16 Headers

HTTP Security Headers

Header                     Status     Value
Strict-Transport-Security  Excellent  max-age=31536000; includeSubDomains; preload
Content-Security-Policy    Missing    Not configured
X-Frame-Options            Missing    Not configured
X-Content-Type-Options     Good       nosniff
Referrer-Policy            Good       strict-origin-when-cross-origin
Permissions-Policy         Missing    Not configured
Recommendations
  • Add an enforcing Content-Security-Policy header to mitigate XSS attacks (a Content-Security-Policy-Report-Only header is present, but it only reports violations and does not block them)
  • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
  • Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Header             Category     Value
Connection         Performance  close
Transfer-Encoding  Performance  chunked
Vary               Performance  Accept-Encoding

Caching Headers

3 headers

Header         Category  Value
Cache-Control  Caching   no-cache, no-store
Expires        Caching   Fri, 01 Jan 1990 00:00:00 GMT
Pragma         Caching   no-cache

Content Headers

1 header

Header        Category  Value
Content-Type  Content   text/html; charset=utf-8

Server Headers

1 header

Header     Category  Value
X-Runtime  Server    0.010388

CORS Headers

0 headers
No CORS headers found

Cookies Headers

1 header

Header      Category  Value
Set-Cookie  Cookies   _gbs_session=1df87fa29dca20ea51d66c53af500d52; path=/; expires=Wed, 28 Jan 2026 04:32:09 -0000; secure; HttpOnly; SameSite=Lax

Other Headers

4 headers

Header                               Category  Value
Content-Security-Policy-Report-Only  Other     default-src 'self' *.getblueshift.com *.bsftstaging.com; base-uri 'self'; connect-src 'self' wss: https: *.beefree.io *.getbee.io *.getblueshift.com *.blueshift.com *.bsftstaging.com api.segment.io api.amplitude.com api-iam.intercom.io rum.browser-intake-datadoghq.com cdn.statuspage.io pm6tczjx7ntl.statuspage.io blueshiftsuccess.zendesk.com ekr.zendesk.com *.facebook.net *.prodpad.com *.google.com; font-src 'self' *.getblueshift.com *.bsftstaging.com *.googleapis.com fonts.gstatic.com *.typekit.net i.icomoon.io cdn.icomoon.io fonts.cdnfonts.com fonts.intercomcdn.com data:; form-action 'self' *.google.com; frame-ancestors 'self'; frame-src 'self' www.googletagmanager.com www.facebook.com *.getblueshift.com *.bsftstaging.com app.getbee.io *.google.com play.vidyard.com *.youtube.com; img-src 'self' data: https: *.getblueshift.com *.bsftstaging.com *.google.com; media-src 'self' *.getblueshift.com *.bsftstaging.com static2.dassets.com *.zdassets.com *.google.com play.vidyard.com *.youtube.com; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.getblueshift.com *.blueshift.com *.bsftstaging.com *.googleapis.com *.googletagmanager.com js.hs-scripts.com www.datadoghq-browser-agent.com *.beefree.io cdn.beefree.io *.getbee.io cdn.segment.com js.intercomcdn.com cdn.amplitude.com widget.intercom.io static.zdassets.com ekr.zdassets.com connect.facebook.net widget.prodpad.com cdn.statuspage.io assets.zendesk.com *.typekit.net *.google.com; style-src 'self' 'unsafe-inline' *.getblueshift.com *.bsftstaging.com *.googleapis.com fonts.googleapis.com *.typekit.net i.icomoon.io cdn.icomoon.io stackpath.bootstrapcdn.com *.beefree.io cdn.beefree.io *.google.com unpkg.com; report-uri /csp-violation-report
Date                                 Other     Tue, 27 Jan 2026 16:32:09 GMT
X-Permitted-Cross-Domain-Policies    Other     none
X-Request-Id                         Other     ea92ed6c-ddd5-43db-ad72-daf1d8e5cfd6

Recommendations
  • Enable compression (gzip/brotli) to improve performance; no Content-Encoding header was observed in the response