Open
Cached
·
just now
20
Headers
HTTP Security Headers
Status
Strict-Transport-Security
Missing
Not configured
Content-Security-Policy
Basic
default-src; child-src; connect-src; +8 more
default-src https 'self'; child-src * data: blob:; connect-src 'self' blob: www.dropbox.com api.dropboxapi.com s3.amazonaws.com/gumroad s3.amazonaws.com/gumroad/ s3.amazonaws.com/gumroad-public-storage s3.amazonaws.com/gumroad-public-storage/ gumroad-public-storage.s3.amazonaws.com gumroad-public-storage.s3.amazonaws.com/ www.google.com www.gstatic.com *.facebook.com *.facebook.net *.google-analytics.com *.g.doubleclick.net *.googletagmanager.com analytics.google.com *.analytics.google.com files.gumroad.com/ d1bdh6c3ceakz5.cloudfront.net/ *.braintreegateway.com www.paypalobjects.com *.paypal.com *.braintree-api.com iframe.ly help.gumroad.com gumroad.com wss://cable.gumroad.com assets.gumroad.com; font-src * data: blob:; frame-src * data: blob:; img-src * data: blob:; media-src * data: blob:; object-src * data: blob:; script-src 'self' 'unsafe-eval' ajax.cloudflare.com static.cloudflareinsights.com js.stripe.com api.stripe.com connect-js.stripe.com *.braintreegateway.com *.braintree-api.com www.paypalobjects.com *.paypal.com *.google-analytics.com *.googletagmanager.com optimize.google.com www.googleadservices.com www.google.com www.gstatic.com *.facebook.net *.facebook.com www.dropbox.com s.ytimg.com cdn.iframe.ly platform.twitter.com cdn.jwplayer.com *.jwpcdn.com gumroad.us3.list-manage.com analytics.twitter.com help.gumroad.com unpkg.com/@lottiefiles/lottie-player@latest/ gumroad.com assets.gumroad.com 'nonce-ZtDHCqWW3Q4+JeTnuSnCSy8dLmNKppTVf1y+Dlw3RCw=' 'unsafe-inline'; style-src 'self' 'unsafe-inline' s.ytimg.com optimize.google.com fonts.googleapis.com assets.gumroad.com; worker-src * data: blob:
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- • Add Strict-Transport-Security header with max-age of at least 1 year
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- • Consider adding Permissions-Policy to control browser features
Performance Headers
2 headers
Connection
Performance
close
Vary
Performance
Origin
Caching Headers
2 headers
Cache-Control
Caching
max-age=0, private, must-revalidate
Etag
Caching
W/"91991bbe3fc5c204cf329f1f06ecd7dd"
Content Headers
2 headers
Content-Length
Content
9304
Content-Type
Content
text/html; charset=utf-8
Server Headers
2 headers
Server
Server
openresty/1.19.9.1
X-Runtime
Server
0.041007
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 headers
Set-Cookie
Cookies
XSRF-TOKEN=aKhvucMDPFFVs7H7CfPsn7vK_T7W_V5B1Fvl7WjDIdi_lU2O8BCNFWw_mWaPwQIJY2B8_PsKAojum12nXbMyog; path=/; samesite=lax; HttpOnly
Other Headers
8 headers
Date
Other
Thu, 15 Jan 2026 14:12:38 GMT
Link
Other
<https://assets.gumroad.com/packs/css/design-5d6d6ab3.css>; rel=preload; as=style; crossorigin=anonymous; nopush,<https://assets.gumroad.com/assets/application-cbf244e9109e70d7b04497041636f00173a1e588f9b879b3a3ef11f8dfb86e5c.js>; rel=preload; as=script; nopush
X-Download-Options
Other
noopen
X-Gr
Other
PROD
X-Original-Headers-Class
Other
Rack::Headers
X-Permitted-Cross-Domain-Policies
Other
none
X-Request-Id
Other
fd155dd4-039d-437e-a1f1-61c6b6628f57
X-Revision
Other
fbf50eb3d2e7
Recommendations
Enable compression (gzip/brotli) to improve performance