HTTP Headers Analysis for https://app.cuseum.com

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Weak

frame-ancestors Analyze

Content-Security-Policy-Report-Only

Missing

Not configured Analyze

X-Frame-Options

Present

ALLOW-FROM vanderbiltmuseum.mp.cuseum.com njit.mp.cuseum.com nascarhall.mp.cuseum.com curiodyssey.mp.cuseum.com ismsociety.mp.cuseum.com sciowa.mp.cuseum.com high-museumpass.mp.cuseum.com member.hudsonvalleybikernetwork.com abt.mp.cuseum.com testmuseum.mp.cuseum.com ucbg.mp.cuseum.com blantonmuseum.mp.cuseum.com detroithistorical.mp.cuseum.com high-membership.mp.cuseum.com wings.mp.cuseum.com app.cuseum.com

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Significantly strengthen CSP directives
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

Connection

Performance

close

Vary

Performance

Accept-Encoding, Origin

connection: close
vary: Accept-Encoding, Origin

Caching Headers

Cache-Control

Caching

max-age=0, private, must-revalidate

Etag

Caching

W/"4c3d3326e6776611a27e985c61ccdd64"

cache-control: max-age=0, private, must-revalidate
etag: W/"4c3d3326e6776611a27e985c61ccdd64"

Content Headers

Content-Length

Content

622

Content-Type

Content

text/html; charset=utf-8

content-length: 622
content-type: text/html; charset=utf-8

Server Headers

X-Powered-By

Server

cloud66

X-Runtime

Server

0.042793

x-powered-by: cloud66
x-runtime: 0.042793

CORS Headers

Access-Control-Allow-Headers

Cors

newrelic, traceparent, tracestate

access-control-allow-headers: newrelic, traceparent, tracestate

Cookies Headers

Set-Cookie

Cookies

set-cookie: ahoy_visitor=8bf8cb5f-5f11-44de-b85b-2935b0a98ec0; path=/; expires=Sat, 13 May 2028 15:58:38 GMT; secure; HttpOnly; SameSite=Lax
ahoy_visit=1a4d8a1b-65bd-488c-9b49-ce485b496c99; path=/; expires=Wed, 13 May 2026 19:58:38 GMT; secure; HttpOnly; SameSite=Lax

Other Headers

Date

Other

Wed, 13 May 2026 15:58:38 GMT

Link

Other

URL /assets/new_home-67bb52637c34c5fd878214a20192bc75e9812f50312dc02a54b6a4410854fbb7.css

rel=preload as=style nopush

X-Request-Id

Other

28b736e4-3458-4115-959b-d3c578b34b9b

date: Wed, 13 May 2026 15:58:38 GMT
link: </assets/new_home-67bb52637c34c5fd878214a20192bc75e9812f50312dc02a54b6a4410854fbb7.css>; rel=preload; as=style; nopush
x-request-id: 28b736e4-3458-4115-959b-d3c578b34b9b

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology