https://bitget.com
Scanned Apr 15, 2026 · 43.5s
Your website score is
Grade
Consent Banner
Yes
Regulatory Compliance
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 24 user data leaks before consent on bitget.com, including Google (Tracker), Google Analytics.
Security Headers
5/6 present
Strict-Transport-Security
max-age=15768000;includeSubDomains;preload
Content-Security-Policy
default-src 'self' blob: https://*.bgbstatic.com https://*.bgstatic.com https://*.gurenla.com https://*.bitget.com; frame-src 'self' https://*.noxiaohao.com https://telegram.org https://*.bitget.com https://www.facebook.com https://accounts.google.com https://oauth.telegram.org; script-src 'self' 'unsafe-inline' https://analytics-ipv6.tiktokw.us https://analytics.tiktok.com https://*.noxiaohao.com https://*.bgbstatic.com https://*.bgstatic.com https://*.gurenla.com https://*.bitget.com https://accounts.google.com https://www.googletagmanager.com https://fonts.googleapis.com https://play.google.com https://analytics.google.com https://fonts.gstatic.com https://telegram.org https://oauth.telegram.org https://*.geetest.com https://*.geevisit.com https://www.facebook.com; connect-src 'self' wss: https://stats.g.doubleclick.net https://analytics.google.com https://www.google.com wss://stream.bitget.cloud https://analytics-ipv6.tiktokw.us https://analytics.tiktok.com https://*.noxiaohao.com wss://*.noxiaohao.com wss://*.bitget.com https://www.turingfraud.net https://play.google.com https://accounts.google.com https://*.bgbstatic.com https://*.bgstatic.com https://*.gurenla.com https://*.bitget.com https://www.facebook.com https://telegram.org https://oauth.telegram.org https://static.geetest.com https://static.geevisit.com; worker-src 'self' blob:; img-src 'self' data: blob: https://www.googletagmanager.com https://img.bgbstatic.com https://*.bgstatic.com https://img.bitgetimg.com https://img.gurenla.com https://*.bgbstatic.com https://www.facebook.com https://lh3.googleusercontent.com https://static.geetest.com https://static.geevisit.com https://static-web.jjdsn.vip https://cdn.bitkeep.vip https://www.google.co.jp https://bin.wangsustatic.com; style-src 'self' 'unsafe-inline' https://static.geetest.com https://static.geevisit.com https://accounts.google.com https://fonts.googleapis.com https://static.bgbstatic.com https://*.bgbstatic.com https://*.bgstatic.com 
https://*.gurenla.com https://*.bitget.com; font-src 'self' data: https://static.geetest.com https://static.geevisit.com https://fonts.gstatic.com https://*.bgbstatic.com https://*.bgstatic.com https://*.gurenla.com https://*.bitget.com; frame-ancestors 'self'; require-trusted-types-for 'script'; trusted-types default dompurify vue goog#html 'allow-duplicates' html; upgrade-insecure-requests; report-uri /v1/buried/log/cspSecurity;
X-Frame-Options
SAMEORIGIN
X-Content-Type-Options
nosniff
Referrer-Policy
unsafe-url
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode
V2
Consent Parameters
Issues (1)
No default consent call detected — consent mode may not be initialised correctly
Post-Rejection Audit
Reject Button
Found
Post-Rejection Fires
0 vendors
Consent Mode
Not Detected
GTM Load
3359ms pre-consent
Google Tag Manager (GTM-WQ4HTBR)
Loaded 3359ms after page load — before the consent banner was detected (banner appeared at 8699ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
✓ gtag('consent', 'update') call detected on rejection
Consent Record Audit
Issues detected
Consent record stored after interaction
GDPR Art. 7(1): Found: OptanonConsent (OneTrust)
Record contains timestamp
Art. 7(1): No timestamp found in consent record
Record contains consent state
Art. 7(1): Consent state (accepted/rejected) not found in record
Record contains consent categories
Art. 7(1): Consent categories detected
Consent withdrawal mechanism accessible
GDPR Art. 7(3): No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical (4)
Google (tracker) loaded before consent
Google Analytics (2 findings): _ga, _ga_Z8Q93KHR0F

Google Analytics cookie "_ga" set before consent

Google Analytics cookie "_ga_Z8Q93KHR0F" set before consent
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings (21)
Google Tag Manager (2 findings)
ID tracked
www.googletagmanager.com

Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-WQ4HTBR)
Unknown third-party request to img.bgstatic.com before consent
Unknown third-party request to static.bgbstatic.com before consent
Unknown third-party request to img.gurenla.com before consent
Unknown third-party request to www.turingfraud.net before consent
Unknown third-party request to cecngibhkljoiafhjfmcgbmikfogdiko before consent
localStorage key "compliance-wall-config-microComponent,portal" written before consent
sessionStorage key "sign-verify-gateway-sign-config" written before consent
localStorage key "dy_get_token_is_pending" written before consent
localStorage key "_dx_kvani5r" written before consent
localStorage key "fastestimgdomain" written before consent
localStorage key "fingerprint" written before consent
localStorage key "terminalCode" written before consent
localStorage key "firstVisitTime" written before consent
sessionStorage key "sourceReferer" written before consent
sessionStorage key "SourceTarget" written before consent
localStorage key "customerServiceEventList" written before consent
localStorage key "MICRO_GLOBAL_DIALOG" written before consent
localStorage key "dy_token_expires" written before consent
localStorage key "eventList" written before consent
Info (3)
Google (cdn) loaded before consent

Cloudflare cookie "_cfuvid" set before consent — The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address.
Cloudflare bot management — necessary for site operation
Compliant (2)
OneTrust (2 findings): OptanonAlertBoxClosed, OptanonConsent

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent

OneTrust cookie "OptanonConsent" set correctly after consent
This audit is based on publicly observable website behavior.