https://atlassian.com
Scanned Apr 15, 2026 · 41.4s
Consent Banner: Yes
Regulatory Compliance
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 98 user data leaks before consent on atlassian.com, including Google (Tracker Tracker), 6sense (Advertising Tracker), Microsoft Ads and 21 more.
Security Headers
4/6 present
Strict-Transport-Security
max-age=63072000; preload
Content-Security-Policy
base-uri 'self'; default-src 'self' *.atlassian.com *.intercomcdn.com *.orangelogic.com *.6sc.co *.6sense.com sourcetreeapp.com *.sourcetreeapp.com; script-src 'self' *.gstatic.com *.cookielaw.org *.public.atl-paas.net *.prod.atl-paas.net *.googletagmanager.com *.marketo.net *.atlassian.com utt.impactcdn.com *.google.com *.doubleclick.com *.googleadservices.com *.livechatinc.com *.bing.com *.quora.com *.yimg.jp *.clicktale.net *.linkedin.com *.twitter.com *.licdn.com *.demandbase.com *.doubleclick.net *.facebook.net *.redditstatic.com *.clearbitscripts.com *.clarity.ms *.vimeo.com *.google-analytics.com facebook.com *.facebook.com impactcdn.com *.impactcdn.com clearbitjs.com *.clearbitjs.com yahoo.co.jp *.yahoo.co.jp *.recaptcha.net *.ads-twitter.com *.intercom.io *.intercomcdn.com *.jsdelivr.net *.6sc.co *.6sense.com *.techtarget.com *.capterra.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' *.public.atl-paas.net *.prod.atl-paas.net fonts.googleapis.com *.googletagmanager.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-inline'; img-src 'self' blob: data: atlassian.com *.atlassian.com *.cookielaw.org *.gravatar.com *.wp.com fd-assets.prod.atl-paas.net pixel.pointmediatracker.com *.prod.public.atl-paas.net cnv.event.prod.bidr.io *.doubleclick.net *.clicktale.net *.bing.com rlcdn.com reddit.com quora.com *.rlcdn.com *.reddit.com *.quora.com *.ctfassets.net *.linkedin.com *.google.com *.google.com.au *.company-target.com *.facebook.com *.google-analytics.com *.twitter.com t.co *.intercomcdn.com *.intercomassets.com *.frontend.public.atl-paas.net *.orangelogic.com *.googletagmanager.com img.logo.dev *.atlassian.net sourcetreeapp.com *.sourcetreeapp.com; font-src 'self' *.ctfassets.net *.intercomcdn.com *.gstatic.com *.frontend.public.atl-paas.net; frame-ancestors 'none'; form-action 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/wac-web; report-to csp-default-endpoint; connect-src 'self' ws: 
atlassian.com *.atlassian.com *.cookielaw.org *.onetrust.com *.public.atl-paas.net *.prod.atl-paas.net *.mktoresp.com *.ingest.sentry.io *.workato.com atlassian.sjv.io statsigapi.net *.statsigapi.net *.contentful.com atlassian.net *.clicktale.net *.contentsquare.net *.bing.com google-analytics.com company-target.com linkedin.com *.google-analytics.com *.company-target.com *.linkedin.com *.doubleclick.net *.reddit.com *.redditstatic.com *.google.com *.demandbase.com *.clarity.ms *.clearbit.com *.intercom.io *.algolianet.com *.algolia.net *.algolia.io *.recaptcha.net https://unpkg.com/@rive-app/ *.facebook.com *.orangelogic.com *.adnxs.com *.6sc.co *.6sense.com apis.auxia.io *.atlassian.net https://participant.connect.us-east-1.amazonaws.com wss://participant.connect.us-east-1.amazonaws.com *.connect.us-east-1.amazonaws.com sourcetreeapp.com *.sourcetreeapp.com; worker-src 'self' blob:; frame-src 'self' *.youtube.com *.google.com *.doubleclick.net *.recaptcha.net *.atl-paas.net *.company-target.com *.googletagmanager.com *.atlassian.net; media-src 'self' *.ctfassets.net *.atlassian.com *.orangelogic.com
X-Frame-Options
DENY
X-Content-Type-Options
nosniff
Referrer-Policy
Set a Referrer-Policy header to control how much referrer information is shared
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode V2
Consent Parameters
Post-Rejection Audit
Reject Button: Found
Post-Rejection Fires: 2 vendors
Consent Mode: Not Detected
GTM Load: 4733ms pre-consent
Google Tag Manager (GTM-5RJSBR)
Loaded 4733ms after page load — before the consent banner was detected (banner appeared at 8565ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
✓ gtag('consent', 'update') call detected on rejection
Vendors firing after rejection (2)
| Vendor | Category | Timing | URL |
|---|---|---|---|
| Microsoft — Microsoft Ads | advertising | 19090ms | bat.bing.com |
| Sentry — Sentry | analytics | 21961ms | o55978.ingest.sentry.io |
Consent Record Audit
Issues detected
Consent record stored after interaction · GDPR Art. 7(1) · Found: OptanonConsent (OneTrust)
Record contains timestamp · Art. 7(1) · Timestamp field detected
Record contains consent state · Art. 7(1) · Consent state (accepted/rejected) not found in record
Record contains consent categories · Art. 7(1) · Consent categories (analytics, marketing, etc.) not found in record
Consent withdrawal mechanism accessible · GDPR Art. 7(3) · No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical (56)
Meta Pixel · 3 findings · ID tracked: www.facebook.com, connect.facebook.net, _fbp

Meta Pixel (Meta) loaded before consent: Meta Pixel tracking endpoint

Meta Pixel (Meta) loaded before consent: Sends user data to Meta for ad targeting and conversion tracking

Meta Pixel cookie "_fbp" set before consent
Google (Tracker Tracker) · 2 findings: www.recaptcha.net, adservice.google.com
Google (tracker) loaded before consent
Google (tracker) loaded before consent
6sense (Advertising Tracker) · 4 findings: j.6sc.co, c.6sc.co, ipv6.6sc.co, b.6sc.co
6sense (advertising) loaded before consent
6sense (advertising) loaded before consent
6sense (advertising) loaded before consent
6sense (advertising) loaded before consent
Microsoft Ads · 3 findings: bat.bing.com, _uetsid, _uetvid

Microsoft Ads (Microsoft) loaded before consent: Microsoft Ads (Bing) UET conversion tracking

Microsoft Ads cookie "_uetsid" set before consent

Microsoft Ads cookie "_uetvid" set before consent
LinkedIn Insight Tag (LinkedIn) loaded before consent: Tracks conversions and enables LinkedIn audience targeting
Twitter/X Pixel (X (Twitter)) loaded before consent: Loads Twitter/X conversion tracking script
ContentSquare (Analytics Tracker) · 4 findings: cdnssl.clicktale.net, c.clicktale.net, k-aus1.clicktale.net, srm.bf.contentsquare.net
ContentSquare (analytics) loaded before consent
ContentSquare (analytics) loaded before consent
ContentSquare (analytics) loaded before consent
ContentSquare (analytics) loaded before consent
Marketo · 2 findings: munchkin.marketo.net, _mkto_trk

Marketo (Adobe) loaded before consent: Marketo Munchkin tracking for marketing automation

Marketo cookie "_mkto_trk" set before consent
Advertising Tracker · 2 findings: trk.techtarget.com, epsilon.6sense.com
advertising tracker at trk.techtarget.com loaded before consent
advertising tracker at epsilon.6sense.com loaded before consent
reddit (advertising) loaded before consent
Impact (Advertising Tracker) · 3 findings: utt.impactcdn.com, atlassian.sjv.io, www.ojrq.net
Impact (advertising) loaded before consent
Impact (advertising) loaded before consent
Impact (advertising) loaded before consent
Bliss Point (advertising) loaded before consent
Informa (advertising) loaded before consent
Reddit Pixel · 2 findings: alb.reddit.com, _rdt_uuid
Reddit Pixel (Reddit) loaded before consent: Reddit conversion tracking pixel
Reddit Pixel cookie "_rdt_uuid" set before consent

Microsoft (advertising) loaded before consent

Adobe (analytics) loaded before consent
Segment · 2 findings: ajs_anonymous_id
Segment cookie "ajs_anonymous_id" set before consent
Segment (Twilio) wrote "ajs_anonymous_id" to localStorage before consent
Google Ads · 2 findings: _gcl_au, _gcl_ls

Google Ads cookie "_gcl_au" set before consent

Google Ads (Google) wrote "_gcl_ls" to localStorage before consent
Google Analytics · 4 findings: _ga, _gid, _gat_UA-6032469-23, _ga_EKLW76PEWW

Google Analytics cookie "_ga" set before consent

Google Analytics cookie "_gid" set before consent

Google Analytics cookie "_gat_UA-6032469-23" set before consent

Google Analytics cookie "_ga_EKLW76PEWW" set before consent
X · 5 findings: guest_id_marketing, guest_id_ads, personalization_id, guest_id, muc_ads
X cookie "guest_id_marketing" set before consent — This cookie is for advertising when logged out
X cookie "guest_id_ads" set before consent — This cookie is for advertising when logged out
X cookie "personalization_id" set before consent — Unique value with which users can be identified by X. Collected information is used to personalize X services, including X trends, stories, ads and suggestions.
X cookie "guest_id" set before consent — This cookie is set by X to identify and track the website visitor. Registers whether a user is signed in to the X platform and collects information about ad preferences.
X cookie "muc_ads" set before consent — These cookies are placed when you come to our website via X. A cookie from X is also placed on our website, with which we can later show a relevant offer on X
LinkedIn · 3 findings: lidc, bcookie, brwsr
LinkedIn cookie "lidc" set before consent — Used by the social networking service, LinkedIn, for tracking the use of embedded services.
LinkedIn cookie "bcookie" set before consent — Used by LinkedIn to track the use of embedded services.
LinkedIn cookie "brwsr" set before consent — Affiliate marketing cookie for LinkedIn

