HTTP Headers Analysis for https://api.figured.com

Detected Technologies from Headers

See all in URL Inspect 28

AWS CloudFront

Cloudflare NEL Monitoring

AWS

Bugsnag

Cloudflare CDN

Dropbox

Facebook

Font Awesome

Fullstory

GitHub

Google Analytics

Google Cloud Storage

Google Conversion Tracking

Google DoubleClick

Google Fonts

Google Maps

Google Search

Google Static File Front End

Google Tag Manager

Intercom

jQuery

jsDelivr

New Relic

Pusher

Sentry

Vimeo

YouTube

Google Cloud

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000

Content-Security-Policy

Missing

Not configured Analyze

Content-Security-Policy-Report-Only

Basic

default-src; script-src; img-src; +11 more Analyze

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

X-Inertia

connection: close
transfer-encoding: chunked
vary: X-Inertia

Caching Headers

Cache-Control

Caching

no-cache, private

cache-control: no-cache, private

Content Headers

Content-Type

Content

text/html; charset=utf-8

content-type: text/html; charset=utf-8

Server Headers

Server

cloudflare

server: cloudflare

CORS Headers

No CORS headers found

Cookies Headers

Set-Cookie

Cookies

set-cookie: XSRF-TOKEN=eyJpdiI6Inl3bG1RejY3YnRRQjdJV1JWMUtyZ2c9PSIsInZhbHVlIjoiZmlzNFlnUTBlUmV3UHRDMGVUdmdYczRSK0Z1RE0yYlhER0h6bjZ3VTU0Rml4b1UxamthT0dwSW13eUFKNmlybWphY0VUb1NMMjNxQy9SeUUyUVA5WXE0cU4vaEZQUjZaajRzL05ncTlHRmRtVE03dDRidmNMd0xuWFBCS200T08iLCJtYWMiOiJhMDUzMzFmNmE5ZjIxZjMwNzBhYzg4NjhjYWI5ZmNjZWVkYTBhYWUxOTY0ZmY5YWFmNTVlNWJkYmEzNTkzMzJhIiwidGFnIjoiIn0%3D; expires=Fri, 08 May 2026 19:25:57 GMT; Max-Age=3600; path=/; secure; samesite=lax
fig_session=eyJpdiI6InRpSUpWMXBhNGdJZFlHMkNDbHExR2c9PSIsInZhbHVlIjoiMDRGRVppRkxHdE1pakZJaFNhbTlWWG1LZVM3ODcvdUJCWjQ0YytkakMxWG1VWGtwbVFVWmZKODUrYVQ3NkxoWDNHVVI1OFFobFJrWnI0OUptKzBhV1laQ1lrU3gyMCt5djErU1lFQnMwTGsvejlwVklTYzV4Q1hlc1RVL3d4MU4iLCJtYWMiOiJhZWIyZTBhNWJlNzYyMThmYWZjYzQzNmEzMzM5MTRkNzNmMmM3NGFlZDhmNjdiZTBiZjc1NjU3NjRlMDZiNmQwIiwidGFnIjoiIn0%3D; expires=Fri, 08 May 2026 19:25:57 GMT; Max-Age=3600; path=/; secure; httponly; samesite=lax

Other Headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9f8a82840e7c0bfe-IAD

Date

Other

Fri, 08 May 2026 18:25:57 GMT

Nel

Other

Report-To Group cf-nel max-age: 1w

success: 0.0%

Report-To

Other

Group cf-nel max-age: 1w

Endpoint 1 https://a.nel.cloudflare.com/report/v4?s=ghip1npUz57dFtQ2bXhiW%2FuEEeDrwut48xuS9VrEUzX7q1NoTL7Y6ZZpxTVwONlhV9%2F87SCEficIoBEOLDQSuAbfQ9rCXkXW%2FT5yoz%2FWe8gnGII3VwoNBwGNnDSr%2FikLXA%3D%3D

Via

Other

1.1 google

X-Content-Security-Policy-Report-Only

Other

default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://widget.intercom.io https://js.intercomcdn.com https://*.fullstory.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://www.google.com https://www.gstatic.com https://connect.facebook.net https://*.newrelic.com https://*.nr-data.net https://*.pusher.com https://inlinemanual.com https://www.googleadservices.com https://*.ezidebit.com.au https://*.jsdelivr.net https://kit.fontawesome.com https://code.jquery.com https://maps.googleapis.com https://fip-static.figured.com; img-src 'self' data: blob: https: https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.us-west-2.amazonaws.com; style-src 'self' 'unsafe-inline' data: https://fonts.googleapis.com https://*.cloudfront.net https://kit-pro.fontawesome.com https://fip-static.figured.com; child-src 'self' blob:; connect-src 'self' https://my.figured.com wss://*.pusher.com wss://*.pusher.com:443 https://*.pusher.com wss://*.intercom.io https://*.intercom.io https://*.intercomcdn.com https://*.intercom-messenger.com wss://*.intercom-messenger.com https://sentry.io https://*.sentry.io https://*.facebook.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://*.doubleclick.net https://analytics.inlinemanual.com https://*.newrelic.com https://*.nr-data.net https://sessions.bugsnag.com https://maps.googleapis.com https://data.linz.govt.nz https://*.fullstory.com https://fip-static.figured.com https://storage.googleapis.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.us-west-2.amazonaws.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://dl.dropboxusercontent.com https://kit-pro.fontawesome.com https://raw.githubusercontent.com/adobe-fonts/source-sans/release/OTF/SourceSans3-Black.otf https://fip-static.figured.com; frame-src 'self' https://www.facebook.com https://*.doubleclick.net https://www.google.com https://www.google.co.nz https://*.analytics.google.com https://analytics.google.com https://*.vimeo.com https://intercom-sheets.com https://api.dev-icbf.com https://api.icbf.com blob: https://www.youtube.com https://storage.googleapis.com; media-src 'self' https://intercomcdn.com https://*.intercomcdn.com https://*.vimeo.com; worker-src blob: https://*.jsdelivr.net; report-uri https://api.figured.com/csp/violation-reports; object-src 'self' https://storage.googleapis.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' data: https://widget.intercom.io https://js.intercomcdn.com https://*.fullstory.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://www.google.com https://www.gstatic.com https://connect.facebook.net https://*.newrelic.com https://*.nr-data.net https://*.pusher.com https://inlinemanual.com https://www.googleadservices.com https://*.ezidebit.com.au https://*.jsdelivr.net https://kit.fontawesome.com https://code.jquery.com https://maps.googleapis.com https://fip-static.figured.com; style-src-elem 'self' 'unsafe-inline' data: https://fonts.googleapis.com https://*.cloudfront.net https://kit-pro.fontawesome.com https://fip-static.figured.com

cf-cache-status: DYNAMIC
cf-ray: 9f8a82840e7c0bfe-IAD
date: Fri, 08 May 2026 18:25:57 GMT
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=ghip1npUz57dFtQ2bXhiW%2FuEEeDrwut48xuS9VrEUzX7q1NoTL7Y6ZZpxTVwONlhV9%2F87SCEficIoBEOLDQSuAbfQ9rCXkXW%2FT5yoz%2FWe8gnGII3VwoNBwGNnDSr%2FikLXA%3D%3D"}]}
via: 1.1 google
x-content-security-policy-report-only: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://widget.intercom.io https://js.intercomcdn.com https://*.fullstory.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://www.google.com https://www.gstatic.com https://connect.facebook.net https://*.newrelic.com https://*.nr-data.net https://*.pusher.com https://inlinemanual.com https://www.googleadservices.com https://*.ezidebit.com.au https://*.jsdelivr.net https://kit.fontawesome.com https://code.jquery.com https://maps.googleapis.com https://fip-static.figured.com; img-src 'self' data: blob: https: https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.us-west-2.amazonaws.com; style-src 'self' 'unsafe-inline' data: https://fonts.googleapis.com https://*.cloudfront.net https://kit-pro.fontawesome.com https://fip-static.figured.com; child-src 'self' blob:; connect-src 'self' https://my.figured.com wss://*.pusher.com wss://*.pusher.com:443 https://*.pusher.com wss://*.intercom.io https://*.intercom.io https://*.intercomcdn.com https://*.intercom-messenger.com wss://*.intercom-messenger.com https://sentry.io https://*.sentry.io https://*.facebook.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://*.doubleclick.net https://analytics.inlinemanual.com https://*.newrelic.com https://*.nr-data.net https://sessions.bugsnag.com https://maps.googleapis.com https://data.linz.govt.nz https://*.fullstory.com https://fip-static.figured.com https://storage.googleapis.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.us-west-2.amazonaws.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://dl.dropboxusercontent.com https://kit-pro.fontawesome.com https://raw.githubusercontent.com/adobe-fonts/source-sans/release/OTF/SourceSans3-Black.otf https://fip-static.figured.com; frame-src 'self' https://www.facebook.com https://*.doubleclick.net https://www.google.com https://www.google.co.nz https://*.analytics.google.com https://analytics.google.com https://*.vimeo.com https://intercom-sheets.com https://api.dev-icbf.com https://api.icbf.com blob: https://www.youtube.com https://storage.googleapis.com; media-src 'self' https://intercomcdn.com https://*.intercomcdn.com https://*.vimeo.com; worker-src blob: https://*.jsdelivr.net; report-uri https://api.figured.com/csp/violation-reports; object-src 'self' https://storage.googleapis.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' data: https://widget.intercom.io https://js.intercomcdn.com https://*.fullstory.com https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com https://analytics.google.com https://www.google.com https://www.gstatic.com https://connect.facebook.net https://*.newrelic.com https://*.nr-data.net https://*.pusher.com https://inlinemanual.com https://www.googleadservices.com https://*.ezidebit.com.au https://*.jsdelivr.net https://kit.fontawesome.com https://code.jquery.com https://maps.googleapis.com https://fip-static.figured.com; style-src-elem 'self' 'unsafe-inline' data: https://fonts.googleapis.com https://*.cloudfront.net https://kit-pro.fontawesome.com https://fip-static.figured.com

Recommendations

Enable compression (gzip/brotli) to improve performance