HTTP Headers Analysis for https://api.ynab.com

Detected Technologies from Headers

See all in URL Inspect 21

Gravatar

YouTube

Amplitude

Amazon S3

Castle

Cloudflare CDN

Cloudflare Stream

Datadog

Forethought

GIPHY

Google API JS Client

Google Fonts

Google Sign-In

Heroku

jsDelivr

Kustomer

OneTrust

Plaid

Recurly

Rollbar

Stripe

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=63072000; includeSubDomains

Content-Security-Policy

Basic

upgrade-insecure-requests; base-uri; default-src; +11 more Analyze

Content-Security-Policy-Report-Only

Missing

Not configured Analyze

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

connection: close
transfer-encoding: chunked
vary: Accept-Encoding

Caching Headers

Cache-Control

Caching

no-cache

cache-control: no-cache

Content Headers

Content-Type

Content

text/html; charset=utf-8

content-type: text/html; charset=utf-8

Server Headers

Server

cloudflare

X-Runtime

Server

0.007071

server: cloudflare
x-runtime: 0.007071

CORS Headers

No CORS headers found

Cookies Headers

No cookies headers found

Other Headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9f77ab19cef27b4b-IAD

Date

Other

Wed, 06 May 2026 11:33:08 GMT

Heroku-Connect-Time

Other

0.517

Heroku-Desired-Backends

Other

4

Heroku-Dyno-Id

Other

30d24ea7-dc83-4fba-9798-9c697db8b372

Heroku-Dyno-Name

Other

web.1

Heroku-Router-Availability-Zone

Other

us-east-1f

Heroku-Router-Instance-Name

Other

router.2446829

Heroku-Sid

Other

va02

Link

Other

URL /assets/papi-44be7a1325e09dd94749afa0574cdcfb57fd7fef1a9b752f31aeb664e725d1e8.css

rel=preload as=style nopush

Nel

Other

Report-To Group heroku-nel max-age: 1h

success: 1.0% failure: 10.0%

Report-To

Other

Group heroku-nel max-age: 1h

Endpoint 1 https://nel.heroku.com/reports?s=1lUSrQSbKVMQr3BIUgLDDgNJqsbFtb0sku95%2FIlH0DE%3D&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&ts=1778067188

Reporting-Endpoints

Other

heroku-nel="https://nel.heroku.com/reports?s=1lUSrQSbKVMQr3BIUgLDDgNJqsbFtb0sku95%2FIlH0DE%3D&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&ts=1778067188"

Via

Other

2.0 heroku-router

X-Permitted-Cross-Domain-Policies

Other

none

X-Request-Id

Other

cb60a650-84a4-a609-61ad-63994c9396dc

alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 9f77ab19cef27b4b-IAD
date: Wed, 06 May 2026 11:33:08 GMT
heroku-connect-time: 0.517
heroku-desired-backends: 4
heroku-dyno-id: 30d24ea7-dc83-4fba-9798-9c697db8b372
heroku-dyno-name: web.1
heroku-router-availability-zone: us-east-1f
heroku-router-instance-name: router.2446829
heroku-sid: va02
link: </assets/papi-44be7a1325e09dd94749afa0574cdcfb57fd7fef1a9b752f31aeb664e725d1e8.css>; rel=preload; as=style; nopush
nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
report-to: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=1lUSrQSbKVMQr3BIUgLDDgNJqsbFtb0sku95%2FIlH0DE%3D\u0026sid=af571f24-03ee-46d1-9f90-ab9030c2c74c\u0026ts=1778067188"}],"max_age":3600}
reporting-endpoints: heroku-nel="https://nel.heroku.com/reports?s=1lUSrQSbKVMQr3BIUgLDDgNJqsbFtb0sku95%2FIlH0DE%3D&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&ts=1778067188"
via: 2.0 heroku-router
x-permitted-cross-domain-policies: none
x-request-id: cb60a650-84a4-a609-61ad-63994c9396dc

Recommendations

Enable compression (gzip/brotli) to improve performance