Content-Security-Policy Analysis for https://trainsplit.com

Open Cached · just now

15 directives

Content-Security-Policy

Content-Security-Policy: default-src 'self';script-src 'self' https://sentry.services.trainsplit.com https://*.googletagmanager.com https://apis.google.com https://js.stripe.com https://pay.google.com https://www.google.com/pay https://hcaptcha.com https://*.hcaptcha.com https://challenges.cloudflare.com 'unsafe-eval';style-src 'self' https://fonts.googleapis.com https://rsms.me https://hcaptcha.com https://*.hcaptcha.com 'nonce-lSl+O/H0qvdcASkx55/7XL7jx8PA88q8xd8FaonpH1w=';child-src 'self' blob:;connect-src 'self' https://sentry.services.trainsplit.com https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://api.stripe.com https://fonts.googleapis.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://osm.trainsplit.app https://osm-assets.trainsplit.app https://railcards.trainsplit.com https://railcards.development.trainsplit.com https://railcards.staging.trainsplit.com https://hcaptcha.com https://*.hcaptcha.com;font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net https://rsms.me;form-action 'self' https://accounts.google.com;img-src 'self' data: https://raileasyapi.apidev.trainsplit.com https://*.google-analytics.com https://raileasyapi.api.trainsplit.com https://directus.trainsplit.com https://trainsplit.com https://play-lh.googleusercontent.com/ https://*.googletagmanager.com;media-src 'self' https://directus.trainsplit.com;object-src 'none';frame-ancestors 'self';frame-src * https://timetables.trainsplit.com https://timetables.trainsplit.dev https://timetables.staging.trainsplit.com https://trainsplit.firebaseapp.com https://trainsplitcorporate.firebaseapp.com https://trainsplitcorporatepro.firebaseapp.com https://www.stay22.com https://hcaptcha.com https://*.hcaptcha.com https://seatselector.trainsplit.com https://seatselector-test.trainsplit.com https://seatselector.trainsplit.dev https://www.youtube.com https://js.stripe.com https://hooks.stripe.com https://docs.google.com/forms/ https://accounts.google.com https://challenges.cloudflare.com;worker-src 'self' blob:;base-uri 'self';report-uri https://sentry.services.trainsplit.com/api/3/security/?sentry_key=2ebbd667730e81902c8ef1cf84e4c313

default-src Keyword —

'self'

script-src Keyword —

'self'

script-src Host —

https://sentry.services.trainsplit.com

ASN | Google Cloud

script-src Host

Google Tag Manager

https://*.googletagmanager.com

script-src Host

Google API JS Client

https://apis.google.com

script-src Host

Stripe

https://js.stripe.com

script-src Host

Google Pay

https://pay.google.com

script-src Host

Google Search

https://www.google.com/pay

script-src Host

hCaptcha

https://hcaptcha.com

ASN | Cloudflare

script-src Host

hCaptcha

https://*.hcaptcha.com

ASN | Cloudflare

script-src Host

Cloudflare Turnstile

https://challenges.cloudflare.com

ASN | Cloudflare

script-src Keyword —

'unsafe-eval'

style-src Keyword —

'self'

style-src Host

Google Fonts

https://fonts.googleapis.com

style-src Host —

https://rsms.me

ASN | Cloudflare

style-src Host

hCaptcha

https://hcaptcha.com

ASN | Cloudflare

style-src Host

hCaptcha

https://*.hcaptcha.com

ASN | Cloudflare

style-src Nonce —

'nonce-lSl+O/H0qvdcASkx55/7XL7jx8PA88q8xd8FaonpH1w='

child-src Keyword —

'self'

child-src Scheme —

blob:

connect-src Keyword —

'self'

