Content-Security-Policy Analysis for https://app.stackhawk.com

Open Cached · just now

12 directives

Content-Security-Policy

Content-Security-Policy: default-src 'none'; form-action 'self' https://*.stackhawk.com; connect-src 'self' https://*.stackhawk.com wss://*.stackhawk.com https://*.googleusercontent.com https://*.amazonaws.com https://*.linkedin.com https://*.licdn.com https://*.stripe.com https://*.intercom.io wss://*.intercom.io https://*.intercom-messenger.com wss://*.intercom-messenger.com https://*.wistia.com https://*.intercomcdn.com https://*.doubleclick.net https://*.google.com https://api.hubapi.com https://*.ingest.sentry.io https://*.google-analytics.com https://*.hubspot.com https://sentry.io https://*.githubusercontent.com https://*.merge.dev; frame-src https://js.stripe.com https://www.googletagmanager.com https://*.intercom.io https://*.wistia.net https://*.doubleclick.net https://*.merge.dev; script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' https://*.stackhawk.com https://js.stripe.com https://*.wistia.com https://*.intercom.io https://*.intercomcdn.com https://*.doubleclick.net https://*.licdn.com https://www.googletagmanager.com https://js.hsadspixel.net https://js.hs-scripts.com https://js.hs-banner.com https://js.hs-analytics.net https://www.google-analytics.com https://*.ingest.sentry.io https://*.merge.dev; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://*.intercomcdn.com https://*.wistia.com https://*.gstatic.com; object-src 'none'; img-src 'self' data: https://static.intercomassets.com https://*.intercomcdn.com https://*.linkedin.com https://*.google.com https://*.google-analytics.com https://*.hubspot.com https://*.googleusercontent.com https://*.githubusercontent.com https://*.merge.dev; manifest-src 'self'; worker-src 'self' blob:; media-src 'self' https://*.wistia.com https://*.stackhawk.com;

default-src Keyword —

'none'

form-action Keyword —

'self'

form-action Host —

https://*.stackhawk.com

ASN | Cloudflare

connect-src Keyword —

'self'

connect-src Host —

https://*.stackhawk.com

ASN | Cloudflare

connect-src Host —

wss://*.stackhawk.com

ASN | Cloudflare

connect-src Host

Google Cloud Storage

https://*.googleusercontent.com

connect-src Host

AWS

https://*.amazonaws.com

connect-src Host

LinkedIn

https://*.linkedin.com

ASN | Microsoft

connect-src Host

LinkedIn

https://*.licdn.com

connect-src Host

Stripe

https://*.stripe.com

connect-src Host

Intercom

https://*.intercom.io

connect-src Host

Intercom

wss://*.intercom.io

connect-src Host

Intercom

https://*.intercom-messenger.com

connect-src Host

Intercom

wss://*.intercom-messenger.com

connect-src Host

Wistia

https://*.wistia.com

connect-src Host

Intercom

https://*.intercomcdn.com

connect-src Host

Google DoubleClick

https://*.doubleclick.net

connect-src Host —

https://*.google.com

connect-src Host

HubSpot

https://api.hubapi.com

ASN | Cloudflare

connect-src Host

Sentry

https://*.ingest.sentry.io

connect-src Host

Google Analytics

https://*.google-analytics.com

connect-src Host

HubSpot

https://*.hubspot.com

ASN | Cloudflare

connect-src Host

Sentry

https://sentry.io

ASN | Google Cloud

connect-src Host

GitHub

https://*.githubusercontent.com

connect-src Host —

https://*.merge.dev

ASN | Cloudflare

frame-src Host

Stripe

https://js.stripe.com

frame-src Host

Google Tag Manager

https://www.googletagmanager.com

frame-src Host

Intercom

https://*.intercom.io

frame-src Host

Wistia

https://*.wistia.net

frame-src Host

Google DoubleClick

https://*.doubleclick.net

frame-src Host —

https://*.merge.dev

ASN | Cloudflare

script-src Keyword —

'self'

script-src Keyword —

'wasm-unsafe-eval'

script-src Keyword —

'unsafe-inline'

script-src Host —

https://*.stackhawk.com

ASN | Cloudflare

script-src Host

Stripe

https://js.stripe.com

script-src Host

Wistia

https://*.wistia.com

script-src Host

Intercom

https://*.intercom.io

script-src Host

Intercom

https://*.intercomcdn.com

script-src Host

Google DoubleClick

https://*.doubleclick.net

script-src Host

LinkedIn

https://*.licdn.com

script-src Host

Google Tag Manager

https://www.googletagmanager.com

script-src Host

HubSpot

https://js.hsadspixel.net

ASN | Cloudflare

script-src Host

HubSpot

https://js.hs-scripts.com

ASN | Cloudflare

script-src Host

HubSpot

https://js.hs-banner.com

ASN | Cloudflare

script-src Host

HubSpot Analytics

https://js.hs-analytics.net

ASN | Cloudflare

script-src Host

Google Analytics

https://www.google-analytics.com

script-src Host

Sentry

https://*.ingest.sentry.io

script-src Host —

https://*.merge.dev

ASN | Cloudflare

style-src Keyword —

'self'

style-src Keyword —

'unsafe-inline'

style-src Host

Google Fonts

https://fonts.googleapis.com

font-src Keyword —

'self'

font-src Scheme —

data:

font-src Host

Intercom

https://*.intercomcdn.com

font-src Host

Wistia

https://*.wistia.com

font-src Host

Google Static File Front End

https://*.gstatic.com

object-src Keyword —

'none'

img-src Keyword —

'self'

img-src Scheme —

data:

img-src Host

Intercom

https://static.intercomassets.com

img-src Host

Intercom

https://*.intercomcdn.com

img-src Host

LinkedIn

https://*.linkedin.com

ASN | Microsoft

img-src Host —

https://*.google.com

img-src Host

Google Analytics

https://*.google-analytics.com

img-src Host

HubSpot

https://*.hubspot.com

ASN | Cloudflare

img-src Host

Google Cloud Storage

https://*.googleusercontent.com

img-src Host

GitHub

https://*.githubusercontent.com

img-src Host —

https://*.merge.dev

ASN | Cloudflare

manifest-src Keyword —

'self'

worker-src Keyword —

'self'

worker-src Scheme —

blob:

media-src Keyword —

'self'

media-src Host

Wistia

https://*.wistia.com

media-src Host —

https://*.stackhawk.com

ASN | Cloudflare

Content-Security-Policy-Report-Only

No report-only CSP headers found.