HTTP Headers Analysis for https://amanvari.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

default-src; worker-src; script-src; +9 more

default-src 'self' blob: *.aman-d8.my127.site *.brightcove.net *.brightcove.com *.boltdns.net *.akamaihd.net *.typekit.net *.nr-data.net *.buyatab.com *.aman.com *.quantummetric.com cloud.typography.com *.sojern.com 'unsafe-inline' 'unsafe-eval'; worker-src blob: *.aman.com *.rudderlabs.com; script-src 'self' 'unsafe-inline' blob: *.googleapis.com 'unsafe-eval' *.brightcove.net *.googletagmanager.com *.newrelic.com *.nr-data.net *.typekit.net *.buyatab.com *.aman.com *.ipstack.com *.quantummetric.com *.doubleclick.net *.googleadservices.com impactradius-event.com utt.impactcdn.com *.cinnox.com *.gstatic.com *.onetrust.com *.synxis.com *.recaptcha.net *.google.com logs-01.loggly.com ojrq.net *.zencdn.net *.thehotelsnetwork.com *.google-analytics.com https://d2wy8f7a9ursnm.cloudfront.net/v6/bugsnag.min.js *.analytics.google.com s.yimg.jp snap.licdn.com connect.facebook.net d.line-scdn.net p.relay-t.io js.sentry-cdn.com *.yahoo.co.jp *.clarity.ms bat.bing.com cdn.linkedin.oribi.io https://cdn.jsdelivr.net/gh/jonthornton/[email protected]/jquery.timepicker.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/intlTelInput-jquery.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/intlTelInput.min.js https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/js/utils.js fxgate.baidu.com secure-hotel-tracker.com newbooking.azds.com *.cinnox.cn https://*.googletagmanager.com aman-d8.my127.site browser.sentry-cdn.com *.visualwebsiteoptimizer.com app.vwo.com https://acsbapp.com https://accesswidget-log-receiver.acsbapp.com https://global.localizecdn.com https://js.appboycdn.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://js.adsrvr.org https://*.cloudflare.com https://*.metrics.brightcove.com api.mapbox.com js-agent.newrelic.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com *.sojern.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' cloud.typography.com *.buyatab.com *.aman.com *.cinnox.com *.googleapis.com *.bootstrapcdn.com *.synxis.com *.thehotelsnetwork.com https://cdn.jsdelivr.net/gh/jonthornton/[email protected]/jquery.timepicker.min.css https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/css/intlTelInput.min.css newbooking.azds.com cdnjs.cloudflare.com *.cinnox.cn *.aman-d8.my127.site *.visualwebsiteoptimizer.com app.vwo.com https://use.fontawesome.com api.mapbox.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com; img-src 'self' data: about: *.brightcove.net *.brightcove.com *.googletagmanager.com *.buyatab.com *.aman.com *.cinnox.com *.boltdns.net *.google-analytics.com *.onetrust.com *.thehotelsnetwork.com https://www.google.com https://www.google.com.uk https://www.google.co.uk https://px.ads.linkedin.com https://cdn.jsdelivr.net/gh/jackocnr/[email protected]/build/img/flags.png bat.bing.com tr.line.me ad.doubleclick.net doubleclick.net www.facebook.com *.clarity.ms newbooking.azds.com dbmajt85xhr99.cloudfront.net controlcenter-p1.synxis.com newbooking.azds.com dbmajt85xhr99.cloudfront.net d1t1qzzb2zwrre.cloudfront.net *.bing.com *.linkedin.com *.cinnox.cn https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com *.aman-d8.my127.site *.visualwebsiteoptimizer.com chart.googleapis.com app.vwo.com appboy-images.com braze-images.com cdn.braze.eu https://ade.googlesyndication.com *.mapbox.com https://*.cloudflare.com api.mapbox.com https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com; media-src 'self' blob: *.buyatab.com *.aman.com *.akamaihd.net *.boltdns.net *.aman-d8.my127.site *.brightcovecdn.com *.media.brightcove.com *.cf.brightcove.com; frame-src *; frame-ancestors 'self'; child-src *; font-src 'self' data: *.typekit.net *.aman.com *.gstatic.com *.cinnox.com *.thehotelsnetwork.com newbooking.azds.com dbmajt85xhr99.cloudfront.net d1t1qzzb2zwrre.cloudfront.net *.cinnox.cn *.aman-d8.my127.site https://use.fontawesome.com; connect-src 'self' *.aman.com *.boltdns.net *.thehotelsnetwork.com *.quantummetric.com *.akamaihd.net *.doubleclick.net *.google-analytics.com *.nr-data.net ws: 'unsafe-eval' *.googleapis.com *.onetrust.com *.synxis.com *.cinnox.com impactradius-event.com utt.impactcdn.com *.brightcove.com ojrq.net logs-01.loggly.com amanresorts.pxf.io sessions.bugsnag.com p.relay-t.io cdn.linkedin.oribi.io pagead2.googlesyndication.com *.clarity.ms newbooking.azds.com *.analytics.google.com *.cinnox.cn https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com *.aman-d8.my127.site px.ads.linkedin.com am.yahoo.co.jp *.visualwebsiteoptimizer.com app.vwo.com https://cdn.acsbapp.com/config/stage.www.aman.com/config.json https://cdn.acsbapp.com/cache/app/wildcards.json https://sdk.iad-01.braze.com https://sdk.fra-02.braze.eu https://www.facebook.com *.mapbox.com p.typekit.net use.typekit.net fastly-signed-eu-west-1-prod.brightcovecdn.com *.brightcovecdn.com insight.adsrvr.org bat.bing.com apm.yahoo.co.jp https://tags.srv.stackadapt.com https://srv.stackadapt.com https://ap.srv.stackadapt.com https://east.srv.stackadapt.com https://uw.srv.stackadapt.com https://eu.srv.stackadapt.com https://qvdt3feo.com *.sojern.com; upgrade-insecure-requests

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Cookie,Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

must-revalidate, no-cache, private

Expires

Caching

Sun, 19 Nov 1978 05:00:00 GMT

Last-Modified

Caching

Wed, 04 Feb 2026 09:33:55 GMT

Content Headers

2 headers

Content-Language

Content

en

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

13 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

MISS

Cf-Ray

Other

9c892b4abeb05ceb-IAD

Date

Other

Wed, 04 Feb 2026 09:33:55 GMT

Link

Other

<https://www.aman.com/resorts/amanvari>; rel="alternate"; hreflang="en", <https://www.aman.com/zh-cn/resorts/amanvari>; rel="alternate"; hreflang="zh-hans", <https://www.aman.com/ja-jp/resorts/amanvari>; rel="alternate"; hreflang="ja", <https://www.aman.com/resorts/amanvari>; rel="alternate"; hreflang="en-gb", <https://www.aman.com/resorts/amanvari>; rel="alternate"; hreflang="en-gb", <https://www.aman.com/resorts/amanvari>; rel="alternate"; hreflang="en-gb"

Speculation-Rules

Other

"/cdn-cgi/speculation"

Via

Other

varnish

X-Ah-Environment

Other

prod

X-Cache

Other

MISS

X-Drupal-Cache

Other

UNCACHEABLE (response policy)

X-Drupal-Dynamic-Cache

Other

UNCACHEABLE (poor cacheability)

X-Generator

Other

Drupal 11 (https://www.drupal.org)

X-Request-Id

Other

v-9f0ed482-01ac-11f1-8445-172f6d778d51

Recommendations

Enable compression (gzip/brotli) to improve performance