HTTP Headers Analysis for https://hiboop.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=2592000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; style-src; +8 more

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.hsforms.net https://js.hs-scripts.com https://js.hs-analytics.net https://static.hsappstatic.net https://www.googletagmanager.com https://www.google-analytics.com https://www.gstatic.com https://www.google.com https://analytics.google.com https://snap.licdn.com https://www.clarity.ms https://scripts.clarity.ms https://assets.apollo.io https://googleads.g.doubleclick.net https://js.hubspot.com https://js.hsadspixel.net https://js.hscollectedforms.net https://js.hs-banner.com https://connect.facebook.net https://www.facebook.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static.hsappstatic.net; img-src 'self' data: blob: https://cdn.sanity.io https://*.web.app https://track.hubspot.com https://forms.hsforms.com https://static.hsappstatic.net https://www.google-analytics.com https://www.google.com https://www.google.ca https://px.ads.linkedin.com https://perf-na1.hsforms.com https://c.clarity.ms https://www.facebook.com; font-src 'self' https://fonts.gstatic.com https://static.hsappstatic.net; connect-src 'self' https://forms.hubspot.com https://api.hubapi.com https://track.hubspot.com https://forms.hsforms.com https://api.hsforms.com https://forms.hscollectedforms.net https://cta-service-cms2.hubspot.com https://calendar.google.com ws://localhost:* wss://localhost:* https://*.api.sanity.io https://*.apicdn.sanity.io https://*.sanity.studio wss://*.api.sanity.io wss://*.apicdn.sanity.io wss://*.sanity.studio https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://www.google.com https://stats.g.doubleclick.net https://px.ads.linkedin.com https://snap.licdn.com https://aplo-evnt.com https://static.hsappstatic.net https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://v.clarity.ms https://www.clarity.ms; frame-src 'self' https://forms.hsforms.com https://meetings.hubspot.com https://calendar.google.com https://www.youtube.com; frame-ancestors 'self' https://*.sanity.studio http://localhost:3333; base-uri 'self'; form-action 'self' https://forms.hsforms.com https://api.hsforms.com; upgrade-insecure-requests

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

camera=(), microphone=(), geolocation=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'

Performance Headers

4 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

cookie,need-authorization, x-fh-requested-host, accept-encoding

Caching Headers

1 headers

Cache-Control

Caching

private

Content Headers

1 headers

Content-Type

Content

text/html;charset=utf-8

Server Headers

2 headers

Server

cloudflare

X-Powered-By

Server

Nuxt

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

14 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9c43f6626e311366-IAD

Date

Other

Mon, 26 Jan 2026 23:59:09 GMT

Nel

Other

{"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}

Report-To

Other

{"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=eQ97374EXs%2BdeREfX7E5%2BDrMgcgSdWdey6OEH9VTaLyfb8UtRkTUbSY4g%2Bq%2BLo5Ar0EUSc5TKn68izbBFYw4aMJJ26mC8U%2BC"}]}

Server-Timing

Other

cfEdge;dur=13,cfOrigin;dur=263

X-Cache

Other

MISS

X-Cache-Hits

Other

0

X-Cloud-Trace-Context

Other

48203fe0d5b0ba5124c6dfc9bce175ed;o=1

X-Country-Code

Other

US

X-Robots-Tag

Other

index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1

X-Served-By

Other

cache-iad-kiad7000110-IAD

X-Timer

Other

S1769471949.202363,VS0,VE258

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology