Security website with privacy mediocre B status and many high risk CSP settings

See: https://webcookies.org/cookies/www.immuniweb.com/28584469?198666
CSP validation:

default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://yastatic.net/ https://*.webvisor.com/
  https://*.yandex.ru/ https://*.yandex.com/ https://*.tile.openstreetmap.org/ https://*.adroll.com/ https://*.gartner.com/
  https://*.consensu.org/ https://*.google.com/ https://google.com/ https://www.youtube.com/ https://www.gstatic.com/
  https://*.facebook.net/ https://*.gstatic.com/ https://*.googleapis.com/ https://www.htbridge.com/
  https://portal.htbridge.com/ https://portal.immuniweb.com/ https://www.google-analytics.com/ https://certify-js.alexametrics.com/ https://certify.alexametrics.com/ https://stats.g.doubleclick.net/ https://snap.licdn.com/
  https://*.facebook.com/ https://*.linkedin.com/ https://secure.adnxs.com/ https://*.sharethis.com/ https://*.addthis.com/ https://*.addthisedge.com/;
block-all-mixed-content;
report-uri https://www.immuniweb.com/csp/;

default-src
  [check] 'self': 'self' can be problematic if you host JSONP, Angular or user uploaded files.
  [error] 'unsafe-inline': 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [check] 'unsafe-eval': 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
  [error] data:: data: URI in default-src allows the execution of unsafe scripts.
  [error] https://yastatic.net/: yastatic.net is known to host Angular libraries which allow to bypass this CSP.
  [check] https://*.webvisor.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://*.yandex.ru/: mc.yandex.ru is known to host JSONP endpoints which allow to bypass this CSP.
  [error] https://*.yandex.com/: pass.yandex.com is known to host JSONP endpoints which allow to bypass this CSP.
  [check] https://*.tile.openstreetmap.org/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://*.adroll.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://*.gartner.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://*.consensu.org/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://*.google.com/: www.google.com is known to host JSONP endpoints which allow to bypass this CSP.
  [check] https://google.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://www.youtube.com/: www.youtube.com is known to host JSONP endpoints which allow to bypass this CSP.
  [error] https://www.gstatic.com/: www.gstatic.com is known to host Angular libraries which allow to bypass this CSP.
  [check] https://*.facebook.net/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://*.gstatic.com/: www.gstatic.com is known to host Angular libraries which allow to bypass this CSP.
  [error] https://*.googleapis.com/: ajax.googleapis.com is known to host JSONP endpoints and Angular libraries which allow to bypass this CSP. ajax.googleapis.com is known to host Flash files which allow to bypass this CSP.
  [check] https://www.htbridge.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://portal.htbridge.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://portal.immuniweb.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://www.google-analytics.com/: www.google-analytics.com is known to host JSONP endpoints which allow to bypass this CSP.
  [check] https://certify-js.alexametrics.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://certify.alexametrics.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://stats.g.doubleclick.net/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [check] https://snap.licdn.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://*.facebook.com/: api.facebook.com is known to host JSONP endpoints which allow to bypass this CSP.
  [error] https://*.linkedin.com/: www.linkedin.com is known to host JSONP endpoints which allow to bypass this CSP.
  [check] https://secure.adnxs.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://*.sharethis.com/: www.sharethis.com is known to host JSONP endpoints which allow to bypass this CSP.
  [error] https://*.addthis.com/: m.addthis.com is known to host JSONP endpoints which allow to bypass this CSP.
  [check] https://*.addthisedge.com/: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
Possibly high severity finding: object-src [missing] Can you restrict object-src to 'none'?

Also consider https://observatory.mozilla.org/analyze/www.immuniweb.com
with a C-grade, now also with the above: https://csp-evaluator.withgoogle.com/?csp=https://www.immuniweb.com

Re: https://observatory.mozilla.org/analyze/www.immuniweb.com#third-party No-hsts-preloading.

SSH-scan not available: Scan Failed: The Mozilla SSH Observatory scans from sshscan.rubidus.com at 45.55.176.164.
Many systems are configured with firewalls that block SSH access. To successfully scan with the SSH Observatory, access must be granted to Mozilla’s scanning system. I get a moved permanently here: https://www.shodan.io/search?query=45.55.176.164.

NET::ERR_CERT_COMMON_NAME_INVALID Subject: sshscan.rubidus.com

Issuer: Let’s Encrypt Authority X3

Expires on: Dec 29, 2019

Current date: Dec 28, 2019

I-status only: https://observatory.mozilla.org/analyze/www.immuniweb.com#tls

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
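A static checker that reproduces the kind of findings the CSP Evaluator output quoted above produces, added here as an example; it is not code from the post, from immuniweb, or from any of the scanners linked. It parses a Content-Security-Policy header, resolves the default-src fallback for scripts, and flags 'unsafe-inline', 'unsafe-eval', data: in the script-governing directive, wildcard hosts, hosts the quoted evaluator output names as JSONP/Angular hosts, and a missing object-src or base-uri. The severities, the two sample policies (an abbreviated form of the quoted one and a hardened counterpart) and the placeholder nonce are constructed for the example.

```python
"""Static Content-Security-Policy checker (constructed example, not the post's
or any scanner's own code). Mirrors the kinds of findings quoted in the post."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, directive, message)

# Hosts the CSP Evaluator output quoted in the post reports as serving JSONP
# endpoints or Angular libraries that let injected markup run despite the policy.
KNOWN_BYPASS_HOSTS = {
    "yastatic.net", "mc.yandex.ru", "pass.yandex.com", "www.google.com",
    "www.youtube.com", "www.gstatic.com", "ajax.googleapis.com",
    "www.google-analytics.com", "api.facebook.com", "www.linkedin.com",
    "www.sharethis.com", "m.addthis.com",
}

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed, abbreviated version of the policy quoted in the post.
SAMPLE_POLICY = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://yastatic.net/ "
    "https://*.yandex.ru/ https://*.tile.openstreetmap.org/ https://www.gstatic.com/ "
    "https://portal.immuniweb.com/; block-all-mixed-content; "
    "report-uri https://www.immuniweb.com/csp/"
)
# Constructed hardened counterpart: nonce-based scripts, plugins and base-uri locked down.
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3'; object-src 'none'; "
    "base-uri 'none'; block-all-mixed-content; report-uri /csp/"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; names are lower-cased."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            name, *sources = tokens
            policy[name.lower()] = sources
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`, falling back to default-src when it is absent."""
    return policy.get(directive, policy.get("default-src", []))


def host_of(source: str) -> str:
    """'https://*.yandex.ru/' -> '*.yandex.ru'; keywords and scheme sources -> ''."""
    if source.startswith("'") or source.endswith(":"):
        return ""
    return source.split("://", 1)[-1].split("/", 1)[0].lower()


def evaluate(header: str) -> List[Finding]:
    """Return findings for the script-governing directive plus object-src/base-uri/reporting."""
    policy = parse_csp(header)
    findings: List[Finding] = []
    sdir = "script-src" if "script-src" in policy else "default-src"
    script = effective_sources(policy, "script-src")

    # A nonce or hash makes CSP level 2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
        findings.append(("high", sdir, "'unsafe-inline' permits inline scripts and event handlers; use nonces or hashes"))
    if "'unsafe-eval'" in script:
        findings.append(("medium", sdir, "'unsafe-eval' permits eval() and similar DOM code-injection APIs"))
    if "data:" in script:
        findings.append(("high", sdir, "data: in a script-governing directive lets injected data: URIs execute"))
    if "*" in script:
        findings.append(("high", sdir, "bare * permits scripts from any origin"))
    for src in script:
        host = host_of(src)
        if not host:
            continue
        if host.startswith("*."):
            findings.append(("medium", sdir, f"{src} is a wildcard host; any subdomain may serve scripts"))
            hit = any(h.endswith("." + host[2:]) for h in KNOWN_BYPASS_HOSTS)
        else:
            hit = host in KNOWN_BYPASS_HOSTS  # a non-wildcard source matches that host only
        if hit:
            findings.append(("high", sdir, f"{src} covers a host known to serve JSONP/Angular that bypasses CSP"))

    if "object-src" not in policy and effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(("high", "object-src", "object-src is missing and default-src is not 'none'; add object-src 'none'"))
    if "base-uri" not in policy:
        findings.append(("medium", "base-uri", "base-uri is missing; add base-uri 'none' or 'self'"))
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("low", "report-uri", "no violation reporting is configured"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity, e.g. {'high': 6, 'medium': 4}."""
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for label, pol in (("quoted policy", SAMPLE_POLICY), ("hardened policy", HARDENED_POLICY)):
        found = evaluate(pol)
        print(f"{label}: {severity_counts(found) or 'no findings'}")
        for sev, directive, msg in found:
            print(f"  [{sev}] {directive}: {msg}")
```

The fallback logic is the point worth noticing: because the quoted policy has no script-src, every source listed in default-src (including data: and the wildcard hosts) governs script execution, which is why the evaluator reports them under default-src. The hardened policy moves scripts to a nonce-based script-src and yields no findings.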