Domain check for cvs.com
Warnings
CSP includes 'unsafe-inline'. This negates most of the XSS protection from CSP.

Strict-Transport-Security good
max-age 31536000
includeSubDomains yes
preload no
max-age=31536000 ; includeSubDomains

Content-Security-Policy weak
default-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://cdn.appdynamics.com *.criteo.com *.criteo.net p11.techlab-cdn.com;
script-src 'unsafe-inline' https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://d.impactradius-event.com https://*.medallia.com https://*.kampyle.com https://cdn.cookielaw.org https://*.adsrvr.org https://cookie-cdn.cookiepro.com https://geolocation.onetrust.com https://privacyportal.onetrust.com https://*.quantummetric.com https://bat.bing.com https://connect.facebook.net https://*.doubleclick.net https://tags.tiqcdn.com https://*.go-mpulse.net https://cdns.brsrvr.com https://*.adoberesources.net https://www.youtube.com/ https://*.youtube.com/ https://*.bluecore.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://www.googletagmanager.com https://www.googleadservices.com https://console.googletagservices.com https://cdn.appdynamics.com https://request.eprotect.vantivprelive.com https://*.adtrafficquality.google blob: p11.techlab-cdn.com;
style-src 'self' 'unsafe-inline' https://*.medallia.com https://*.kampyle.com *.criteo.com *.criteo.net;
connect-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://cvshealth.sjv.io https://*.medallia.com https://*.kampyle.com https://cdn.cookielaw.org https://*.adsrvr.org https://cookie-cdn.cookiepro.com https://geolocation.onetrust.com https://privacyportal.onetrust.com https://col.eum-appdynamics.com https://events.launchdarkly.com https://app.launchdarkly.com https://tags.tiqcdn.com https://dpm.demdex.net https://*.quantummetric.com/ https://www.youtube.com/ https://cm.everesttech.net/ https://pdx-col.eum-appdynamics.com https://securepubads.g.doubleclick.net https://pagead2.googlesyndication.com https://adobedc.demdex.net https://edge.adobedc.net https://csi.gstatic.com https://*.go-mpulse.net https://*.akstat.io/ https://*.bluecore.com https://*.akamaihd.net https://www.googletagmanager.com https://bat.bing.com https://*.adtrafficquality.google https://www.google.com https://dev.virtualearth.net https://www.facebook.com https://ad.doubleclick.net *.criteo.com *.criteo.net p11.techlab-cdn.com;
img-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' http://*.corp.cvscaremark.com https://str.allinahealthaetna.com/ https://images.ctfassets.net http://images.ctfassets.net https://col.eum-appdynamics.com https://metrics-sentry.cvshealth.com https://cm.everesttech.net https://pdx-col-eum-appdynamics.com https://*.adobecqms.net https://pagead2.googlesyndication.com https://cdn.cookielaw.org https://dpm.demdex.net https://www.facebook.com https://ct.pinterest.com https://ad.doubleclick.net https://bat.bing.com https://googleads.g.doubleclick.net https://ad.doubleclick.net https://csi.gstatic.com https://www.google.com https://p.brsrvr.com https://adservice.google.com https://www.googletagmanager.com https://*.adtrafficquality.google https://cvshealth.sjv.io https://www.ojrq.net https://logs-01.loggly.com https://*.medallia.com https://*.ytimg.com/ https://*.kampyle.com *.criteo.com *.criteo.net data: blob:;
frame-src https://*.ubereats.com https://*.googlesyndication.com https://console.googletagservices.com https://www.google.com https://request.eprotect.vantivprelive.com https://cvs.demdex.net https://*.fls.doubleclick.net https://securepubads.g.doubleclick.net https://td.doubleclick.net https://*.adtrafficquality.google https://cvshealth.sjv.io https://*.medallia.com https://www.youtube.com/ https://*.youtube.com/ https://*.kampyle.com *.criteo.com *.criteo.net blob:;
object-src data:;
default-src present
frame-ancestors absent
'unsafe-inline' present
'unsafe-eval' absent
All directives (7): default-src, script-src, style-src, connect-src, img-src, frame-src, object-src
'unsafe-inline' weakens script and style restrictions.

X-Frame-Options good SAMEORIGIN
X-Content-Type-Options good nosniff
Referrer-Policy missing Referrer-Policy header is not set.
Permissions-Policy missing Permissions-Policy header is not set.
Cross-Origin-Opener-Policy missing Cross-Origin-Opener-Policy header is not set.
Cross-Origin-Embedder-Policy missing Cross-Origin-Embedder-Policy header is not set.
Cross-Origin-Resource-Policy missing Cross-Origin-Resource-Policy header is not set.

Server disclosure
Server (not exposed)
X-Powered-By (not exposed)

Recommendations
Once includeSubDomains and a long max-age are stable, submit to the HSTS preload list at hstspreload.org.
Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leaks.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config (nginx)
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped). Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.