HTTP Headers Analysis for https://engage.envoke.com

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; style-src; +10 more

default-src 'self' blob: https://cdn-ilcfdhd.nitrocdn.com/ https://nitroscripts.com/ https://*.paddle.com https://*.profitwell.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://e1.envoke.com https://engage.envoke.com/ext/embed/engagements/ https://eml.envoke.com/ext/embed/engagements/ https://tagmanager.google.com https://*.googletagmanager.com https://*.google-analytics.com https://googleads.g.doubleclick.net https://js.intercomcdn.com https://widget.intercom.io/widget/ev9a263d https://w338l7p6z1nt.statuspage.io https://files.envoke.com/web_files/812/scripts/nvk.js https://player.vimeo.com/api/player.js https://sc.lfeeder.com/lftracker_v1_bElvO73rqp18ZMqj.js https://code.jquery.com/jquery-3.5.1.min.js https://use.fontawesome.com/ba2b83a682.js https://ct.capterra.com/capterra_tracker.js https://cdnjs.cloudflare.com/ajax/libs/ https://unpkg.com/micromodal/dist/micromodal.min.js https://unpkg.com/alpinejs https://cdn.jsdelivr.net/npm/[email protected]/dist/js/select2.min.js https://nitroscripts.com https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js https://polyfill.io https://*.googleapis.com https://*.sentry-cdn.com https://*.paddle.com https://*.profitwell.com https://js.stripe.com/v3/ blob: https://cdn-ilefnbb.nitrocdn.com/; style-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://tagmanager.google.com https://fonts.googleapis.com https://use.fontawesome.com https://e1.envoke.com/css/nvk-content.min.css https://cdn.jsdelivr.net/npm/[email protected]/dist/css/select2.min.css https://cdn-ilcfdhd.nitrocdn.com/ https://*.paddle.com https://*.profitwell.com https://cdn-ilefnbb.nitrocdn.com/; img-src 'self' http: https: data: https://e1.envoke.com https://*.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://www.google.com/ads/ga-audiences https://capterra.s3.amazonaws.com/assets/images/ https://assets.capterra.com https://cdn-ilcfdhd.nitrocdn.com/ https://to.getnitropack.com/ https://dna8twue3dlxq.cloudfront.net; connect-src 'self' https://engage.envoke.com/ext/embed/engagements/ https://*.envoke.com/form.php https://*.google.com https://*.google.ca https://*.google.co.uk https://*.google.com.au https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.googleapis.com https://*.googlesyndication.com https://*.gstatic.com https://stats.g.doubleclick.net https://api-iam.intercom.io/messenger/web/ wss://nexus-websocket-a.intercom.io/pubsub/ https://to.getnitropack.com/p https://*.paddle.com https://*.profitwell.com https://browser.sentry-cdn.com https://cdn-ilefnbb.nitrocdn.com/ https://to.getnitropack.com/; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://use.fontawesome.com https://fonts.intercomcdn.com/messenger-m4/ https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/ https://cdn-ilcfdhd.nitrocdn.com/ https://cdn-ilefnbb.nitrocdn.com/; media-src 'self' https://js.intercomcdn.com; child-src 'self' blob: https://*.google.com https://td.doubleclick.net https://player.vimeo.com https://w338l7p6z1nt.statuspage.io; frame-ancestors 'self'; frame-src 'self' data: https://w338l7p6z1nt.statuspage.io https://player.vimeo.com/video/ https://maps.google.com/ https://www.google.com/ https://www.googletagmanager.com https://*.paddle.com https://*.profitwell.com https://js.stripe.com/v3/; worker-src 'self' blob: https://cdn-ilcfdhd.nitrocdn.com/ https://cdn-ilefnbb.nitrocdn.com/; report-to envoke-csp; report-uri https://envoke.report-uri.com/r/d/csp/enforce

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

autoplay=("https://player.vimeo.com"), camera=(), display-capture=(), fullscreen=(self "https://player.vimeo.com" "https://*.vimeocdn.com"), geolocation=*, microphone=(), picture-in-picture=("https://player.vimeo.com")

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding,Cookie

Caching Headers

1 headers

Cache-Control

Caching

max-age=600, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

2 headers

Server

cloudflare

X-Powered-By

Server

WP Engine

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=PM_R6jqoZx0LdKKLXBnxhqa0RcpJo_BJbStZN_An2ro-1767162506-1.0.1.1-RGUqgowzmEUdrWUuH7wEGd0r_Aou2G.3UU8yCLSUGydCo1e4HBORUJP45CsPF1zuypIQMua60_uvJE7uEgx_2TWrHfRfTQxrDFKn5mas.hQ; path=/; expires=Wed, 31-Dec-25 06:58:26 GMT; domain=.envoke.com; HttpOnly; Secure; SameSite=None

Other Headers

13 headers

Accept-Ch

Other

Sec-CH-UA-Mobile

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9b67b77ff9317411-IAD

Date

Other

Wed, 31 Dec 2025 06:28:26 GMT

Link

Other

<https://envoke.com/>; rel=shortlink

X-Cache

Other

X-Cache-Ctime

Other

1766162865

X-Cache-Group

Other

normal

X-Cacheable

Other

SHORT

X-Nitro-Cache

Other

HIT

X-Nitro-Cache-From

Other

drop-in

X-Nitro-Rev

Other

819aa90

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology