18 directives
Content-Security-Policy
Content-Security-Policy: default-src 'self' https://assets.step.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.sentry-cdn.com https://*.sentry.io https://www.google-analytics.com https://www.googletagmanager.com https://consent.cookiebot.com https://*.cookiebot.com https://connect.facebook.net https://*.iesnare.com https://js.stripe.com https://maps.googleapis.com https://cdn.plaid.com https://assets.step.com https://*.clarity.ms https://c.bing.com https://cdn.mgln.ai https://googleads.g.doubleclick.net https://websdk.appsflyer.com https://boards.greenhouse.io https://www.recaptcha.net https://www.gstatic.com https://pagead2.googlesyndication.com https://sc-static.net https://*.snapchat.com https://*.tiktok.com https://*.shakebugs.com; script-src-elem 'self' 'unsafe-inline' https://js.sentry-cdn.com https://*.sentry.io https://www.google-analytics.com https://www.googletagmanager.com https://consent.cookiebot.com https://*.cookiebot.com https://connect.facebook.net https://*.iesnare.com https://js.stripe.com https://maps.googleapis.com https://cdn.plaid.com https://assets.step.com https://*.clarity.ms https://c.bing.com https://cdn.mgln.ai https://googleads.g.doubleclick.net https://websdk.appsflyer.com https://boards.greenhouse.io https://www.recaptcha.net https://www.gstatic.com https://pagead2.googlesyndication.com https://sc-static.net https://*.snapchat.com https://*.tiktok.com https://static.userback.io https://*.shakebugs.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.step.com https://www.googletagmanager.com; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.step.com https://www.googletagmanager.com; img-src 'self' data: blob: https://images.ctfassets.net https://assets.step.com https://step.com https://pps.step.com https://logos.step.com https://www.google-analytics.com https://www.facebook.com https://connect.facebook.net https://*.cookiebot.com https://maps.gstatic.com 
https://googleads.g.doubleclick.net https://www.google.com https://www.googleadservices.com https://mgln.ai https://us.mgln.ai https://pixel.tapad.com https://*.clarity.ms https://c.bing.com https://www.googletagmanager.com https://fonts.gstatic.com https://images.contentful.com https://*.onelink.me https://impressions.onelink.me https://pagead2.googlesyndication.com https://*.snapchat.com https://*.tiktok.com https://*.tiktokw.us https://*.shakebugs.com; font-src 'self' data: https://fonts.gstatic.com https://assets.step.com https://*.cdn.office.net https://use.typekit.net; media-src 'self' data: https://videos.ctfassets.net; connect-src 'self' data: https://*.sentry.io https://www.google-analytics.com https://*.step.com https://*.dev.step.com https://*.iesnare.com wss://*.iesnare.com https://*.cookiebot.com https://*.mixpanel.com https://assets.step.com https://graphql.contentful.com https://images.ctfassets.net https://www.google.com https://mgln.ai https://www.googleadservices.com https://analytics.google.com https://*.clarity.ms https://c.bing.com https://stats.g.doubleclick.net https://googleads.g.doubleclick.net https://www.facebook.com https://*.conversionsapigateway.com https://*.appsflyer.com https://*.appsflyersdk.com https://*.onelink.me https://www.gstatic.com https://region1.analytics.google.com https://region1.google-analytics.com https://www.googletagmanager.com https://maps.googleapis.com https://places.googleapis.com https://pagead2.googlesyndication.com https://*.run.app https://*.snapchat.com https://*.tiktok.com https://*.tiktokw.us https://*.shakebugs.com; worker-src 'self' blob:; frame-src 'self' https://step.com https://*.cookiebot.com https://js.stripe.com https://hooks.stripe.com https://cdn.plaid.com https://www.youtube-nocookie.com https://*.withpersona.com https://www.googletagmanager.com https://job-boards.greenhouse.io https://www.recaptcha.net https://*.snapchat.com https://*.53.com https://*.typeform.com 
https://pagead2.googlesyndication.com; manifest-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self' https://assets.step.com *.step.com https://app.contentful.com https://hooks.stripe.com https://js.stripe.com; report-uri /api/csp-report; report-to csp-endpoint;
default-src      Keyword  —  'self'
script-src       Keyword  —  'self'
script-src       Keyword  —  'unsafe-inline'
script-src       Keyword  —  'unsafe-eval'
script-src-elem  Keyword  —  'self'
script-src-elem  Keyword  —  'unsafe-inline'
style-src        Keyword  —  'self'
style-src        Keyword  —  'unsafe-inline'
style-src-elem   Keyword  —  'self'
style-src-elem   Keyword  —  'unsafe-inline'
img-src          Keyword  —  'self'
img-src          Scheme   —  data:
img-src          Scheme   —  blob:
font-src         Keyword  —  'self'
font-src         Scheme   —  data:
media-src        Keyword  —  'self'
media-src        Scheme   —  data:
connect-src      Keyword  —  'self'
connect-src      Scheme   —  data:
connect-src      Host     —
worker-src       Keyword  —  'self'
worker-src       Scheme   —  blob:
frame-src        Keyword  —  'self'
manifest-src     Keyword  —  'self'
object-src       Keyword  —  'none'
base-uri         Keyword  —  'self'
form-action      Keyword  —  'self'
frame-ancestors  Keyword  —  'self'
report-uri       Host     —
report-to        Host     —
Content-Security-Policy-Report-Only
No report-only CSP headers found.