27 Headers

HTTP Security Headers

Header | Status | Value
Strict-Transport-Security | Excellent | max-age=31536000; includeSubDomains; preload
Content-Security-Policy | Weak | frame-ancestors
X-Frame-Options | Good | SAMEORIGIN
X-Content-Type-Options | Good | nosniff
Referrer-Policy | Good | strict-origin-when-cross-origin
Permissions-Policy | Missing | Not configured
Recommendations
  • Significantly strengthen CSP directives
  • Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers
Connection | Performance | close
Transfer-Encoding | Performance | chunked
Vary | Performance | Accept-Encoding, Origin

Caching Headers

3 headers
Age | Caching | 14814
Cache-Control | Caching | max-age=0, private, must-revalidate
Last-Modified | Caching | Thu, 08 Jan 2026 21:09:48 GMT

Content Headers

1 header
Content-Type | Content | text/html

Server Headers

2 headers
Server | Server | cloudflare
X-Runtime | Server | 0.170536

CORS Headers

0 headers
No CORS headers found

Cookies Headers

1 header
Set-Cookie | Cookies | __cf_bm=jr5zbXKJluBm8Kf6GyxDYMsQpnHGuQr4sUaqXbRYxcQ-1767921402-1.0.1.1-8QEPjxTh8zDn3kPvP0.9gnrRQ6MbBXrIUOp_OlCC9Ve0NZL5x0IAoEHYFFpwYE5ujvIZJcKyojR26rcyaBXqIJLevVTRbcZmfXjgkCstqlY; path=/; expires=Fri, 09-Jan-26 01:46:42 GMT; domain=.rootly.com; HttpOnly; Secure; SameSite=None

Other Headers

11 headers
Alt-Svc | Other | h3=":443"; ma=86400
Cf-Cache-Status | Other | DYNAMIC
Cf-Ray | Other | 9bb0173b08ef8245-IAD
Content-Security-Policy-Report-Only | Other | default-src 'none'; base-uri 'self'; child-src 'self' https:; connect-src 'self' https: https://*.usepylon.com wss://*.pusher.com wss://*.collab.tiptap.cloud; font-src 'self' https: data: https://*.usepylon.com; form-action 'self' https:; frame-ancestors 'self' *.datadoghq.com; frame-src 'self' https:; img-src 'self' https: data: blob: https://*.usepylon.com https://pylon-avatars.s3.us-west-1.amazonaws.com https://d3vl36l12sfx26.cloudfront.net; manifest-src 'self'; media-src 'self' https: data:; object-src 'none'; script-src 'self' https: https://widget.usepylon.com unpkg.com cdn.tailwindcss.com www.googletagmanager.com *.rootly.com cdn.jsdelivr.net *.rootly.cn *.rootly.net.cn api.segment.io cdn.segment.com 'nonce-OpQzWEb+LkK4zLcjWX6CTQ=='; style-src 'self' https: 'unsafe-inline' https://*.usepylon.com; worker-src 'self' https:; report-uri https://csp-report.browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pubcc1b8f1c2f10afdc6b082eb2129d0b40&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=environment:production&service:rootly-api
Date | Other | Fri, 09 Jan 2026 01:16:42 GMT
Surrogate-Control | Other | max-age=432000
Surrogate-Key | Other | webflow.rootly.com 65eb28a668c15a253c5417a6 pageId:68aac9a4fb7e86bf4cfd2caf 65eead504a77785f4df7dca4 65f0353e536fb555d0e6eed5 66600c304354301e7cb1f505 661e53cbc8ac093dfc5e0d73
X-Cluster-Name | Other | us-east-1-prod-hosting-red
X-Lambda-Id | Other | b31309e4-d856-4f44-9874-ae2abc01afb4
X-Permitted-Cross-Domain-Policies | Other | none
X-Request-Id | Other | 9dae7216-833c-450e-88c3-a6a5d016b9e2

Recommendations

Enable compression (gzip/brotli) to improve performance