HTTP Headers Analysis for https://bringatrailer.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

4 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding, Cookie

Caching Headers

1 headers

Cache-Control

Caching

max-age=300, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Bring a Trailer

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

10 headers

Content-Security-Policy-Report-Only

Other

report-uri https://bringatrailer.report-uri.com/r/t/csp/wizard; base-uri 'self'; default-src 'self'; object-src 'none'; frame-ancestors 'none'; img-src 'self' data: https:; worker-src 'self' blob:; connect-src 'self' https: wss: *.doubleclick.net *.googlesyndication.com geolocation.onetrust.com *.stripe.com *.carfax.com; font-src 'self' data: https://fonts.gstatic.com *.wp.com; frame-src 'self' *.stripe.com *.google.com *.gstatic.com *.youtube.com *.youtube-nocookie.com *.vimeo.com *.flickr.com anchor.fm *.spotify.com *.facebook.com castbox.fm *.apple.com *.runbuggy.com *.onetrust.com *.googlesyndication.com *.doubleclick.net *.google-analytics.com *.adtrafficquality.google *.googleadservices.com *.googletagservices.com *.nr-data.net *.newrelic.com *.googletagmanager.com *.facebook.net *.reddit.com *.adsrvr.org *.innovid.com *.tvsquared.com *.stackadapt.com *.carfax.com; script-src 'nonce-XwjEN9RboJQ9E1KAyTTPVQ==' 'self' 'strict-dynamic' https://www.googletagmanager.com https://www.google-analytics.com https://js.stripe.com https://securepubads.g.doubleclick.net https://pagead2.googlesyndication.com https://www.google.com https://www.gstatic.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com *.carfax.com *.hearstapps.com; style-src 'nonce-XwjEN9RboJQ9E1KAyTTPVQ==' 'self' 'sha256-wG10yjQtjomBxjug4y0XNRthbI89DiUxvDkjYcwyBc8=' 'sha256-6dWhdPqTY6pr0lbgV8vfUDIIH216YiDXS7ai8drnM5A=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-yTCJFvBsJ3q3wf4Dk4paMpnG1N2ABmaPEXkImUtBFdM=' 'sha256-0I2+3P72yyXJiuT4aoTemWk6gyVi6LnLMHXZrBx3gpY=' https://fonts.googleapis.com *.hearstapps.com; style-src-attr 'unsafe-inline'

Date

Other

Sat, 06 Dec 2025 01:12:43 GMT

Host-Header

Other

a9130478a60e5f9135f765b23f26593b

Link

Other

<https://bringatrailer.com/wp-json/>; rel="https://api.w.org/"

X-Cache

Other

MISS

X-Elasticpress-Query

Other

true

X-Rq

Other

dca5 0 20 9980

X-Tec-Api-Origin

Other

https://bringatrailer.com

X-Tec-Api-Root

Other

https://bringatrailer.com/wp-json/tribe/events/v1/

X-Tec-Api-Version

Other

v1

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology