HTTP Headers Analysis for https://hotels.airnewzealand.com.au

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=7776000; includeSubDomains;

Content-Security-Policy

Weak

frame-ancestors

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Significantly strengthen CSP directives
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

4 headers

Connection

Performance

Transfer-Encoding

Content-Encoding

Performance

gzip

Transfer-Encoding

Performance

chunked

Vary

Performance

accept-encoding

Caching Headers

1 headers

Cache-Control

Caching

no-cache, no-store, must-revalidate

Content Headers

3 headers

Content-Encoding

Content

gzip

Content-Language

Content

en-AU

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

istio-envoy

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

bm_so=2554449CABF4EC894572213DA67C073287CF03EA9EC380794C5C80889A9EE8A9~YAAQUcgwFwvIkzeaAQAAMa+RXwWPk4ASP77XtdJaVG57gLF7t+0CFKIzGx04boW4up/veP8tjs/cHaxc3QquzuHwoLIJRDHPBuzixkD0yQ/Fgs01mXeAlzDT8TDxai6XpQXyCYzU/+tJgnXC+VuRsXPIlc3zGWTuGr7V8pF0MLa7ZntsjUf1I1sFEtrBw3DIHXVxyfn7Wy2mAakduoAHNSpKz6mWM+MiFsUQSwNSUn/iodMLm5tYw70Cm48nNsZunufu3c0p7o155UpCdRPpnh5u2F6wNMThP54a8Gej9PYHG9VabRXXWtrXWQGX+vJcdaQMF6uSecWFK0F6992las7I0Ww00sgjHreQA2ZFAFGv7eYGP2SNC6VY6x58K7IPhExm9IqlmWcq8NJHip10h14x/5/EBUf6XDsZP4OIHVBtvkWAD8Q8wxBAkgVc1sOJmXn92lL0ntzDQqGHRXGcjDMJMih/0JQ=; Domain=.airnewzealand.com.au; Path=/; Expires=Sat, 08 Nov 2025 18:26:14 GMT; Max-Age=86400; Secure

Other Headers

12 headers

Ctx-View-Id

Other

918deb10-6234-4a58-a870-14d58c1959a2

Date

Other

Fri, 07 Nov 2025 18:26:14 GMT

Trace-Id

Other

efcf8662-77e6-4401-b376-c06be1311fdb

X-Akamai-Reference-Id

Other

0.51c83017.1762539974.79a8efe1

X-App-Info

Other

captcha-pwa,3ee2ad6f4236b3f9f6a59005e94d20264a7b6f0b

X-B3-Traceid

Other

efcf866277e64401b376c06be1311fdb

X-Cgp-Info

Other

noJvmRouteSet;3e427110-bc07-11f0-b467-0242bbf55ef9

X-Download-Options

Other

noopen

X-Envoy-Upstream-Service-Time

Other

28

X-Hcom-Origin-Id

Other

wildcard-challenge-handler

X-Page-Id

Other

wildcard-challenge-handler

X-Permitted-Cross-Domain-Policies

Other

none

Recommendations

No recommendations at this time