HTTP Headers Analysis for https://api-explorer.xero.com

Detected Technologies from Headers

See all in URL Inspect 11

Akamai

Facebook

Google Analytics

Google DoubleClick

Google Fonts

Google Search

Google Tag Manager

LaunchDarkly

Mixpanel

New Relic

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Good

default-src; frame-ancestors; script-src; +3 more Analyze

Content-Security-Policy-Report-Only

Missing

Not configured Analyze

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Strengthen CSP by removing 'unsafe-eval'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

Connection

Performance

close

connection: close

Caching Headers

Cache-Control

Caching

no-cache, no-store

Pragma

Caching

no-cache

cache-control: no-cache, no-store
pragma: no-cache

Content Headers

Content-Length

Content

40601

Content-Type

Content

text/html; charset=utf-8

content-length: 40601
content-type: text/html; charset=utf-8

Server Headers

No server headers found

CORS Headers

No CORS headers found

Cookies Headers

Set-Cookie

Cookies

Device 7286e55c-749e-49ac-b374-35853324978d

path=/ domain=.xero.com samesite=none secure httponly expires=4y

.AspNetCore.Antiforgery.C9aXng5w_sY CfDJ8MW7anmhPGpJpg9t0dJ4fkQfJR2hvd0Qe4VYTAWTZTmniwKf1VATmLzJCqRTK_JNTFSf7bXmoo6IeTBTz2AbrG1XRJrZMrU8j9VGJpUFSTYZGKZjbC5RcpJPZQLqID5gfdeGWjIPSm0gvEkZIJKN5Uc

path=/identity samesite=strict httponly

_abck 55BD1A0616698F8FB1A20F4B1E229244~-1~YAAQ1mncF6t+Bf2dAQAASEpBFA+l+McbmHc3auvOMVbYVTttBs3UfYEaxwOFUTdZ06xR+xb1bfUn5IvDiPFsLNPJJUsPA3uCtyL03Pa738RgNcgH+5Jd1ZvD4ithi0jQgyXnjlbqmq5bbBsqdwwYN7srFnOwZbzOVU2MZox7TbFcGOVtZ5dTu/SeoLOh34AQaYJ44LXUmE0KqQwhXytjKrd7ITx/OJ+P3vfuhOzKgHSc0I6wNvfhOaNGWWssDk7J2YvH4ORI3rr74qB/+oBn0X7WP4mTJjMOQOl2VJ8Yt8C+eS/nC0eeOyVjDgx9oghtC1rBxuyS2RYxdpXQGHXuKSv4GFVJXYEgsB0kXdk1j8JdVUQ7y8zzkwzneG5gNjHKVVE4ECYqwAXyoquA6iC5ZXVrA3Tdf+CMq4L3EjhWl3ucsCh/u8LbsLQaS6JIgjNEm05Z~-1~-1~-1~-1~-1

Path=/ Domain=.xero.com SameSite=None Secure Max-Age=52w Expires=52w

bm_sz 52973E7F866C9DC8576E05917DEDCE18~YAAQ1mncF6x+Bf2dAQAASEpBFB/B9HR2GteEPcnS3c7YW0YAb4CZlsbMiGrUHO3yFGPbMFXY4zXutYdltmaVXUReCSCbNg/4awdJEN+B9s3gtPHMUGBUeVzRvmh12tDNkMbOY3zPoQX+b7MBihMvPTofMTNO6fipMUd3oIHUg+02XJ/LcAwOiUX3HH28WWEgKqZNSMFHfO+suLSFHA0ZzIilbabtegh+qghjKPPt7jsOJVxWTLC/1fxflBRu/4rdfjtd/hCCJ8htrBscwk5bHiR8f54/MgzHw6e8Gyt8gIqvIoXubOtNfElrzAH5ydCs28/Ea8da7GTKxFFMTaS/Qa4PmWcdhEZPOjvQLg==~4604209~3294534

Path=/ Domain=.xero.com SameSite=None Secure Max-Age=4h Expires=4h

set-cookie: Device=7286e55c-749e-49ac-b374-35853324978d; expires=Sat, 10 May 2031 23:38:03 GMT; domain=.xero.com; path=/; secure; samesite=none; httponly
.AspNetCore.Antiforgery.C9aXng5w_sY=CfDJ8MW7anmhPGpJpg9t0dJ4fkQfJR2hvd0Qe4VYTAWTZTmniwKf1VATmLzJCqRTK_JNTFSf7bXmoo6IeTBTz2AbrG1XRJrZMrU8j9VGJpUFSTYZGKZjbC5RcpJPZQLqID5gfdeGWjIPSm0gvEkZIJKN5Uc; path=/identity; samesite=strict; httponly
_abck=55BD1A0616698F8FB1A20F4B1E229244~-1~YAAQ1mncF6t+Bf2dAQAASEpBFA+l+McbmHc3auvOMVbYVTttBs3UfYEaxwOFUTdZ06xR+xb1bfUn5IvDiPFsLNPJJUsPA3uCtyL03Pa738RgNcgH+5Jd1ZvD4ithi0jQgyXnjlbqmq5bbBsqdwwYN7srFnOwZbzOVU2MZox7TbFcGOVtZ5dTu/SeoLOh34AQaYJ44LXUmE0KqQwhXytjKrd7ITx/OJ+P3vfuhOzKgHSc0I6wNvfhOaNGWWssDk7J2YvH4ORI3rr74qB/+oBn0X7WP4mTJjMOQOl2VJ8Yt8C+eS/nC0eeOyVjDgx9oghtC1rBxuyS2RYxdpXQGHXuKSv4GFVJXYEgsB0kXdk1j8JdVUQ7y8zzkwzneG5gNjHKVVE4ECYqwAXyoquA6iC5ZXVrA3Tdf+CMq4L3EjhWl3ucsCh/u8LbsLQaS6JIgjNEm05Z~-1~-1~-1~-1~-1; Domain=.xero.com; Path=/; Expires=Mon, 10 May 2027 23:38:03 GMT; Max-Age=31536000; SameSite=None; Secure
bm_sz=52973E7F866C9DC8576E05917DEDCE18~YAAQ1mncF6x+Bf2dAQAASEpBFB/B9HR2GteEPcnS3c7YW0YAb4CZlsbMiGrUHO3yFGPbMFXY4zXutYdltmaVXUReCSCbNg/4awdJEN+B9s3gtPHMUGBUeVzRvmh12tDNkMbOY3zPoQX+b7MBihMvPTofMTNO6fipMUd3oIHUg+02XJ/LcAwOiUX3HH28WWEgKqZNSMFHfO+suLSFHA0ZzIilbabtegh+qghjKPPt7jsOJVxWTLC/1fxflBRu/4rdfjtd/hCCJ8htrBscwk5bHiR8f54/MgzHw6e8Gyt8gIqvIoXubOtNfElrzAH5ydCs28/Ea8da7GTKxFFMTaS/Qa4PmWcdhEZPOjvQLg==~4604209~3294534; Domain=.xero.com; Path=/; Expires=Mon, 11 May 2026 03:38:03 GMT; Max-Age=14400; SameSite=None; Secure

Other Headers

Akamai-Grn

Other

0.d669dc17.1778456283.2b5e5ace

Date

Other

Sun, 10 May 2026 23:38:03 GMT

X-Akamai-Transformed

Other

0 - 0 -

X-Client-Ip

Other

42056

Xero-Activity-Id

Other

e262c143457f47deaf7538617dc1d62e

Xero-Causation-Id

Other

6ec7c7b9e5ad4ad9b627890325dc9b50

Xero-Correlation-Id

Other

f3adb7c363744704b4eac7ca39dd37ec

Xero-Message-Id

Other

6a94d02b90b64ce98202afe15ba3e0c5

Xero-Origin-Id

Other

IdentityServer.Web

akamai-grn: 0.d669dc17.1778456283.2b5e5ace
date: Sun, 10 May 2026 23:38:03 GMT
x-akamai-transformed: 0 - 0 -
x-client-ip: 42056
xero-activity-id: e262c143457f47deaf7538617dc1d62e
xero-causation-id: 6ec7c7b9e5ad4ad9b627890325dc9b50
xero-correlation-id: f3adb7c363744704b4eac7ca39dd37ec
xero-message-id: 6a94d02b90b64ce98202afe15ba3e0c5
xero-origin-id: IdentityServer.Web

Recommendations

Enable compression (gzip/brotli) to improve performance