HTTP Headers Analysis for https://help.gyazo.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000; preload

Content-Security-Policy

Basic

connect-src; default-src; font-src; +7 more

connect-src 'self' https://storage.googleapis.com www.google-analytics.com https://o22822.ingest.sentry.io https://analytics.google.com https://*.helpfeel.com https://helpfeel.com wss://*.intercom.io https://*.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://cf.channel.io https://api.channel.io wss://ws.channel.io https://bs.nakanohito.jp http://cs.nakanohito.jp https://collect.ptengine.jp https://*.force.com https://stats.g.doubleclick.net https://mirror2.karte.io wss://mirror-socket2.karte.io https://forms.hubspot.com *.karte.io https://ekr.zdassets.com https://static.zdassets.com https://okage.zendesk.com;default-src 'self';font-src 'self' data: https://fonts.gstatic.com https://js.intercomcdn.com https://c1.sfdcstatic.com https://fonts.googleapis.com;form-action 'self' *;frame-src 'self' www.google.com www.youtube.com player.vimeo.com https://helpfeel.com https://pdfjs.helpfeel.com faq.sonysonpo.co.jp https://share.intercom.io https://intercom-sheets.com https://www.intercom-reporting.com https://fast.wistia.net https://platform.twitter.com https://social-plugins.line.me https://connect.facebook.net https://www.facebook.com https://bid.g.doubleclick.net https://service.force.com *.karte.io;img-src * data: blob:;media-src *;script-src 'self' www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com https://storage.googleapis.com/helpfeel-custom-projects/ https://custom-assets.helpfeel.com/ browser.sentry-cdn.com www.googletagmanager.com https://analytics.google.com https://helpfeel.com 'unsafe-inline' 'unsafe-inline' *.karte.io 'unsafe-eval' https://*.intercom.io https://js.intercomcdn.com https://platform.twitter.com https://d.line-scdn.net https://connect.facebook.net cdn.channel.io https://www.youtube.com https://s.ytimg.com http://www.googleadservices.com https://googleads.g.doubleclick.net http://connect.facebook.net http://s.yimg.jp http://cs.nakanohito.jp http://js.ptengine.jp https://b97.yahoo.co.jp https://static.ads-twitter.com https://analytics.twitter.com https://*.salesforceliveagent.com https://*.my.salesforce.com https://static.lightning.force.com https://*.force.com https://cache.dga.jp https://www.iyobank.co.jp https://i39.dga.jp http://js.hs-scripts.com https://js.hsleadflows.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net b92.yahoo.co.jp *.sync.usonar.jp mk.desknets.com mk.chatluck.com pi.pardot.com https://static.zdassets.com https://info.stanby.com/;style-src 'self' 'unsafe-inline' https://storage.googleapis.com/helpfeel-custom-projects/ https://custom-assets.helpfeel.com/ https://fonts.googleapis.com https://*.force.com https://cache.dga.jp *.karte.io;worker-src 'self'

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

2 headers

Cache-Control

Caching

public, max-age=60, stale-while-revalidate=30

Etag

Caching

W/"e932-EBktvjZtTMaiZSuGLtSKaM9oge8"

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

7 headers

Cf-Cache-Status

Other

HIT

Cf-Ray

Other

9bd383ba7a3fea22-IAD

Date

Other

Tue, 13 Jan 2026 08:27:27 GMT

Nel

Other

{"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}

Report-To

Other

{"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=%2FZrpq2LkCZVLtFnASIUbCdW6epMtXjd7ltMqZ2jy6p0%3D\u0026sid=67ff5de4-ad2b-4112-9289-cf96be89efed\u0026ts=1768242353"}],"max_age":3600}

Reporting-Endpoints

Other

heroku-nel="https://nel.heroku.com/reports?s=%2FZrpq2LkCZVLtFnASIUbCdW6epMtXjd7ltMqZ2jy6p0%3D&sid=67ff5de4-ad2b-4112-9289-cf96be89efed&ts=1768242353"

Via

Other

1.1 heroku-router

Recommendations

Enable compression (gzip/brotli) to improve performance