HTTP Headers Analysis for https://connect.sleekplan.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=5184000; includeSubDomains

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Caching Headers

3 headers

Cache-Control

Caching

public, max-age=3600

Etag

Caching

W/"478-196c4a0d1e0"

Last-Modified

Caching

Mon, 12 May 2025 13:13:16 GMT

Content Headers

2 headers

Content-Length

Content

1144

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

nginx

CORS Headers

2 headers

Access-Control-Allow-Origin

Cors

*

Access-Control-Expose-Headers

Cors

Authorization, Etag, Content-Type, Content-Length, X-Nango-Signature, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset

Cookies Headers

0 headers

No cookies headers found

Other Headers

4 headers

Content-Security-Policy-Report-Only

Other

default-src 'self' https://connect.sleekplan.com https://connect.sleekplan.com https://connect-ui.sleekplan.com;child-src 'self';connect-src 'self' https://*.google-analytics.com https://*.sentry.io https://connect.sleekplan.com https://connect.sleekplan.com wss://connect.sleekplan.com/ https://connect-ui.sleekplan.com https://*.posthog.com ;font-src 'self' https://*.googleapis.com https://*.gstatic.com;frame-src 'self' https://accounts.google.com https://connect.sleekplan.com https://connect.sleekplan.com https://connect-ui.sleekplan.com https://www.youtube.com;img-src 'self' data: https://connect.sleekplan.com https://connect.sleekplan.com https://*.google-analytics.com https://*.googleapis.com https://*.posthog.com https://img.logo.dev https://*.ytimg.com;manifest-src 'self';media-src 'self';object-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline' https://connect.sleekplan.com https://connect.sleekplan.com https://*.google-analytics.com https://*.googleapis.com https://apis.google.com https://*.posthog.com https://www.youtube.com ;style-src blob: 'self' 'unsafe-inline' https://*.googleapis.com https://connect.sleekplan.com https://connect.sleekplan.com;worker-src blob: 'self' https://connect.sleekplan.com https://connect.sleekplan.com https://*.googleapis.com https://*.posthog.com;base-uri 'self';form-action 'self';frame-ancestors 'self';script-src-attr 'none';upgrade-insecure-requests

Date

Other

Mon, 26 Jan 2026 14:10:17 GMT

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

Recommendations

Enable compression (gzip/brotli) to improve performance