HTTP Headers Analysis for https://findquickbookssupport.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Cache-Control

Caching

private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate

Etag

Caching

W/"ff43-5JhUgMEY+6p5RRdQ+N508wJZaGc"

Expires

Caching

-1

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

65347

Content-Type

Content

text/html;charset=utf-8

Server Headers

2 headers

Server

nginx

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

hosted-shell=%7B%22clientId%22%3A%22545c9c23-f79f-4f65-b3f1-ac885fd79698%22%7D; Path=/; Expires=Sun, 03 Feb 2036 13:08:16 GMT; HttpOnly; Secure

Other Headers

10 headers

Content-Security-Policy-Report-Only

Other

connect-src https://api.segment.io 'self' https://*.intuit.com https://*.intuit.com:* https://*.intuitcdn.net:* https://hosted-shell-assets-us-west-2.s3.us-west-2.amazonaws.com wss://plugin-localhost.intuitcdn.net:* wss://plugin.intuitcdn.net:* https://*.intuit.net consent.intuit.apps.com consent.intuit.quickbooksconnect.com; default-src 'self' https://*.intuit.com https://*.intuitcdn.net:*; font-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; frame-src https://*.intuitcdn.net https://*.intuit.com; img-src data: 'self' https://*.intuit.com https://*.intuitcdn.net:*; object-src 'self' https://*.intuitcdn.net https://*.intuit.com; report-uri https://csp.intuit.com/v1/8073845824298273361; script-src https://cdn.segment.io https://cdn.segment.com 'self' https://*.intuit.com https://*.intuitcdn.net:*; style-src 'self' https://*.intuitcdn.net:* https://*.intuit.com; worker-src 'self' blob:;

Date

Other

Thu, 05 Feb 2026 13:08:16 GMT

Intuit_tid

Other

Self=1-69849640-41527ef73ce7f0194d4aa523;Root=1-69849640-5975dad07575b696673e30f4

Server-Timing

Other

pluginConfigs;dur=0.23,appMw;dur=0.08,ixpAssignments;dur=0.04,appPostAuthMw;dur=0.05,shellServiceMw;dur=1.91,totalMwExecTime;dur=13.39

X-Amzn-Trace-Id

Other

Self=1-69849640-41527ef73ce7f0194d4aa523;Root=1-69849640-5975dad07575b696673e30f4

X-Dns-Prefetch-Control

Other

off

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

19

X-Request-Id

Other

Self=1-69849640-41527ef73ce7f0194d4aa523;Root=1-69849640-5975dad07575b696673e30f4

X-Spanid

Other

563cf3e3-fda6-e487-9f21-b65b34a60407

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology