"Should I buy a Nitrokey FIDO U2F?"
If there is no specific reason for you to buy the Nitrokey FIDO U2F (which is based on the U2F Zero) and you want open hardware, buy a SoloKey (https://solokeys.com/).
The SoloKey is the official successor of the U2F Zero, and – more importantly – it already supports WebAuthn/FIDO2 (unlike the Nitrokey FIDO U2F).
Besides, keep in mind that U2F/WebAuthn support may not be available for your web services at the moment.
@infosechandbook their website is full of trackers
Trackers on websites are neither always illegal nor directly related to the product, an offline security token.
Besides, Nitrokey also uses at least one tracker.
Several pages of nitrokey.com have Piwik embedded. For instance, https://shop.nitrokey.com/shop. See also https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fshop.nitrokey.com%2Fshop.
If you rely on Webbkoll (we assume this here), always scan all pages. We wrote about this problem in https://infosec-handbook.eu/blog/limits-webbkoll/ and talked with the Webbkoll dev who totally agrees with us. Webbkoll has several limits.
Interestingly, scanning https://www.nitrokey.com/de/documentation/applications reveals googleads.g.doubleclick.net, youtube.com, and more Google. Google APIs and YouTube are explicitly allowed in the CSP of nitrokey.com. Just opening this page already transmits data to Google, and you get cookies from YT. Google fonts are also present at support.nitrokey.com.
This again shows the importance of scanning all pages, not only the home page.
You could alternatively only show a link to YouTube without embedding any content. By doing so, you can remove YouTube from your CSP.
This is also true for other third-party content embedded on nitrokey.com and its subdomains.
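A check of the kind the post above calls for, as an added example that is not part of this thread and not code from Nitrokey or infosec-handbook: a small Python script that lists which Content-Security-Policy directives grant third-party origins, and rebuilds the policy without a given host once the embedded content has been replaced by a plain link. The policy string is constructed for illustration and is not nitrokey.com's real CSP; `example.org` stands in for the site being audited.

```python
"""List third-party origins allowed by a CSP and drop a host from it.

Added example; the SAMPLE_CSP below is constructed for illustration and is
not the policy of any real site.
"""
from typing import Dict, List, Optional

# Directives that decide where content may be loaded from.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "child-src", "media-src", "object-src",
}

# Constructed sample: a first-party site that embeds a YouTube player,
# loads a Google API, and pulls video thumbnails from ytimg.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://apis.google.com; "
    "frame-src 'self' https://www.youtube.com; "
    "img-src 'self' data: https://i.ytimg.com; "
    "font-src 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_host(source: str) -> Optional[str]:
    """Return the host of a host-source; None for keywords and scheme-sources.

    Keywords ('self', 'none', 'unsafe-inline', nonces, hashes) are quoted,
    scheme-sources (https:, data:, blob:) end with a colon.
    """
    if source.startswith("'") or source.endswith(":"):
        return None
    host = source.split("://", 1)[-1]   # drop scheme, if any
    host = host.split("/", 1)[0]        # drop path, if any
    if host.count(":") == 1:            # drop port, if any (host:443, host:*)
        host = host.rsplit(":", 1)[0]
    return host.lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (wildcards count)."""
    bare = host.lstrip("*.")
    return bare == domain or bare.endswith("." + domain)


def third_party_origins(header: str, site: str) -> Dict[str, List[str]]:
    """Map each fetch directive to the third-party hosts it allows."""
    result: Dict[str, List[str]] = {}
    for directive, sources in parse_csp(header).items():
        if directive not in FETCH_DIRECTIVES:
            continue
        hosts = [h for h in map(source_host, sources)
                 if h is not None and not under_domain(h, site)]
        if hosts:
            result[directive] = hosts
    return result


def drop_host(header: str, domain: str) -> str:
    """Rebuild the policy with every source under `domain` removed.

    Note: a fetch directive left with no sources is equivalent to 'none';
    here only the matching sources are removed, the directive stays.
    """
    parts = []
    for directive, sources in parse_csp(header).items():
        kept = [s for s in sources
                if not (source_host(s) and under_domain(source_host(s), domain))]
        parts.append(" ".join([directive, *kept]))
    return "; ".join(parts)


if __name__ == "__main__":
    for directive, hosts in third_party_origins(SAMPLE_CSP, "example.org").items():
        print(f"{directive}: {', '.join(hosts)}")
    print(drop_host(SAMPLE_CSP, "youtube.com"))
```

Removing `youtube.com` alone leaves `i.ytimg.com` in `img-src`, which is the kind of leftover the audit output makes visible: once the player is replaced by a link, the thumbnail host has to go too, and the report should be re-run on the tightened policy.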