HTTP Headers Analysis for https://developer.yelp.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Weak

report-uri; frame-ancestors

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Significantly strengthen CSP directives
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Caching Headers

1 headers

Cache-Control

Caching

max-age=0, no-store, private, no-transform

Content Headers

2 headers

Content-Length

Content

176974

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

envoy

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

wdi=2|1204D1395C4CB7E3|0x1.a5f2ba944cabcp+30|5e2a4705276b6c78; Domain=.yelp.com; Path=/; Max-Age=31536000; Expires=Sat, 30 Jan 2027 13:14:13 GMT; HttpOnly; Secure; SameSite=None

Other Headers

18 headers

Alt-Svc

Other

h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

Content-Security-Policy-Report-Only

Other

report-uri /csp_report_only?directive_set=default&service=gondola&policy_id=ddb6a29f3a8944c5a2fe830caa851e69&timestamp=1769778853&policy_hash=ea6b5fbcc03a57cb0c79ec933ca2a5aa; base-uri 'self'; child-src https: yelp-webview://* yelp://*; connect-src https:; default-src https:; font-src https: data:; form-action https: 'self'; frame-src https: yelp-webview://* yelp://* data:; img-src https: data: blob:; media-src https:; object-src 'self'; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; style-src https: 'unsafe-inline' data:; worker-src blob: https:

Date

Other

Fri, 30 Jan 2026 13:14:13 GMT

Via

Other

1.1 varnish

X-B3-Sampled

Other

0

X-Buffered-Streaming

Other

True

X-Cache

Other

MISS

X-Cache-Hits

Other

0

X-Extlb

Other

10-65-132-146-useast1bprod

X-Mode

Other

ro

X-Proxied

Other

10-65-132-146-useast1bprod

X-Routing-Service

Other

routing-main--useast1-56c8cc7bb4-jnd44; site=www

X-Served-By

Other

cache-ewr-kewr1740075-EWR

X-Streamed-Response

Other

false

X-Streamed-Response-Type

Other

None

X-Timer

Other

S1769778853.048175,VS0,VE346

X-Tracing-Auth

Other

vqzoOReWWIQ0Ew66stSNGmDy5iJlvfI81R-Pj2s2G398ihnDdzzSb31Smk5XloF_

X-Zipkin-Id

Other

4b7b08250afb4e2557e1f56a4c78f79b

Recommendations

Enable compression (gzip/brotli) to improve performance