HTTP Headers Analysis for https://language.azure.com

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Good

base-uri; default-src; frame-ancestors; +11 more

base-uri 'none';default-src 'none';frame-ancestors 'self'; frame-src 'self' https://login.microsoftonline.com/;form-action 'none';upgrade-insecure-requests;style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.css;script-src 'self' 'nonce-MjYxODUyMjExNjcxMjA2ODI0MjYwNzIxNjQyMzQyNDcxMDcxMTk4ODM3' 'report-sample' 'unsafe-inline' *.azurewebsites.net https://cdn.jsdelivr.net/npm/[email protected]/min/vs/base/worker/workerMain.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/loader.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.nls.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/basic-languages/csharp/csharp.js;font-src 'self' * data: https://cdn.jsdelivr.net/npm/[email protected]/min/vs/base/browser/ui/codicons/codicon/codicon.ttf https://spoppe-b.azureedge.net/files/fabric-cdn-prod_20210407.001/assets/icons/fabric-icons-13-c3989a02.woff https://spoppe-b.azureedge.net/files/fabric-cdn-prod_20210407.001/assets/icons/fabric-icons-3-089e217a.woff https://spoppe-b.azureedge.net/files/fabric-cdn-prod_20210407.001/assets/icons/fabric-icons-8-6fdf1528.woff;img-src * data:;connect-src *.exp-tas.com *.azure.com *.cognitive.microsofttranslator.com *.microsoft.com *.microsoftonline.com *.blob.core.windows.net management.azure.com consentreceiverfd-prod.azurefd.net dc.services.visualstudio.com *.luis.ai language.azure.com language.cognitive.azure.com *.cognitive.microsoft.com *.cognitiveServices.azure.com https://cdn.jsdelivr.net/npm/[email protected]/min/vs/loader.js *.cognitiveservices.azure.com;media-src 'self';script-src-elem 'self' 'nonce-MjYxODUyMjExNjcxMjA2ODI0MjYwNzIxNjQyMzQyNDcxMDcxMTk4ODM3' 'report-sample' *.azurewebsites.net *.googleapis.com https://cdn.jsdelivr.net/npm/[email protected]/min/vs/base/worker/workerMain.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/loader.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.nls.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/basic-languages/csharp/csharp.js;worker-src 'self' 'nonce-MjYxODUyMjExNjcxMjA2ODI0MjYwNzIxNjQyMzQyNDcxMDcxMTk4ODM3' 'report-sample' * blob: https://cdn.jsdelivr.net/npm/[email protected]/min/vs/loader.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.nls.js https://cdn.jsdelivr.net/npm/[email protected]/min/vs/basic-languages/csharp/csharp.js

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Strengthen CSP by removing 'unsafe-eval'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

0 headers

No caching headers found

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

ARRAffinitySameSite=251713a3670669a2347c83bc0d84771de48ec74a2bdedef060afe0819af03e24;Path=/;HttpOnly;SameSite=None;Secure;Domain=language.cognitive.azure.com