haveibeenpwned.com

HTML metadata

Title

Have I Been Pwned: Check if your email address has been exposed in a data breach

Description

Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.

Language

en

Feeds

Have I Been Pwned latest breaches RSS

Open Graph

url: https://haveibeenpwned.com/
title: Have I Been Pwned: Check if your email address has been exposed in a data breach
site name: Have I Been Pwned
description: Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.

Technology

CDN: Cloudflare

Analytics

Cloudflare Insights

Third-party hosts loaded (4)

cdnjs.cloudflare.com×2
api.fontshare.com×1
challenges.cloudflare.com×1
static.cloudflareinsights.com×1

Social

Contact

Address: st a FeatureDonateMerchConnect With Us© 2026

Registration

Registrar

1API GmbH

Created

2013-11-13

Expires

2026-11-13 176 days left

Updated

2025-11-23

Name servers

leah.ns.cloudflare.com
rob.ns.cloudflare.com

DNS records live

NS

leah.ns.cloudflare.com
rob.ns.cloudflare.com

MX

10 mxa.mailgun.org
10 mxb.mailgun.org

TXT

ALIAS for haveibeenpwned.azurewebsites.net
keybase-site-verification=ImeAFts_XWPcJ4XKyCC-nGZekutZ-ks1WpqvlL6EcOM

Verified for

Google

Email authentication strong

SPF

v=spf1 include:mailgun.org include:sendgrid.net include:mail.zendesk.com -all

strict (-all)

DMARC

v=DMARC1; p=reject; rua=mailto:heimdall-t@dmarc.report-uri.com; ruf=mailto:heimdall-t@dmarc.report-uri.com; aspf=r; adkim=r

policy: reject (enforced)

DKIM

s1: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvcpU1f1J6mjF8/Efn77MyIt2gwW7SJunKYcKtbwWIVIVmR+0XW3rzbeGUvdJqgHneDvAaBBSBOS82e9Ntl…
s2: k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0p6ZLlYdQ4atFsc9lgkIg5z1m0xWX/b3R5kT4EnCCVtECi2BVUHg7nSNW3FrwWfdPJkyg46KqQz92fsixm1k9x+…

selectors probed

Certificate (current)

WE1

from 2026-05-08 to 2026-08-06

Expires in 78 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 90/100 Checked live page: https://haveibeenpwned.com/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options
referrer-policy
permissions-policy

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources

Header values

referrer-policy: no-referrer-when-downgrade
x-frame-options: DENY
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
x-content-type-options: nosniff
content-security-policy: script-src 'self' cdnjs.cloudflare.com az416426.vo.msecnd.net ajax.cloudflare.com challenges.cloudflare.com static.cloudflareinsights.com *.monitor.azure.com *.applicationinsights.io 'report-sample' 'sha256-cj00wrTvlrj8ekHe2A9FqhDO5X0mvSr/lzIuvFKuMmA=' 'nonce-s61lciCek31V7S4r8Ik5VxNBs48YETfDy/s3mE0nPGI='; upgrade-insecure-requests; default-src 'none'; base-uri 'self'; worker-src 'self' blob:; style-src 'self' cdnjs.cloudflare.com api.fontshare.com 'report-sample' 'unsafe-inline'; img-src 'self' translate.google.com logos.haveibeenpwned.com haveibeenpwned.com cdnjs.cloudflare.com i.ytimg.com data:; font-src 'self' data: cdnjs.cloudflare.com cdn.fontshare.com fonts.scalar.com; frame-ancestors 'none'; frame-src challenges.cloudflare.com www.youtube.com; form-action 'self' www.paypal.com billing.stripe.com checkout.stripe.com billing.haveibeenpwned.com; connect-src 'self' stage.haveibeenpwned.com api.pwnedpasswords.com stage-api.haveibeenpwned.com api.haveibeenpwned.com haveibeenpwned.com
strict-transport-security: max-age=31536000; includeSubDomains; preload