HTTP Headers Analysis for https://eftsure.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000

Content-Security-Policy

Basic

default-src; frame-src; script-src; +7 more

default-src 'self' blob: *.sentry-cdn.com *.chilipiper.com *.hsappstatic.net *.clearbitscripts.com https://www.eftsure.com https://eftsure.vercel.app https://eftsure-develop.vercel.app *.vercel-analytics.com *.algolia.net *.algolianet.com *.algolia.io *.doubleclick.net *.google-analytics.com *.analytics.google.com www.google.com *.clarity.ms analytics.tiktok.com js.intercomcdn.com tagmanager.google.com use.typekit.net p.typekit.net https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com *.wistia.com *.litix.io www.facebook.com *.hsforms.net *.hsforms.com *.posthog.com https://www.google.com.au https://analytics.google.com https://px.ads.linkedin.com https://analytics.ahrefs.com *.reddit.com https://www.redditstatic.com https://cdn.dreamdata.cloud https://ws.zoominfo.com https://api.hubapi.com https://d.adroll.com *.hubspot.com https://forms.hscollectedforms.net https://www.googleadservices.com https://google.com https://x.clearbitjs.com https://app.clearbit.com *.osano.com tracking-api.g2.com; frame-src 'self' *.algolia.net optimize.google.com *.google.com/recaptcha www.gstatic.com www.google.com googletagmanager.com www.googletagmanager.com googleanalytics.com google-analytics.com googleoptimize.com *.youtube.com *.doubleclick.net www.facebook.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://eftsure.vercel.app https://eftsure-develop.vercel.app https://www.eftsure.com *.wistia.com https://vercel.live https://x.adroll.com https://forms.hsforms.com *.chilipiper.com; script-src 'self' *.hsappstatic.net *.clearbitscripts.com *.google.com/recaptcha *.gstatic.com *.youtube.com cdnjs.cloudflare.com ajax.googleapis.com *.formstack.com *.algolia.net *.doubleclick.net widget.intercom.io js.intercomcdn.com optimize.google.com www.googleoptimize.com connect.facebook.net www.clarity.ms js.adsrvr.org/up_loader.1.1.0.js sc-static.net/scevent.min.js static.ads-twitter.com www.googletagmanager.com www.googleanalytics.com www.google-analytics.com *.vercel.app analytics.tiktok.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ *.hotjar.com 'unsafe-inline' 'unsafe-eval' https://eftsure.vercel.app https://eftsure-develop.vercel.app https://www.eftsure.com *.wistia.com *.sentry-cdn.com *.hsforms.net *.vercel-scripts.com *.posthog.com https://vercel.live https://snap.licdn.com https://bat.bing.com https://www.redditstatic.com https://ws.zoominfo.com https://cdn.dreamdata.cloud https://analytics.ahrefs.com https://www.googleadservices.com https://reveal.clearbit.com https://js.hscollectedforms.net https://js.hs-analytics.net https://js.hsadspixel.net https://js.hubspot.com https://js.hs-banner.com https://d.adroll.com *.chilipiper.com https://x.clearbitjs.com https://app.clearbit.com *.optimizely.com *.hs-scripts.com *.adroll.com *.osano.com tracking-api.g2.com; worker-src 'self' blob:; style-src 'self' use.typekit.net p.typekit.net *.vercel.app optimize.google.com fonts.googleapis.com fonts.gstatic.com 'unsafe-inline' https://eftsure.vercel.app https://eftsure-develop.vercel.app https://www.eftsure.com; img-src 'self' https: data: https://eftsure.vercel.app https://eftsure-develop.vercel.app https://www.eftsure.com *.wistia.com; font-src 'self' fonts.intercomcdn.com fonts.gstatic.com use.typekit.net data: https://eftsure.vercel.app https://eftsure-develop.vercel.app https://www.eftsure.com *.wistia.com; frame-ancestors 'self' https://www.eftsure.com https://eftsure.vercel.app https://eftsure-develop.vercel.app *.cms.optimizely.com; base-uri 'self'; form-action 'self' https://www.facebook.com https://forms.hsforms.com;

X-Frame-Options

Excellent

deny

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

1 headers

Cache-Control

Caching

public, max-age=0, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/plain

Server Headers

1 headers

Server

Vercel

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

region-redirected=1; Path=/; Expires=Sat, 28 Feb 2026 18:01:15 GMT; Max-Age=2592000

Other Headers

3 headers

Date

Other

Thu, 29 Jan 2026 18:01:15 GMT

Location

Other

/

X-Vercel-Id

Other

iad1::5g2dm-1769709675886-45f76837078a

Recommendations

Enable compression (gzip/brotli) to improve performance