HTTP Headers Analysis for https://api.padlet.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000; includeSubDomains; preload

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding, Accept-Language

Caching Headers

1 headers

Cache-Control

Caching

max-age=0, private, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

cloudflare

X-Runtime

Server

0.062011

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=KyNS43ffRb9nTwjdIP_pbNW2Q.MH3fL4Yk1j61RDxGE-1769194582-1.0.1.1-.vP2OCIPfEbsBKBXviPJgXwl356Dwozi.ssgD5Nsis2W_M8iyHkqR6DS5jeiHScmCY97r13Lz1x5GSxx4FzpIQxpzx81uZ_UgDwrF_UVarnx5iolVx1BVyhvtoHFdwtI; path=/; expires=Fri, 23-Jan-26 19:26:22 GMT; domain=.padlet.com; HttpOnly; Secure; SameSite=None

Other Headers

15 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

MISS

Cf-Ray

Other

9c2982b94d1123d0-IAD

Content-Security-Policy-Report-Only

Other

script-src 'self' padlet.net maps.googleapis.com apis.google.com ta-echo.padlet.com api.commandbar.com cdn.commandbar.com app.getbeamer.com challenges.cloudflare.com embed.cloudflarestream.com cdn.usefathom.com blob: 'unsafe-inline' 'unsafe-eval'; style-src 'self' padlet.net fonts.googleapis.com cdn.commandbar.com app.getbeamer.com 'unsafe-inline'; font-src 'self' padlet.net fonts.gstatic.com data:; report-uri https://padlet.com/csp-report;

Date

Other

Fri, 23 Jan 2026 18:56:22 GMT

Link

Other

<https://padlet.net/ui/assets/landside-Cew6_UG2.js>; rel=modulepreload; as=script; crossorigin=anonymous; nopush,<https://padlet.net/ui/assets/landside-BKtLm9aT.css>; rel=preload; as=style; nopush,<https://padlet.net/ui/assets/tailwind-CS-Ih9O0.css>; rel=preload; as=style; nopush,<https://padlet.net/ui/assets/OzIcon-Dg2mQp41.css>; rel=preload; as=style; nopush,<https://padlet.net/ui/assets/OzPadletLogo-CTWHZv6G.css>; rel=preload; as=style; nopush,<https://padlet.net/ui/assets/OzOverlay-BCcFiH3u.css>; rel=preload; as=style; nopush,<https://padlet.net/ui/assets/OzInput-CH0qDiel.css>; rel=preload; as=style; nopush,<https://padlet.net/fonts/inter/subset/inter-latin.woff2>;rel="preload";as="font";crossorigin,<https://padlet.net/fonts/inter/subset/inter-latin.woff2>; rel=preload; as=font; type=font/woff2; crossorigin=anonymous

P3p

Other

CP="IDC DSP COR CURa ADMa OUR NOR ONL COM"

Via

Other

1.1 google

Ww-App-Version

Other

v-2601231005-6f286-production

Ww-Box

Other

mozart-web-5c6bcc7566-mwxr8

Ww-Cat

Other

landside

Ww-Qt

Other

low

X-Backend

Other

GKE-mozart-production

X-Permitted-Cross-Domain-Policies

Other

none

X-Request-Id

Other

1371e9f3-0f86-4f60-963c-8c67aed50c3a

Recommendations

Enable compression (gzip/brotli) to improve performance