connect-src Host —

https://sentry.services.trainsplit.com

ASN | Google Cloud

connect-src Host

Google API JS Client

https://identitytoolkit.googleapis.com

connect-src Host

Google API JS Client

https://securetoken.googleapis.com

connect-src Host

Stripe

https://api.stripe.com

connect-src Host

Google Fonts

https://fonts.googleapis.com

connect-src Host

Google Analytics

https://*.google-analytics.com

connect-src Host

Google Tag Manager

https://*.googletagmanager.com

connect-src Host

Google Analytics

https://*.analytics.google.com

connect-src Host —

https://osm.trainsplit.app

ASN | Cloudflare

connect-src Host —

https://osm-assets.trainsplit.app

ASN | Cloudflare

connect-src Host —

https://railcards.trainsplit.com

ASN | Google Cloud

connect-src Host —

https://railcards.development.trainsplit.com

ASN | Google Cloud

connect-src Host —

https://railcards.staging.trainsplit.com

ASN | Google Cloud

connect-src Host

hCaptcha

https://hcaptcha.com

ASN | Cloudflare

connect-src Host

hCaptcha

https://*.hcaptcha.com

ASN | Cloudflare

font-src Keyword —

'self'

font-src Host

Google Fonts

https://fonts.gstatic.com

font-src Host

jsDelivr

https://cdn.jsdelivr.net

font-src Host —

https://rsms.me

ASN | Cloudflare

form-action Keyword —

'self'

form-action Host

Google Sign-In

https://accounts.google.com

img-src Keyword —

'self'

img-src Scheme —

data:

img-src Host —

https://raileasyapi.apidev.trainsplit.com

ASN | Google Cloud

img-src Host

Google Analytics

https://*.google-analytics.com

img-src Host —

https://raileasyapi.api.trainsplit.com

ASN | Google Cloud

img-src Host —

https://directus.trainsplit.com

img-src Host —

https://trainsplit.com

ASN | Google Cloud

img-src Host

Google Cloud Storage

https://play-lh.googleusercontent.com/

img-src Host

Google Tag Manager

https://*.googletagmanager.com

media-src Keyword —

'self'

media-src Host —

https://directus.trainsplit.com

object-src Keyword —

'none'

frame-ancestors Keyword —

'self'

frame-src Host —

*

frame-src Host —

https://timetables.trainsplit.com

ASN | Google Cloud

frame-src Host —

https://timetables.trainsplit.dev

ASN | Google Cloud

frame-src Host —

https://timetables.staging.trainsplit.com

ASN | Google Cloud

frame-src Host

Firebase

https://trainsplit.firebaseapp.com

frame-src Host

Firebase

https://trainsplitcorporate.firebaseapp.com

frame-src Host

Firebase

https://trainsplitcorporatepro.firebaseapp.com

frame-src Host —

https://www.stay22.com

ASN | Cloudflare

frame-src Host

hCaptcha

https://hcaptcha.com

ASN | Cloudflare

frame-src Host

hCaptcha

https://*.hcaptcha.com

ASN | Cloudflare

frame-src Host —

https://seatselector.trainsplit.com

ASN | Google Cloud

frame-src Host —

https://seatselector-test.trainsplit.com

ASN | Google Cloud

frame-src Host —

https://seatselector.trainsplit.dev

ASN | Google Cloud

frame-src Host

YouTube

https://www.youtube.com

frame-src Host

Stripe

https://js.stripe.com

frame-src Host

Stripe

https://hooks.stripe.com

frame-src Host

G Workspace

https://docs.google.com/forms/

frame-src Host

Google Sign-In

https://accounts.google.com

frame-src Host

Cloudflare Turnstile

https://challenges.cloudflare.com

ASN | Cloudflare

worker-src Keyword —

'self'

worker-src Scheme —

blob:

base-uri Keyword —

'self'

report-uri Host —

https://sentry.services.trainsplit.com/api/3/security/?sentry_key=2ebbd667730e81902c8ef1cf84e4c313

ASN | Google Cloud

Content-Security-Policy-Report-Only

No report-only CSP headers found.