HTTP Headers Analysis for https://api.lemlist.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000;

Content-Security-Policy

Basic

default-src; script-src; connect-src; +5 more

default-src 'self' blob: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com https://*.usejimo.com https://*.usesjimo.com https://bat.bing.com; connect-src * 'self' blob: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com wss://*.verisoul.ai; img-src data: 'self' blob: http://* https://* https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com; style-src 'self' 'unsafe-inline' blob: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com; font-src 'self' blob: data: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com; frame-ancestors 'self' blob: chrome-extension: https://*.hubspoteditor.com https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com; frame-src 'self' blob: https://auth.lempire.com https://app.lemlist.com https://app.lemwarm.com https://app.lemcal.com https://app.lemgod.com https://*.rudderlabs.com https://*.cloudfront.net/v6/bugsnag.min.js https://*.doubleclick.net https://*.googleadservices.com https://www.googletagmanager.com https://static.ads-twitter.com http://*.google-analytics.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com https://js.stripe.com https://*.lemlist.com https://*.crisp.chat https://*.drift.com https://*.driftt.com https://*.driftqa.com https://*.intercom.io https://*.intercomcdn.com https://intercom-sheets.com https://*.facebook.net https://*.youtube.com https://youtube.com https://*.youtu.be https://youtu.be https://*.ytimg.com https://*.vimeo.com https://*.loom.com https://*.jquery.com https://*.amazonaws.com https://*.calendly.com https://calendly.com https://*.hubspot.com https://*.hsappstatic.net https://*.vidyard.com https://*.wistia.com https://*.outreach.io https://*.typeform.com https://*.salesforce.com https://zapier.com https://*.zapier.com https://*.linkedin.com https://*.hotjar.com:* https://*.hotjar.io wss://*.hotjar.com https://*.hs-analytics.net https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js https://*.twitter.com https://*.lemcal.com https://lemcal.webflow.io https://media.licdn.com https://senja-assets.b-cdn.net https://*.senja.io https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/hls.js@1 https://app.supademo.com https://*.clarity.ms https://embed.typeform.com https://dms.licdn.com https://*.hubspoteditor.com https://*.r2.cloudflarestorage.com https://*.verisoul.ai https://*.lightning.force.com https://*.my.salesforce.com https://*.visual.force.com https://cdn.jsdelivr.net/npm/react-scan/dist/auto.global.js https://*.default.com https://*.usejimo.com https://*.usesjimo.com https://*.aircall.io https://*.ringover.com https://*.justcall.io https://www.g2.com https://compliance-embed-poc-2156-dev.twil.io;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

0 headers

No caching headers found

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cflb=02DiuDD9PfrVSUaYK1tmRRWgfqNrq7WxSEEhGAAZ6XLCQ; HttpOnly; SameSite=Lax; Path=/; Expires=Sat, 17 Jan 2026 11:42:49 GMT

Other Headers

6 headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bf3302acd70c99b-IAD

Date

Other

Sat, 17 Jan 2026 04:42:49 GMT

Nel

Other

{"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}

Report-To

Other

{"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=v92g2ummyL6Y4CYIv4hdaVFwW%2F%2FTQIlChcfHC%2F%2Binsi2%2FqC45NNooAu1ryMV4e8SPPEBwoqqmkRBmFlsGgCCEzaSAs9Kg4%2FqAL3nEsm9"}]}

X-Cache-Debug

Other

app.main.cf

Recommendations

Enable compression (gzip/brotli) to improve performance

Add Cache-Control header to optimize caching