and the web site owner in situations (GDPR Rec. 47), which calls into question the use of third-party service first-party cookies. In either case, if the legitimate interest legal basis for processing is invoked, adequate security measures must be undertaken (GDPR Art. 32).

Particular care must be taken with regards to the period of storage (GDPR Art. 5.1.e). While it is technically easy for a web site owner to set the duration of a information stored in the form of cookies to a long period time, the principle of storage limitation implies a balancing act between the interest of tracking a visitors' behaviour and the interest of the visitor to keep their behaviour private. It's been established that a reasonable storage period does not exceed one year.

localStorage

localStorage not used.

Third-party requests

27 requests (27 secure, 0 insecure) to 13 unique hosts.

A third-party request is a request to a domain that's not who.int or one of its subdomains.

Host	IP	Classification	URLs
app-script.monsido.com https://app-script.monsido.com/v2/monsido-script.js	34.98.105.146		Show (1)
cdnjs.cloudflare.com https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/ScrollTrigger.min.j... https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/ScrollToPlugin.min.... https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/gsap.min.js	104.17.24.14		Show (3)
fonts.googleapis.com https://fonts.googleapis.com/css?family=Noto+Serif+JP https://fonts.googleapis.com/css?family=Noto+Sans+JP https://fonts.googleapis.com/css2?family=Source+Sans+Pro:ital,wght@0,3... https://fonts.googleapis.com/css?family=Roboto https://fonts.googleapis.com/css2?family=Noto+Sans:ital,wght@0,400;0,7...	142.250.74.170	Content (Google)	Show (5)
fonts.gstatic.com https://fonts.gstatic.com/s/notosans/v36/o-0mIpQlx3QUlC5A4PNB6Ryti20_6... https://fonts.gstatic.com/s/notosans/v36/o-0mIpQlx3QUlC5A4PNB6Ryti20_6... https://fonts.gstatic.com/s/notosans/v36/o-0mIpQlx3QUlC5A4PNB6Ryti20_6...	216.58.207.227	Content (Google)	Show (3)
heatmaps.monsido.com https://heatmaps.monsido.com/v1/settings/KXrCxamCowqmhCDxsvBllw.json https://heatmaps.monsido.com/v1/heatmaps.js	34.98.91.45		Show (2)
kendo.cdn.telerik.com https://kendo.cdn.telerik.com/2021.1.119/js/kendo.timezones.min.js https://kendo.cdn.telerik.com/2021.1.119/js/kendo.all.min.js	13.33.141.35		Show (2)
r.clarity.ms https://r.clarity.ms/collect	20.119.174.243	Analytics (Microsoft)	Show (1)
region1.google-analytics.com https://region1.google-analytics.com/g/collect?v=2&tid=G-WKG4M0MSB8&gt...	216.239.32.36	FingerprintingGeneral, Analytics (Google)	Show (1)
tracking.monsido.com https://tracking.monsido.com/?a=KXrCxamCowqmhCDxsvBllw&b=https%3A%2F%2...	35.190.93.146		Show (1)
use.fontawesome.com https://use.fontawesome.com/releases/v5.15.4/webfonts/fa-solid-900.wof... https://use.fontawesome.com/releases/v5.15.4/css/all.css	172.67.142.245		Show (2)
www.clarity.ms https://www.clarity.ms/s/0.7.32/clarity.js https://www.clarity.ms/tag/ekg7xazin3	13.107.213.44	Analytics (Microsoft)	Show (2)
www.google-analytics.com https://www.google-analytics.com/j/collect?v=1&_v=j101&a=805511850&t=p... https://www.google-analytics.com/analytics.js	142.250.74.110	FingerprintingGeneral, Analytics (Google)	Show (2)
www.googletagmanager.com https://www.googletagmanager.com/gtag/js?id=G-WKG4M0MSB8&l=dataLayer&c... https://www.googletagmanager.com/gtm.js?id=GTM-5QFSQRT	142.250.74.136		Show (2)

We use Mozilla's version of Disconnect's open source list of trackers to classify hosts.

GDPR: Rec. 69, Rec. 70, Art. 5.1.b-c, Art. 25.

Server location

Server location for www.who.int (192.133.11.1) could not be determined.

See more information (e.g., provider) about this IP address using KeyCDN's tool.

Some sites use CDNs – content delivery networks – in which case the server location might vary depending on the location of the visitor. This tool, Webbkoll, is currently on a server in Finland.

Under the GDPR, all EU/EEA countries are considered equally trustworthy, so there is no particular reason under the GDPR to consider any EU country more or less reliable or desirable than any other. The importance of the location of a server comes into play only under GDPR Art. 23, Restrictions, where member states may invoke a number of reasons, notably national security, that enable them to void protections for visitors or web service providers.

For non-EU/EEA territories, it depends (GDPR Art. 44). For a website, transfers will probably have to rely on adequacy decisions (Art. 45) made by the European Commission when a third territory has been deemed to have appropriate data protection safe guards in its legislation. However, adequacy decisions cannot always be trusted, as demonstrated in the EU Court of Justice 2015 (C-362/14). Binding corporate rules (Art. 47) or standard clauses (Art. 46) may also be used to transfer data, but in the absence of rulings by courts and data protection authorities this is still legally uncertain territory.

Raw headers

Header	Value
access-control-allow-origin	*
access-control-expose-headers	Request-Context
age	13758
alt-svc	h3=":443"; ma=86400
cache-control	public, max-age=0, s-maxage=43200
cf-cache-status	HIT
cf-ray	87ddec2a3daf92d4-CPH
content-encoding	gzip
content-security-policy	default-src 'self' .analysis.windows.net .clarity.ms .nativechat.com .tts.speech.microsoft.com .who.int .who.cloud.sitefinity.com answers.yext-pixel.com app.powerbi.com assets.sitescdn.net content.powerapps.com covidfunding.eiu.com dc.services.visualstudio.com gis.azureedge.net js.arcgis.com liveapi.yext.com liveapi-cached.yext.com pbi.azureedge.net pbipdfapp.azurewebsites.net player.4am.ch player.clevercast.com polyfill.io services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com tiles.arcgis.com utility.arcgisonline.com visuals.azureedge.net wabi-north-europe-redirect.analysis.windows.net westeurope.tts.speech.microsoft.com who.cloudflareaccess.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whotest.appiancloud.com www.arcgis.com www.googleadservices.com iris.who.int; script-src 'self' .googleapis.com .gstatic.com www.google.com apis.google.com connect.facebook.net ajax.aspnetcdn.com https://www.youtube.com platform.twitter.com https://syndication.twitter.com/ https://s.ytimg.com https://publish.twitter.com .twimg.com platform.linkedin.com http://platform.stumbleupon.com/1/widgets.js https://.googletagmanager.com https://app-script.monsido.com/v2/monsido-script.js https://heatmaps.monsido.com/ https://tracking.monsido.com/ https://pagecorrect.monsido.com/v1/page-correct.js https://cdn.monsido.com/ 'unsafe-eval' 'unsafe-inline' data: apps.who.int/gho/athena/data/ .clarity.ms .doubleclick.net .eloqua.com .en25.com .google-analytics.com .googletagmanager.com .jwpcdn.com .msecnd.net .nativechat.com .pingdom.net .sharethis.com assets.pinterest.com assets.sitescdn.net cdn.ampproject.org cdn.insight.sitefinity.com cdn.jsdelivr.net cdnjs.cloudflare.com covidfunding.eiu.com https://dec.azureedge.net/ https://www.youtube.com/iframe_api js.arcgis.com js.hs-analytics.net js.hs-scripts.com kendo.cdn.telerik.com munchkin.marketo.net npmcdn.com polyfill.io public.tableau.com services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com storage.googleapis.com tagmanager.google.com tiles.arcgis.com utility.arcgisonline.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whosearch.searchblox.com www.arcgis.com www.clarity.ms www.googletagmanager.com www.who.int www.youtube.com youtu.be app-script.monsido.com https://cdn.insight.sitefinity.com https://dec.azureedge.net js.hs-banner.com js.hsleadflows.net forms.hubspot.com js.hscollectedforms.net web-chat.nativechat.com; style-src 'self' .googleapis.com .gstatic.com netdna.bootstrapcdn.com kendo.cdn.telerik.com www.google.com platform.twitter.com/css/ .twimg.com 'unsafe-inline' tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com .nativechat.com .sharethis.com cdn.insight.sitefinity.com cdnjs.cloudflare.com https://dec.azureedge.net use.fontawesome.com www.who.int player.4am.ch player.clevercast.com whosearch.searchblox.com tagmanager.google.com blob: https://cdn.insight.sitefinity.com web-chat.nativechat.com; img-src 'self' .gstatic.com .googleapis.com platform.tumblr.com web.facebook.com www.facebook.com www.redditstatic.com www.linkedin.com i.ytimg.com https://syndication.twitter.com https://static.licdn.com/scds/common/u/images/apps/connect/sprites/sprite_connect_v14.png pbs.twimg.com platform.twitter.com/css/ .twimg.com data: blob: https://.googletagmanager.com tracking.monsido.com iris.who.int tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com cdn.insight.sitefinity.com js.arcgis.com .nativechat.com .sharethis.com .google-analytics.com .clarity.ms https://delicious.com https://dec.azureedge.net https://apps.who.int https://.dec.sitefinity.com .eloqua.com track.hubspot.com stats.g.doubleclick.net .who.int .who.cloud.sitefinity.com yt3.ggpht.com addthis.com .googleusercontent.com .googletagmanager.com script.hotjar.com www.addthis.com log.pinterest.com whosearch.searchblox.com app.powerbi.com pbi.azureedge.net kendo.cdn.telerik.com img.youtube.com .analytics.google.com .g.doubleclick.net .google.com https://cdn.insight.sitefinity.com js.hsleadflows.net forms.hsforms.com web-chat.nativechat.com; font-src 'self' fonts.gstatic.com kendo.cdn.telerik.com netdna.bootstrapcdn.com data: tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com .nativechat.com .sharethis.com use.fontawesome.com www.who.int player.4am.ch player.clevercast.com whosearch.searchblox.com script.hotjar.com app.powerbi.com pbi.azureedge.net .clarity.ms cdn.jsdelivr.net; frame-src 'self' .kunstmatrix.com .doubleclick.net .nativechat.com .sitefinity.cloud .who.int .who.cloud.sitefinity.com app.powerbi.com app.sli.do apps.who.int assets.pinterest.com covidfunding.eiu.com creativecommons.org experience.arcgis.com html5-player.libsyn.com js.arcgis.com pbi.azureedge.net platform.twitter.com player.4am.ch player.clevercast.com player.vimeo.com vimeo.com public.tableau.com services.arcgis.com staging-dot-eiu-wellcome-7664.nw.r.appspot.com syndication.twitter.com tiles.arcgis.com utility.arcgisonline.com wabi-north-europe-g-primary-redirect.analysis.windows.net who.maps.arcgis.com who-answers.pagescdn.com who-covid-answers.int.pagescdn.com whotest.appiancloud.com www.arcgis.com www.facebook.com www.youtube.com www.youtube-nocookie.com youtube-nocookie.com https://app.powerbi.com/ appianportals.com forms.hsforms.com web-chat.nativechat.com; connect-src 'self' data: accounts.google.com .gstatic.com https://.googletagmanager.com heatmaps.monsido.com tracking.monsido.com frontdoor-l4uikgap6gz3m.azurefd.net