Headers
HTTP Security Headers

| Header | Status | Value |
| --- | --- | --- |
| Strict-Transport-Security | Good | `max-age=63072000; includeSubDomains` |
| Content-Security-Policy | Missing | Not configured |
| X-Frame-Options | Good | `SAMEORIGIN` |
| X-Content-Type-Options | Good | `nosniff` |
| Referrer-Policy | Good | `strict-origin-when-cross-origin` |
| Permissions-Policy | Missing | Not configured |
Recommendations

- Consider adding 'preload' to HSTS for maximum security
- Add an enforcing Content-Security-Policy header to prevent XSS attacks (only a Content-Security-Policy-Report-Only policy is currently sent, which reports violations but does not block them)
- Consider adding Permissions-Policy to control browser features (only the legacy Feature-Policy header is currently sent)
Performance Headers (2 headers)

| Header | Category | Value |
| --- | --- | --- |
| Connection | Performance | `close` |
| Vary | Performance | `Accept-Encoding, Origin` |
Caching Headers (2 headers)

| Header | Category | Value |
| --- | --- | --- |
| Cache-Control | Caching | `max-age=0, private, must-revalidate` |
| Etag | Caching | `W/"949d301d95cb6256c702fb7af29b9545"` |
Content Headers (2 headers)

| Header | Category | Value |
| --- | --- | --- |
| Content-Length | Content | `16352` |
| Content-Type | Content | `text/html; charset=utf-8` |
Server Headers (2 headers)

| Header | Category | Value |
| --- | --- | --- |
| Server | Server | `Heroku` |
| X-Runtime | Server | `0.026127` |
CORS Headers (0 headers)

No CORS headers found
Cookies Headers (1 header)

| Header | Category | Value |
| --- | --- | --- |
| Set-Cookie | Cookies | `_my_app_session=a1025bde038c3d38d993962b1cdbdbd9; path=/; secure; HttpOnly` |
Other Headers (10 headers)

| Header | Category | Value |
| --- | --- | --- |
| Content-Security-Policy-Report-Only | Other | `default-src 'self' https: https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; img-src 'self' https: data: blob: https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; font-src 'self' https: data: fonts.gstatic.com https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; object-src 'none'; script-src 'self' https: code.jquery.com cdn.datatables.net blob: https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://player.vimeo.com https://www.gstatic.com https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/cast/sdk/libs/sender/1.0/cast_framework.js https://www.gstatic.com/eureka/clank 'unsafe-inline' 'unsafe-eval' https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; script-src-elem 'self' https: code.jquery.com cdn.datatables.net blob: https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://player.vimeo.com https://www.gstatic.com https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/cast/sdk/libs/sender/1.0/cast_framework.js https://www.gstatic.com/eureka/clank 'unsafe-inline' 'unsafe-eval' https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; connect-src 'self' https: https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com https://www.google-analytics.com https://stats.g.doubleclick.net https://api.vimeo.com; style-src 'self' https: 'unsafe-inline' https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; frame-src 'self' https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com https://www.googletagmanager.com https://www.google.com https://player.vimeo.com https://vimeo.com https://viewer.louassist.com https://www.youtube.com https://app.tyfoom.com/web https://www.herokucdn.com; media-src 'self' https: blob: https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com https://player.vimeo.com; form-action 'self' https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; worker-src 'self' blob: https://app.tyfoom.com https://tyfoom-rails-production.herokuapp.com; report-uri /csp_violation_report_endpoint.txt` |
| Date | Other | `Sun, 18 Jan 2026 19:55:41 GMT` |
| Feature-Policy | Other | `accelerometer 'none'; gyroscope 'none'; magnetometer 'none'; autoplay 'self' https://vimeo.com https://*.vimeo.com https://player.vimeo.com https://vimeocdn.com https://*.vimeocdn.com https://i.vimeocdn.com; picture-in-picture 'self' https://vimeo.com https://*.vimeo.com https://player.vimeo.com https://vimeocdn.com https://*.vimeocdn.com https://i.vimeocdn.com; encrypted-media 'self' https://vimeo.com https://*.vimeo.com https://player.vimeo.com https://vimeocdn.com https://*.vimeocdn.com https://i.vimeocdn.com; camera 'self'; microphone 'none'; usb 'none'; geolocation 'self'; fullscreen 'self' https://vimeo.com https://*.vimeo.com https://player.vimeo.com https://vimeocdn.com https://*.vimeocdn.com https://i.vimeocdn.com; payment 'none'; midi 'none'` |
| Link | Other | `</app-assets/application-d2a9d64e225ef7f88cadfdc871801edc6f5bc4e6d58c86d8c8cce414c32a4c54.css>; rel=preload; as=style; nopush,</app-assets/tailwind-300459bcc03d31b8fcb157527bf16438ce2f79ac3fa04cda68a3edea8b1d9648.css>; rel=preload; as=style; nopush,</app-assets/print-5367449d2f918dff4a6805ef3319187125b919bbc2dc1e4c3f16c3690cf19c02.css>; rel=preload; as=style; nopush,</app-assets/es-module-shims.min-a0e02f0f37eb67badf69f69d30f3d3ef921c0ba3d076579d03a937c6b1c29d2d.js>; rel=preload; as=script; nopush,</app-assets/application-81be452e301c9ace4873451db1d7a042113364eecbd1f4d99a48309b8ad45a3a.js>; rel=preload; as=script; nopush` |
| Nel | Other | `{"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}` |
| Report-To | Other | `{"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=ZBum%2Bdxmd96Fo%2FTwWLShaD2rM2CLPdyrGtuyElIPOpI%3D\u0026sid=67ff5de4-ad2b-4112-9289-cf96be89efed\u0026ts=1768766141"}],"max_age":3600}` |
| Reporting-Endpoints | Other | `heroku-nel="https://nel.heroku.com/reports?s=ZBum%2Bdxmd96Fo%2FTwWLShaD2rM2CLPdyrGtuyElIPOpI%3D&sid=67ff5de4-ad2b-4112-9289-cf96be89efed&ts=1768766141"` |
| Via | Other | `1.1 heroku-router` |
| X-Permitted-Cross-Domain-Policies | Other | `none` |
| X-Request-Id | Other | `4c31485a-3230-8fef-d115-921943ac3607` |
Recommendations

- Enable compression (gzip/brotli) to improve performance (the response carries no Content-Encoding header)