HTTP Headers Analysis for https://dashboard.bugfender.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15724800; includeSubDomains

Content-Security-Policy

Good

child-src; font-src; media-src; +10 more

child-src 'self' https://www.youtube.com https://player.vimeo.com https://fast.wistia.net https://intercom-sheets.com https://www.intercom-reporting.com; font-src 'self' https://js.intercomcdn.com https://fonts.intercomcdn.com; media-src 'self' https://downloads.intercomcdn.eu https://downloads.au.intercomcdn.com https://js.intercomcdn.com https://downloads.intercomcdn.com; default-src 'self'; form-action https://api-iam.au.intercom.io 'self' https://intercom.help https://api-iam.intercom.io https://api-iam.eu.intercom.io; frame-src 'self' https://dashboard:5601 https://kmw.bugfender.com:443 https://kmw.bugfender.com https://kibana.bugfender.com:443 https://kibana.bugfender.com https://*.js.stripe.com https://js.stripe.com https://www.youtube.com https://hooks.stripe.com; style-src 'self' 'unsafe-inline'; worker-src blob: https://api.bugfender.com; base-uri 'self'; connect-src https://api.stripe.com wss://nexus-australia-websocket.intercom.io https://js.stripe.com https://api-ping.intercom.io 'self' https://api.au.intercom.io https://via.intercom.io https://maps.googleapis.com https://api.bugfender.com wss://*.intercom-messenger.com https://nexus-europe-websocket.intercom.io https://nexus-australia-websocket.intercom.io https://api.intercom.io wss://nexus-websocket-b.intercom.io https://*.intercom-messenger.com https://uploads.au.intercomcdn.com https://uploads.eu.intercomcdn.com https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://kmw.bugfender.com https://js.bugfender.com wss://nexus-europe-websocket.intercom.io https://api-iam.intercom.io https://api.eu.intercom.io https://api-iam.au.intercom.io https://nexus-websocket-a.intercom.io https://plausible.io https://uploads.intercomcdn.eu https://kmw.bugfender.com:443 https://api-iam.eu.intercom.io wss://nexus-websocket-a.intercom.io; script-src https://maps.googleapis.com https://plausible.io 'self' https://widget.intercom.io https://app.intercom.io https://*.js.stripe.com blob: 'nonce-Aksm1NQsNm5D3ktf1oc7sQ' https://js.bugfender.com https://js.intercomcdn.com https://js.stripe.com; img-src blob: https://*.intercom-attachments-4.com https://js.intercomcdn.com https://*.intercom-attachments-3.com https://uploads.intercomusercontent.com https://*.intercom-attachments-1.com https://*.intercom-attachments-8.com https://*.intercom-attachments-2.com https://*.intercom-attachments-9.com https://static.intercomassets.com https://*.intercom-attachments-6.com https://downloads.intercomcdn.com https://gravatar.com https://video-messages.intercomcdn.com https://messenger-apps.intercom.io https://*.intercom-attachments-7.com https://static.au.intercomassets.com https://downloads.intercomcdn.eu https://downloads.au.intercomcdn.com https://gifs.intercomcdn.com https://*.intercom-attachments.eu https://*.au.intercom-attachments.com https://messenger-apps.eu.intercom.io https://static.intercomassets.eu data: https://messenger-apps.au.intercom.io https://*.intercom-attachments-5.com 'self'; frame-ancestors 'none'

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

accelerometer=(), autoplay=*, camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

no-cache, no-store, must-revalidate

Expires

Caching

0

Pragma

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

envoy

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

6 headers

Date

Other

Sat, 27 Dec 2025 05:47:13 GMT

Ratelimit-Limit

Other

10

Ratelimit-Policy

Other

10;w=60

Ratelimit-Remaining

Other

9

Ratelimit-Reset

Other

60

X-Envoy-Upstream-Service-Time

Other

132

Recommendations

Enable compression (gzip/brotli) to improve performance