HTTP Headers Analysis for https://compass.com

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Add Content-Security-Policy header to prevent XSS attacks
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

0 headers

No caching headers found

Content Headers

2 headers

Content-Length

Content

411535

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

X-Powered-By

Server

hydra

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

x-amz-continuous-deployment-state=AYABeCo0xrjkN3B3QPtf4BdW+lIAPQACAAFEABxkZHgyOTV2YmlnaWxqLmNsb3VkZnJvbnQubmV0AAFHABVHMDUwNzY0NTJKSzk4VFgyRDdBS0kAAQACQ0QAGkNvb2tpZQAAAIAAAAAMKhYGE0pUUn3KMUfrADDWU6QIzqZCWaq15pLhKVoQbN8PtR8HPsiyrSlowRVlAY0VQEQfJsgdMOcBhD1Zz5cCAAAAAAwABAAAAAAAAAAAAAAAAAAAdgj54Gevvv7xa9MkDvadPv%2F%2F%2F%2F8AAAABAAAAAAAAAAAAAAABAAAADPvOm6Jgix0tnGqJLF8sePMcEWqc1UcMfBoxsOo=; HttpOnly; Path=/; Expires=Tue, 27 Jan 2026 17:15:23 GMT

Other Headers

9 headers

Content-Security-Policy-Report-Only

Other

base-uri 'self'; connect-src https: wss: blob:; default-src 'none'; font-src https: data:; frame-src https: blob:; img-src https: data: blob:; manifest-src 'self'; media-src https:; object-src 'none'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' https://api.compass.com https://app-glide.compass.com https://cdn.heapanalytics.com https://heapanalytics.com https://cdn.segment.com https://connect.facebook.net https://edge.fullstory.com/s/ https://maps.googleapis.com/maps/api/js/ https://static.zdassets.com/ekr/snippet.js https://static.filestackapi.com https://web-sdk.aptrinsic.com/api/aptrinsic.js https://www.datadoghq-browser-agent.com https://www.google-analytics.com https://www.googleadservices.com https://www.google.com/recaptcha/ https://maps.googleapis.com https://apis.google.com https://www.gstatic.com https://www.googletagmanager.com https://js.stripe.com https://stats.pusher.com https://widget.intercom.io https://js.intercomcdn.com https://boards.greenhouse.io https://siteintercept.qualtrics.com https://zn0feyon15oqdwcu1-compass.siteintercept.qualtrics.com https://www.youtube.com https://googleads.g.doubleclick.net https://snap.licdn.com https://js.hubspot.com https://js.hs-analytics.net https://js.hs-scripts.com https://js.hsadspixel.net https://js.hs-banner.com https://fast.wistia.com https://js.userpilot.io https://deploy.userpilot.io https://t.contentsquare.net https://api.compass.com https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net https://code.jquery.com; script-src-elem 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' https://api.compass.com https://app-glide.compass.com https://cdn.heapanalytics.com https://heapanalytics.com https://cdn.segment.com https://connect.facebook.net https://edge.fullstory.com/s/ https://maps.googleapis.com/maps/api/js/ https://static.zdassets.com/ekr/snippet.js https://static.filestackapi.com https://web-sdk.aptrinsic.com/api/aptrinsic.js https://www.datadoghq-browser-agent.com https://www.google-analytics.com https://www.googleadservices.com https://www.google.com/recaptcha/ https://maps.googleapis.com https://apis.google.com https://www.gstatic.com https://www.googletagmanager.com https://js.stripe.com https://stats.pusher.com https://widget.intercom.io https://js.intercomcdn.com https://boards.greenhouse.io https://siteintercept.qualtrics.com https://zn0feyon15oqdwcu1-compass.siteintercept.qualtrics.com https://www.youtube.com https://googleads.g.doubleclick.net https://snap.licdn.com https://js.hubspot.com https://js.hs-analytics.net https://js.hs-scripts.com https://js.hsadspixel.net https://js.hs-banner.com https://fast.wistia.com https://js.userpilot.io https://deploy.userpilot.io https://t.contentsquare.net https://api.compass.com https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net https://code.jquery.com; style-src 'report-sample' 'self' 'unsafe-inline' https://uc-frontend-assets.compass.com https://app-glide.compass.com https://www.google-analytics.com https://www.googletagmanager.com https://fonts.googleapis.com https://static.filestackapi.com https://web-sdk.aptrinsic.com https://www.gstatic.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://unpkg.com blob:; worker-src 'self' blob:; report-uri /csp-report/?key=new

Date

Other

Tue, 27 Jan 2026 17:10:23 GMT

Via

Other

1.1 58c3ce6e485adff4a9658be41214af94.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

YmRtCvKaURuH2BIgPawdtwBJ6tExX0ROpT2Mj60M8YMVQlMcZrC3Lw==

X-Amz-Cf-Pop

Other

IAD55-P10

X-Cache

Other

Miss from cloudfront

X-Compass-Request-Id

Other

c6686ef5-6bd8-4051-8c5b-de36313902d9

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

Recommendations

Enable compression (gzip/brotli) to improve performance

Add Cache-Control header to optimize caching

Consider removing X-Powered-By header to hide server technology