HTTP Headers Analysis for https://findlocalquickbookshelp.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Cache-Control

Caching

private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate

Etag

Caching

W/"fefa-MueKa3MyQY1721K7bAhByeGPWeY"

Expires

Caching

-1

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

65274

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

hosted-shell=%7B%22clientId%22%3A%2222b6ee6c-8b09-4695-b60a-b5154220f75f%22%7D; Path=/; Expires=Sat, 19 Jan 2036 11:18:39 GMT; HttpOnly; Secure

Other Headers

11 headers

Content-Security-Policy-Report-Only

Other

connect-src https://api.segment.io 'self' https://*.intuit.com https://*.intuit.com:* https://*.intuitcdn.net:* https://hosted-shell-assets-us-west-2.s3.us-west-2.amazonaws.com wss://plugin-localhost.intuitcdn.net:* wss://plugin.intuitcdn.net:* https://*.intuit.net consent.intuit.apps.com consent.intuit.quickbooksconnect.com; default-src 'self' https://*.intuit.com https://*.intuitcdn.net:*; font-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; frame-src https://*.intuitcdn.net https://*.intuit.com; img-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; object-src 'self' https://*.intuitcdn.net https://*.intuit.com; report-uri https://csp.intuit.com/v1/8073845824298273361; script-src https://cdn.segment.io https://cdn.segment.com 'self' https://*.intuit.com https://*.intuitcdn.net:*; style-src 'self' https://*.intuitcdn.net:* https://*.intuit.com; worker-src 'self' blob:;

Date

Other

Wed, 21 Jan 2026 11:18:39 GMT

Intuit_tid

Other

Self=1-6970b60f-47e55fa07e447d611dac5581;Root=1-6970b60f-4f7bd3095567cee323f3fc0b

Server-Timing

Other

pluginConfigs;dur=0.27,appMw;dur=0.02,ixpAssignments;dur=0.02,appPostAuthMw;dur=0.02,shellServiceMw;dur=1.36,totalMwExecTime;dur=10.74

X-Amzn-Trace-Id

Other

Self=1-6970b60f-47e55fa07e447d611dac5581;Root=1-6970b60f-4f7bd3095567cee323f3fc0b

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

20

X-Intuit-Upstream-Locality-Region

Other

us-west-2

X-Request-Id

Other

Self=1-6970b60f-47e55fa07e447d611dac5581;Root=1-6970b60f-4f7bd3095567cee323f3fc0b

X-Spanid

Other

e69cad8f-fdd8-3366-7025-0182f190401f

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology