HTTP Headers Analysis for https://hellosells.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

upgrade-insecure-requests; default-src; object-src; +11 more

upgrade-insecure-requests; default-src 'self'; object-src 'self'; sandbox allow-presentation allow-scripts allow-same-origin allow-popups allow-forms allow-popups-to-escape-sandbox allow-downloads; frame-ancestors 'none'; form-action https://www.facebook.com/tr/; base-uri 'self';img-src 'self' https://storage.googleapis.com/branddesignmanager/hellosells/images/ https://storage.chatsupport.co/files/ https://i.vimeocdn.com/video/ https://www.google-analytics.com/collect https://www.google.com/ads/ https://www.google.co.in/ads/ https://storage.googleapis.com/livesupport/chat/ https://hn.inspectlet.com/ https://avatar.anywhere.app/files/ https://px.ads.linkedin.com/ https://ssl.google-analytics.com/ https://p.adsymptotic.com/d/px/ https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://storage.googleapis.com/clientaccess/ https://googleads.g.doubleclick.net/pagead/ https://www.google.co.in/pagead/ https://www.google.com/pagead/ https://*.chatsupport.co https: ;script-src 'self' 'nonce-426ac664d1c14ae8a36f532e23fdcdf2' 'unsafe-eval' https://storage.googleapis.com/clientaccess/ https://storage.googleapis.com/branddesignmanager/ https://player.vimeo.com/api/player.js https://unpkg.com/swiper@7/swiper-bundle.min.js https://unpkg.com/scroll-out/dist/scroll-out.min.js https://app.chatsupport.co/api/client/get/script/ https://www.googletagmanager.com/gtag/ https://www.google-analytics.com https://cdn.segment.com/analytics.js/v1/6yQQxLfVniv88puPdqepTzfgc17Cn7eh/analytics.min.js https://cdn.inspectlet.com/inspectlet.js https://accounts.google.com/gsi/client https://signup.staging.hellosells.com/leadRegistration https://signup.hellosells.com/ https://my.setmore.com/ https://ajax.googleapis.com/ https://hellosellssales.setmore.com/https://ssl.google-analytics.com/ga.js https://www.googletagmanager.com/gtm.js https://33939.tctm.co/t.js https://cdn.callrail.com/companies/181821283/b10acb52a47799c0bce1/12/swap.js https://b5a6f2843ca04ae683570ecd11c7a8f5.js.ubembed.com/ https://assets.ubembed.com/universalscript/releases/v0.179.0/bundle.js https://bat.bing.com/bat.js https://connect.facebook.net/en_US/fbevents.js https://d1l6p2sc9645hc.cloudfront.net/tracker.js https://www.clickcease.com/monitor/stat.js https://connect.facebook.net/signals/ https://data.gosquared.com/ https://chat.gosquared.com/chat https://data2.gosquared.com/ https://www.clickcease.com/monitor/cccontrack.js https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.6/purify.min.js https://bat.bing.com/ https://*.smartlook.com https://*.smartlook.cloud https://js.callrail.com https://*.adroll.com https://d.adroll.mgr.consensu.org https://script.tapfiliate.com https://assets.ubembed.com/universalscript/releases/v0.179.1/bundle.js https://*.clarity.ms/ https://www.googletagmanager.com/debug/ https://www.googleanalytics.com https://www.googleoptimize.com https://*.microsoft.com/clarity/ https://*.clarity.ms/ https://*.googleadservices.com https://www.googleadservices.com/pagead/ https://googleads.g.doubleclick.net/pagead/ https://videoask.com/embed/embed.js https://snap.licdn.com/li.lms-analytics/insight.old.min.js https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js https://*.chatsupport.co https://assets.hellosells.com/common/js/ blob: https://js.sentry-cdn.com/ https://browser.sentry-cdn.com/ https://assets.setmore.com/ https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@3/dist/fp.min.js https://unpkg.com/@fingerprintjs/[email protected]/dist/fp.min.js ;frame-src 'self' https://player.vimeo.com/ https://veronicacontreras.setmore.com/ https://hellosellssales.setmore.com/ https://accounts.google.com/ https://www.googletagmanager.com/ https://cdnjs.cloudflare.com https://www.facebook.com/ https://optimize.google.com https://www.youtube.com/ https://*.setmore.com/ https://widget.trustpilot.com/ https://www.videoask.com/ https://join.hellosells.com/ ;connect-src 'self' https://www.google.com/ccm/ https://px.ads.linkedin.com/ https://o151188.ingest.us.sentry.io/ https://api.chatsupport.co/api/ wss://rtmserver.anywhereworks.com/ wss://ws.inspectlet.com/ https://*.google-analytics.com/ https://analytics.google.com/g/collect https://stats.g.doubleclick.net/ https://hellosellssales.setmore.com/ https://api.segment.io/v1/p https://hn.inspectlet.com/ https://api.segment.io/v1/m https://accounts.google.com/gsi/ https://hooks.zapier.com/hooks/catch/ https://bat.bing.com/actionp/ https://dc.ads.linkedin.com/collect/ https://monitor.clickcease.com/ https://signup.staging.hellosells.com https://signup.hellosells.com https://*.smartlook.com https://*.smartlook.cloud https://js.callrail.com https://www.youtube.com/ https://*.clarity.ms/ https://adservice.google.com/ https://www.google.com/pagead/ https://frstre.com/ https://api.videoask.com/forms/sharing/fxsjwe2j5 https://cdn.linkedin.oribi.io/partner/667882/domain/hellosells.com/token https://*.chatsupport.co https://storage.staging.hellosells.com/app https://storage.hellosells.com/app https://storage.googleapis.com/stag-fullstorage https://storage.googleapis.com/fullstorage wss://rtmserver.anywhereworks.com/ https://api.chatsupport.co/ wss://stagingrtm.anywhereworks.com https://o151188.ingest.sentry.io/ https://www.googletagmanager.com/ ;style-src 'self' 'unsafe-inline' https://storage.googleapis.com/branddesignmanager/hellosells/css/vendor/jquery.bxslider.css https://unpkg.com/swiper@7/swiper-bundle.min.css https://storage.googleapis.com/branddesignmanager/hellosells/css/vendor/jquery.bxslider.css https://fonts.googleapis.com/css https://storage.googleapis.com/branddesignmanager/hellosells/css/style-update.css https://storage.googleapis.com/branddesignmanager/hellosells/css/ https://accounts.google.com/gsi/style https://fonts.googleapis.com/ https://hellosellssales.setmore.com/ https://storage.googleapis.com/clientaccess/ https://www.googletagmanager.com/debug/ https://optimize.google.com https://fonts.googleapis.com https://my.setmore.com/ https://assets.setmore.com/;media-src 'self' https://storage.googleapis.com/livesupport/chat/sounds/new-incoming-chat.wav https://assets.hellosells.com/hellosells/website/audio/ https://assets.chatsupport.co/chat/sounds/new-incoming-chat.wav https://player.vimeo.com/external/363031257.hd.mp4 https://media.videoask.com/ https://*.chatsupport.co;font-src 'self' https://fonts.gstatic.com/s/ https://storage.googleapis.com/livesupport/ https://use.typekit.net https://assets.hellosells.com/hellosells/website/fonts/ https://fonts.gstatic.com data: ;

X-Frame-Options

Good

sameorigin

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding, User-Agent

Caching Headers

3 headers

Cache-Control

Caching

private

Expires

Caching

Thu, 01 Jan 1970 00:00:00 GMT

Last-Modified

Caching

Fri Jan 16 12:41:55 UTC 2026

Content Headers

3 headers

Content-Language

Content

en-US

Content-Length

Content

210122

Content-Type

Content

text/html;charset=iso-8859-1

Server Headers

1 headers

Server

Google Frontend

CORS Headers

3 headers

Access-Control-Allow-Headers

Cors

Origin, Content-Type, Accept, sentry-trace, baggage

Access-Control-Allow-Methods

Cors

GET

Access-Control-Allow-Origin

Cors

https://www.hellosells.com

Cookies Headers

1 headers

Set-Cookie

Cookies

JSESSIONID=4TWnyPBo1TE0JRywErjYqA; Path=/; Secure

Other Headers

5 headers

Date

Other

Fri, 16 Jan 2026 12:41:56 GMT

Reflected-Xss

Other

0

Resp-Time

Other

1768567315967

X-Cloud-Trace-Context

Other

5165ceca7e04fc090f1f7df177571e0d;o=1

X-Permitted-Cross-Domain-Policies

Other

none

Recommendations

Enable compression (gzip/brotli) to improve performance