DoubleClick/Google Marketing cookie "IDE" set before consent — This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite

Bing / Microsoft cookie "MUID" set before consent — Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.
ContentSquare · 3 findings: _cs_c, _cs_id, _cs_s
ContentSquare cookie "_cs_c" set before consent — Consent state: digit between 0 and 3. Used for capturing analytics on web pages
ContentSquare cookie "_cs_id" set before consent — Contains: user ID, timestamp (in seconds) of user creation, number of visits for this user
ContentSquare cookie "_cs_s" set before consent — Number of page views for the current session, and the recording state

Microsoft — Microsoft Ads fires after user rejected consent
Sentry — Sentry fires after user rejected consent
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings (45)
Google Tag Manager · 2 findings · ID tracked: www.googletagmanager.com

Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-5RJSBR)
Twitter (social) loaded before consent
Google Analytics · 2 findings · ID tracked: region1.analytics.google.com, www.google-analytics.com

GA4 cookieless ping detected before consent — GCM v2 active with analytics_storage: denied. No cookies or user identifiers are collected in this request.

GA4 cookieless ping detected before consent — GCM v2 active with analytics_storage: denied. No cookies or user identifiers are collected in this request.
Google (Tracker Tracker) · 3 findings · ID tracked: stats.g.doubleclick.net, ad.doubleclick.net, 5406241.fls.doubleclick.net
Google (Tracker Tracker) cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
Google (Tracker Tracker) cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
Google (Tracker Tracker) cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
Unknown third-party request to t.co before consent
Google Ads · 2 findings: www.google.com, googleads.g.doubleclick.net

Google Ads cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.

Google Ads cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
reddit (social) loaded before consent
Unknown third-party request to ds-cdn.prod-east.frontend.public.atl-paas.net before consent
Unknown third-party request to wac-web.prod-east.frontend.public.atl-paas.net before consent
Unknown third-party request to dam-cdn.atl.orangelogic.com before consent
Unknown third-party request to assets.ctfassets.net before consent
Unknown third-party request to xxid.atl-paas.net before consent
Unknown third-party request to px.ads.linkedin.com before consent
Unknown third-party request to www.google.com before consent
localStorage key "ufvisitor" written before consent
sessionStorage key "awc.storage.support" written before consent
sessionStorage key "awc.taskSessions" written before consent
sessionStorage key "awc.taskSessionsInit" written before consent
localStorage key "statsig.stable_id.1647434767" written before consent
localStorage key "STATSIG_OVERRIDES" written before consent
localStorage key "_storage_test" written before consent
localStorage key "onboarding-journey" written before consent
localStorage key "onboarding-journey_expiresIn" written before consent
localStorage key "statsig.session_id.1647434767" written before consent
localStorage key "atl_xid.xc" written before consent
localStorage key "atl_xid.ts" written before consent
localStorage key "atl_xid.current" written before consent
sessionStorage key "awc.tab.id" written before consent
localStorage key "awc.session.expiry" written before consent
localStorage key "awc.session.id" written before consent
localStorage key "marketingContext" written before consent
localStorage key "marketingContext_expiresIn" written before consent
localStorage key "lastExternalReferrer" written before consent
sessionStorage key "awc.last.screen.event" written before consent
localStorage key "_uetsid" written before consent
localStorage key "_uetsid_exp" written before consent
localStorage key "_uetvid" written before consent
localStorage key "_uetvid_exp" written before consent
localStorage key "_6senseCompanyDetails" written before consent
localStorage key "_6signalTTL" written before consent
Info (10)
OneTrust · 2 findings: cdn.cookielaw.org, OptanonConsent

OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management

OneTrust cookie "OptanonConsent" set before consent
Sentry (Sentry) loaded before consent: Sentry error reporting endpoint

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location
Google (Cdn) · 3 findings: www.gstatic.com, fonts.gstatic.com, www.google.nl
Google (cdn) loaded before consent
Google (cdn) loaded before consent
Google (cdn) loaded before consent
Vimeo (cdn) loaded before consent
LinkedIn cookie "li_gc" set before consent — Used to store guest consent to the use of cookies for non-essential purposes

Cloudflare cookie "_cfuvid" set before consent — The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address.
Compliant (1)

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent
This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com