HTTP Headers Analysis for https://findhelpwithquickbooks.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Cache-Control

Caching

private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate

Etag

Caching

W/"fefd-Jm/aEOeSFhWKqv1DXSx4PxOpDZ0"

Expires

Caching

-1

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

65277

Content-Type

Content

text/html;charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

hosted-shell=%7B%22clientId%22%3A%22f646da1e-b594-4530-897c-0dbab73b16a3%22%7D; Path=/; Expires=Mon, 21 Jan 2036 09:57:54 GMT; HttpOnly; Secure

Other Headers

10 headers

Content-Security-Policy-Report-Only

Other

connect-src https://api.segment.io 'self' https://*.intuit.com https://*.intuit.com:* https://*.intuitcdn.net:* https://hosted-shell-assets-us-west-2.s3.us-west-2.amazonaws.com wss://plugin-localhost.intuitcdn.net:* wss://plugin.intuitcdn.net:* https://*.intuit.net consent.intuit.apps.com consent.intuit.quickbooksconnect.com; default-src 'self' https://*.intuit.com https://*.intuitcdn.net:*; font-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; frame-src https://*.intuitcdn.net https://*.intuit.com; img-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; object-src 'self' https://*.intuitcdn.net https://*.intuit.com; report-uri https://csp.intuit.com/v1/8073845824298273361; script-src https://cdn.segment.io https://cdn.segment.com 'self' https://*.intuit.com https://*.intuitcdn.net:*; style-src 'self' https://*.intuitcdn.net:* https://*.intuit.com; worker-src 'self' blob:;

Date

Other

Fri, 23 Jan 2026 09:57:54 GMT

Intuit_tid

Other

Self=1-69734622-66cf99965e72f1941cae008d;Root=1-69734622-37f837135f2796001cbde5b8

Server-Timing

Other

pluginConfigs;dur=0.30,appMw;dur=0.08,ixpAssignments;dur=0.02,appPostAuthMw;dur=0.05,shellServiceMw;dur=2.58,totalMwExecTime;dur=12.20

X-Amzn-Trace-Id

Other

Self=1-69734622-66cf99965e72f1941cae008d;Root=1-69734622-37f837135f2796001cbde5b8

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

17

X-Request-Id

Other

Self=1-69734622-66cf99965e72f1941cae008d;Root=1-69734622-37f837135f2796001cbde5b8

X-Spanid

Other

a01d6abf-2b0d-d0bb-87bb-ff789c54c3b2

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology