HTTP Headers Analysis for https://findquickbookshelp.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Cache-Control

Caching

private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate

Etag

Caching

W/"fefa-I4seQ7QM8FmT3Aq260SVJoN8Mtg"

Expires

Caching

-1

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

65274

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

hosted-shell=%7B%22clientId%22%3A%2229eae997-963e-4ee2-bb29-a731aef10ea4%22%7D; Path=/; Expires=Sat, 19 Jan 2036 03:24:47 GMT; HttpOnly; Secure

Other Headers

11 headers

Content-Security-Policy-Report-Only

Other

connect-src https://api.segment.io 'self' https://*.intuit.com https://*.intuit.com:* https://*.intuitcdn.net:* https://hosted-shell-assets-us-west-2.s3.us-west-2.amazonaws.com wss://plugin-localhost.intuitcdn.net:* wss://plugin.intuitcdn.net:* https://*.intuit.net consent.intuit.apps.com consent.intuit.quickbooksconnect.com; default-src 'self' https://*.intuit.com https://*.intuitcdn.net:*; font-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; frame-src https://*.intuitcdn.net https://*.intuit.com; img-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; object-src 'self' https://*.intuitcdn.net https://*.intuit.com; report-uri https://csp.intuit.com/v1/8073845824298273361; script-src https://cdn.segment.io https://cdn.segment.com 'self' https://*.intuit.com https://*.intuitcdn.net:*; style-src 'self' https://*.intuitcdn.net:* https://*.intuit.com; worker-src 'self' blob:;

Date

Other

Wed, 21 Jan 2026 03:24:47 GMT

Intuit_tid

Other

Self=1-697046ff-1918e5313b62134743a51574;Root=1-697046ff-0c5c4afd5336260622bf34d2

Server-Timing

Other

pluginConfigs;dur=0.38,appMw;dur=0.02,ixpAssignments;dur=0.02,appPostAuthMw;dur=0.02,shellServiceMw;dur=2.84,totalMwExecTime;dur=12.89

X-Amzn-Trace-Id

Other

Self=1-697046ff-1918e5313b62134743a51574;Root=1-697046ff-0c5c4afd5336260622bf34d2

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

23

X-Intuit-Upstream-Locality-Region

Other

us-west-2

X-Request-Id

Other

Self=1-697046ff-1918e5313b62134743a51574;Root=1-697046ff-0c5c4afd5336260622bf34d2

X-Spanid

Other

0ad58e42-d5d7-1003-f01a-728b42113d7f

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology