HTTP Headers Analysis for https://findqbexpert.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Cache-Control

Caching

private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate

Etag

Caching

W/"fece-FDgFMbyyO7WCNjZITlnEDM6ZSf8"

Expires

Caching

-1

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

65230

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

hosted-shell=%7B%22clientId%22%3A%22f6c7f469-6395-470c-a6db-0bffd0c34186%22%7D; Path=/; Expires=Wed, 16 Jan 2036 19:57:45 GMT; HttpOnly; Secure

Other Headers

11 headers

Content-Security-Policy-Report-Only

Other

connect-src https://api.segment.io 'self' https://*.intuit.com https://*.intuit.com:* https://*.intuitcdn.net:* https://hosted-shell-assets-us-west-2.s3.us-west-2.amazonaws.com wss://plugin-localhost.intuitcdn.net:* wss://plugin.intuitcdn.net:* https://*.intuit.net consent.intuit.apps.com consent.intuit.quickbooksconnect.com; default-src 'self' https://*.intuit.com https://*.intuitcdn.net:*; font-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; frame-src https://*.intuitcdn.net https://*.intuit.com; img-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; object-src 'self' https://*.intuitcdn.net https://*.intuit.com; report-uri https://csp.intuit.com/v1/8073845824298273361; script-src https://cdn.segment.io https://cdn.segment.com 'self' https://*.intuit.com https://*.intuitcdn.net:*; style-src 'self' https://*.intuitcdn.net:* https://*.intuit.com; worker-src 'self' blob:;

Date

Other

Sun, 18 Jan 2026 19:57:45 GMT

Intuit_tid

Other

Self=1-696d3b39-1031dd183f54352f4b2131f6;Root=1-696d3b39-2300bd2c11f8cbc63da11bf4

Server-Timing

Other

pluginConfigs;dur=0.25,appMw;dur=0.02,ixpAssignments;dur=0.02,appPostAuthMw;dur=0.01,shellServiceMw;dur=3.28,totalMwExecTime;dur=12.46

X-Amzn-Trace-Id

Other

Self=1-696d3b39-1031dd183f54352f4b2131f6;Root=1-696d3b39-2300bd2c11f8cbc63da11bf4

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

19

X-Intuit-Upstream-Locality-Region

Other

us-west-2

X-Request-Id

Other

Self=1-696d3b39-1031dd183f54352f4b2131f6;Root=1-696d3b39-2300bd2c11f8cbc63da11bf4

X-Spanid

Other

8d15dbf3-9245-58c8-6766-0f5566a44336

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology