HTTP Headers Analysis for https://getveriswap.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000

Content-Security-Policy

Basic

default-src; connect-src; script-src; +10 more

default-src 'self'; connect-src 'self' http://127.0.0.1:9100 https://*.googleapis.com https://*.typesense.net https://veriswap.com https://apis.google.com https://veriswap-backend-284186565927.us-central1.run.app https://veriswap-backend-689107296832.us-central1.run.app https://us-central1-veriswap-staging.cloudfunctions.net https://us-central1-veriswap-44297.cloudfunctions.net https://*.google-analytics.com https://veriswapsupport.zendesk.com wss://*.firebaseio.com https://*.firebaseio.com https://*.clarity.ms https://*.mixpanel.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com wss://*.hotjar.io https://*.cookiebot.com https://www.google.com data:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.googletagmanager.com https://*.googleapis.com https://*.firebaseio.com https://apis.google.com https://*.cookiebot.com https://*.clarity.ms https://*.google.com https://www.gstatic.com https://*.hotjar.com; worker-src 'self' blob: https://*.google.com; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob: file:; font-src 'self' https://fonts.gstatic.com https://*.gstatic.com data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self' https://*.google.com https://*.facebook.com https://*.apple.com https://*.veriswap.com https://*.vercel.app; frame-src 'self' blob: https://*.googlesyndication.com https://*.googleapis.com https://apis.google.com https://*.veriswap.com https://veriswap-web-git-dev-veriswap.vercel.app https://*.firebaseio.com https://*.cookiebot.com https://*.google.com; report-to temp-csp-report;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch

Caching Headers

3 headers

Age

Caching

232

Cache-Control

Caching

public, max-age=0, must-revalidate

Etag

Caching

"pfip0qjiwt1iqk"

Content Headers

2 headers

Content-Length

Content

70940

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

Vercel

X-Powered-By

Server

Next.js

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

7 headers

Date

Other

Mon, 01 Dec 2025 02:44:06 GMT

Report-To

Other

{"group":"temp-csp-report","max_age":10886400,"endpoints":[{"url":"/api/temp-csp-report"}]}

X-Matched-Path

Other

/

X-Nextjs-Prerender

Other

1

X-Nextjs-Stale-Time

Other

300

X-Vercel-Cache

Other

HIT

X-Vercel-Id

Other

iad1::cle1::c4w9n-1764583179784-acd006eb7021

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology