18 Headers
| HTTP Security Headers | Status | Value |
|---|---|---|
| Strict-Transport-Security | Good | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Missing | Not configured |
| X-Frame-Options | Missing | Not configured |
| X-Content-Type-Options | Good | nosniff |
| Referrer-Policy | Missing | Not configured |
| Permissions-Policy | Missing | Not configured |

Recommendations
- Consider adding 'preload' to HSTS for maximum security
- Add Content-Security-Policy header to prevent XSS attacks
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
Performance Headers
3 headers
Connection
Performance
close
Transfer-Encoding
Performance
chunked
Vary
Performance
rsc,next-router-state-tree,next-router-prefetch,next-router-segment-prefetch,Accept-Encoding
Caching Headers
2 headers
Age
Caching
0
Cache-Control
Caching
private,no-cache,no-store,max-age=0,must-revalidate
Content Headers
1 header
Content-Type
Content
text/html; charset=utf-8
Server Headers
2 headers
Server
Server
cloudflare
X-Powered-By
Server
Next.js
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 header
Set-Cookie
Cookies
__cf_bm=A0GS0aqS4GPa_V77H0ScJwo_HNEMR7kaR.rfaiMSCBc-1766676634.087964-1.0.1.1-Mmto01SYzhJtb2Aedofa3iJlKl.S4U3Ppew4brTpK7C8LOg..zgQh7H4p.mQBTQXmdN8aZ1bIxaR0lwQWfhQg.tftHcWyIANLawPeTUeBDY3U1wHNfp4SxCMPgB4l5jR; HttpOnly; Secure; Path=/; Domain=carta.com; Expires=Thu, 25 Dec 2025 16:00:34 GMT
Other Headers
7 headers
Cache-Status
Other
"Netlify Durable"; fwd=bypass, "Netlify Edge"; fwd=miss;detail=p1
Cf-Cache-Status
Other
DYNAMIC
Cf-Ray
Other
9b39616308a8d643-IAD
Date
Other
Thu, 25 Dec 2025 15:30:34 GMT
Link
Other
</_next/static/media/251df36401e2f093-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/35a91d7a43063ba6-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/37786be940ec402b-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/636a5ac981f94f8b-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/98e207f02528a563-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/be134c60f3754e50-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/c49dcee81b580683-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/d3ebbfd689654d3a-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/da6de786a91fb953-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/db96af6b531dc71f-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/ef2122007cde2da5-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/f2f95c8193f29589-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/css/15c8d2211a719a7e.css>; rel=preload; as="style", </_next/static/css/2b4bf9dc3a9d2dfc.css>; rel=preload; as="style", </_next/static/css/c7c83bb12963fe6c.css>; rel=preload; as="style", </_next/static/css/07b3e0925564062e.css>; rel=preload; as="style", </_next/static/css/79a899337c9e7a3c.css>; rel=preload; as="style", </_next/static/css/4321707e93965c4a.css>; rel=preload; as="style", </_next/static/css/5f219cb4f6dbd269.css>; rel=preload; as="style"
Netlify-Vary
Other
country=ad|ae|af|al|am|ao|as|at|au|ax|az|ba|bd|be|bg|bh|bi|bj|bn|bt|bw|by|cf|cg|ch|ci|ck|cm|cn|cv|cy|cz|de|dj|dk|dz|ee|eg|eh|er|es|et|fi|fj|fm|fo|fr|ga|gb|ge|gg|gh|gi|gm|gn|gr|hk|hr|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jo|jp|ke|kh|ki|km|kp|kr|kw|kz|la|lb|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mg|mk|ml|mm|mn|mo|mp|mr|mt|mu|mv|mw|my|mz|na|nc|ne|nl|no|np|nr|nu|nz|om|pf|pg|ph|pk|pl|ps|pt|pw|qa|re|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sk|sl|sm|sn|st|sy|sz|td|tg|th|tk|tl|tn|to|tr|tv|tw|tz|ua|ug|va|vn|vu|wf|ws|ye|yt|za|zm|zw,query
X-Nf-Request-Id
Other
01KDB246FQ8VCHDQH96JGX58WH
Recommendations
- Enable compression (gzip/brotli) to improve performance
- Consider removing X-Powered-By header to hide server technology
Analysis completed in 350ms