default-src 'self'; font-src 'self' data:; object-src 'none'; worker-src blob:; child-src blob: 'self'; frame-src 'self' *.instatus.com headway-widget.net rdv-service-public-metabase.osc-secnum-fr1.scalingo.io; media-src 'self' rdv-insertion-medias-production.s3.fr-par.scw.cloud; img-src 'self' data: blob: voxusagers.numerique.gouv.fr tile.openstreetmap.org unpkg.com openmaptiles.data.gouv.fr; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com api.mapbox.com cdn.headwayapp.co unpkg.com; connect-src 'self' api-adresse.data.gouv.fr etalab-tiles.fr openmaptiles.data.gouv.fr; script-src 'self' 'unsafe-inline' api.mapbox.com cdn.headwayapp.co unpkg.com

Diagnostics

Metrics

_rdv_sp_session

Ruby is an open-source object-oriented programming language.

Ruby

Ruby on Rails is a server-side web application framework written in Ruby under the MIT License.

Ruby on Rails

Turbolinks is a Rails feature, available as a gem and enabled by default in new Rails apps. It is intended to speed up navigating between pages of your application.

Turbolinks

HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.

Impact	Description	Documentation
-20	Content Security Policy (CSP) implemented unsafely. This includes `'unsafe-inline'` or `data:` inside `script-src`, overly broad sources such as `https:` inside `object-src` or `script-src`, or not restricting the sources for `object-src` or `script-src`.	Remove `unsafe-inline` and `data:` from `script-src`, overly broad sources from `object-src` and `script-src`, and ensure `object-src` and `script-src` are set.
-20	`X-Frame-Options` (XFO) header not implemented.	Documentation for x-frame-options-sameorigin-or-deny

https://rdv.anct.gouv.fr/

Mozilla HTTP observatory

SSL

Expiration : 26/06/2025