carnegie.co.uk

HTML metadata

Title: Start - Carnegie United Kingdom
Language: en-GB
Canonical: https://www.carnegie.co.uk/

Open Graph

url: https://www.carnegie.co.uk/
title: Start - Carnegie United Kingdom
locale: en_GB
site name: Carnegie United Kingdom

Technology

Server: nginx
CMS: WordPress
jQuery: 3.7.1

Analytics

Google Tag Manager

Third-party hosts loaded (4)

www.dnbcarnegie.com×8
cdn.cookie-script.com×2
browser.sentry-cdn.com×1
www.googletagmanager.com×1

DNS records live

NS

ns1.p201.dns.oraclecloud.net
ns2.p201.dns.oraclecloud.net
ns3.p201.dns.oraclecloud.net
ns4.p201.dns.oraclecloud.net

MX

10 mxa-00588c01.gslb.pphosted.com
10 mxb-00588c01.gslb.pphosted.com

TXT

_jzx7dddw0ux7riq7p0iic9a2srvxr28
iMWfQvofXAtZzGD+RergGGT5M2BsdnvqYUhaqvjor4AA9p4Y4WscBMxntgnd6WEyDAH7Q1DVz4Uvnfd5e1JwOw==

Verified for

Google
Microsoft 365

Email authentication strong

SPF

v=spf1 include:_spf-dc33.sapsf.eu include:spf.protection.outlook.com ip4:193.182.104.28/31 include:spf-00588c01.pphosted.com -all

strict (-all)

DMARC

v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:phishing@dnb.no

policy: reject (enforced)

DKIM

selector1: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzAPIX86nGSKKcx7OYWUJjCUbpE1nNFF5GbIEuiF8HZCk/9RZV+x++JVVcQ5zQii4kTVlCNH/DcEbVidMGNc…

selectors probed

Certificate (current)

DigiCert Global G2 TLS RSA SHA256 2020 CA1

from 2026-01-19 to 2027-01-20

Expires in 231 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 75/100 Checked live page: https://www.carnegie.co.uk/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources
weak frame protection
missing Referrer Policy
missing Permissions Policy

Header values

x-frame-options: DENY;
x-content-type-options: nosniff
content-security-policy: default-src 'self' dnbcarnegie.com www.dnbcarnegie.com;connect-src 'self' www.google-analytics.com analytics.google.com consent.cookie-script.com sentry.frojd.se stats.g.doubleclick.net www.google.se www.google.dk www.google.no www.google.co.uk www.google.fi *.dynamics.com *.azureedge.net *.microsoft.com widget.datablocks.se hub.mfn.se pagead2.googlesyndication.com www.google.com googleads.g.doubleclick.net;script-src 'self' blob: 'unsafe-inline' cdn.cookie-script.com code.jquery.com www.googletagmanager.com www.google-analytics.com www.youtube.com browser.sentry-cdn.com www.google.com www.gstatic.com connect.facebook.net *.dynamics.com *.azureedge.net *.microsoft.com report.cookie-script.com widget.datablocks.se www.googleadservices.com;style-src 'self' 'unsafe-inline' translate.googleapis.com;frame-src 'self' www.googletagmanager.com w.soundcloud.com vimeo.com player.vimeo.com www.youtube.com www.google.com *.dynamics.com td.doubleclick.net;img-src 'self' www.google.se www.google-ana
strict-transport-security: max-age=31536000;