whotest.appiancloud.com geocode.arcgis.com tiles.arcgis.com www.arcgis.com services.arcgis.com static.arcgis.com utility.arcgisonline.com js.arcgis.com cdn.jsdelivr.net stats.g.doubleclick.net https://.dec.sitefinity.com .nativechat.com .mktoresp.com .who.int .who.cloud.sitefinity.com .clarity.ms dc.services.visualstudio.com whosearch.searchblox.com .google-analytics.com smartsuggest.searchblox.com m.addthis.com liveapi-cached.yext.com liveapi.yext.com answers.yext-pixel.com wss://westeurope.tts.speech.microsoft.com in.hotjar.com wss://.hotjar.com .hotjar.com vc.hotjar.io app.powerbi.com pbi.azureedge.net pbipdfapp.azurewebsites.net wabi-north-europe-redirect.analysis.windows.net .analytics.google.com .googletagmanager.com .g.doubleclick.net .google.com https://.insight.sitefinity.com forms.hubspot.com .hsforms.com; media-src 'self' data: blob: tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com terrance.who.int .who.int .who.cloud.sitefinity.com; child-src 'self' https://platform.twitter.com/ https://syndication.twitter.com/ https://www.youtube.com/ https://www.youtube-nocookie.com https://player.vimeo.com/ https://w.soundcloud.com/ apis.google.com accounts.google.com staticxx.facebook.com www.facebook.com web.facebook.com badge.stumbleupon.com blob: tiles.arcgis.com www.arcgis.com apps.who.int/gho/athena/data/ services.arcgis.com utility.arcgisonline.com js.arcgis.com .nativechat.com https://vimeo.com www.who.int web-chat.nativechat.com; frame-ancestors tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com app.powerbi.com pbi.azureedge.net .who.int .who.cloud.sitefinity.com appianportals.com 'self'; object-src tiles.arcgis.com www.arcgis.com services.arcgis.com utility.arcgisonline.com js.arcgis.com app.powerbi.com pbi.azureedge.net pbipdfapp.azurewebsites.net wabi-north-europe-redirect.analysis.windows.net 'self'
content-type	text/html; charset=utf-8
date	Fri, 03 May 2024 05:41:31 GMT
expires	Fri, 03 May 2024 01:52:13 GMT
last-modified	Thu, 02 May 2024 20:47:56 GMT
referrer-policy	no-referrer-when-downgrade
request-context	appId=cid-v1:de8aa419-25cb-497c-a74e-dd1c159376e3
server	cloudflare
strict-transport-security	max-age=31536000; preload
vary	Accept-Encoding
x-content-type-options	nosniff
x-frame-options	SAMEORIGIN
x-instance-name	wn0ldwk0005PQ
x-xss-protection	1; mode=block

What this tool checks (and doesn't check)

This tool attempts to simulate what happens when a user visits a specified page with a typical browser. The browser has no addons/extensions installed, and Do Not Track (DNT) is not enabled, since this is the default setting in most browsers.

External files such as images, scripts and CSS are loaded, but the tool performs no interactions with the page â no links are clicked, no forms are submitted.

Disclaimer: The results presented here might not be 100% correct. Bugs happen. This tool is meant to be used by site owners as a starting point for improvements, not as a rigorous analysis.

Text about HTTPS partly adapted from the CIO Council's The HTTPS-Only Standard (public domain). MaxMind's GeoLite2 country database (CC-BY-SA 4.0) is used for GeoIP lookups. See here for more information.

Results for www.who.int

HTTPS by default

HTTP Strict Transport Security (HSTS)

Content Security Policy

Reporting (CSP, Certificate Transparency, Network Error Logging)

Referrer Policy

Subresource Integrity (SRI)

HTTP headers

Cookies

First-party cookies (13)

Third-party cookies (3)

localStorage

Third-party requests

Server location

Raw headers

What this tool checks (and doesn't check)