HTTP Headers Analysis for https://m.cakemail.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000; includeSubdomains; preload

Content-Security-Policy

Good

frame-ancestors; base-uri; connect-src; +11 more

frame-ancestors 'none'; base-uri 'self'; connect-src 'self' https://next-gen-app-prod.web.app https://cakemail-app-admin-prod.web.app *.linkedin.com https://*.verisoul.ai wss://*.verisoul.ai *.yapla.com https://app.posthog.com ssgtm.cakemail.com googletagmanager.com e.cakemail.com ph.cake.io plausible.io *.profitwell.com https://grsm.io *.appcues.net *.appcues.com wss://api.appcues.net *.googleapis.com/ *.sentry.io *.pagepeeker.com *.locize.app *.getbee.io shttps://formbuilder.online *.cloudfunctions.net http://io.v2.customerlabs.co *.google.com *.doubleclick.net *.tapfiliate.com https://api.segment.io https://cdnsegment.cakemail.com/ https://partnerlinks.io https://app.prismatic.io; default-src 'self' 'strict-dynamic'; font-src 'self' https://next-gen-app-prod.web.app https://cakemail-app-admin-prod.web.app *.gstatic.com *.typekit.net data:; frame-src 'self' *.youtube.com *.vimeo.com *.wistia.com *.twitch.tv *.dailymotion.com *.google.com https://ckm-billing-prod.web.app/ https://td.doubleclick.net https://billing.cakemail.com https://mfa-portal-prod.web.app *.getbee.io https://screenshots.wbsrvc.com/ https://screenshots2.wbsrvcx.com/ *.locize.app/ https://storage.googleapis.com https://app.prismatic.io/; img-src 'self' data: *; manifest-src 'self'; media-src 'self'; object-src 'self' storage.googleapis.com *.wbsrvc.com *.wbsrvcx.com; report-uri https://6006f1a2937fe147894b8afa.endpoint.csper.io/ ; script-src 'report-sample' 'self' 'sha256-ZeCnt8bZ9qSqr/Zd0/02k9v0GB7HFQPldIDNeYBFG8U=' 'sha256-ddB4/YVQb844ZjK77Gi4M3iOjDxMoI2ypHGQEGA3iV0=' 'sha256-4QE6hgBPiYkpNwiabEiKre/wrGwtcDpj805VAc3xKzk=' 'sha256-/6SBPqW+GW+//4nlXX6Y1nR9dWlh0gsQJ6KK71djH6A=' 'sha256-kiKyLAbN0l8y2ws4CiL02c3ujz1GnZ2jyhnWTprjvWk=' 'sha256-+x5IRx3ijDq/+Mk2KI/OQeCMglCK+dfJWu3g9WHsqmU=' 'sha256-fntHcnwlXlbMDL5TVRi/rYBRJ1Fj2S5m3UaBAZaugag=' 'sha256-chpkbWBm6lsvfOJangBMTRAvpFaTORIibZimwWygIqg=' 'sha256-VG6d8KWtRUwiI/6pfcf7p5xx3vJlHDRKtxSd1pdrU0I=' *.gstatic.com https://js.verisoul.ai https://stripe-interface-stg.web.app https://stripe-interface-prod.web.app https://next-gen-app-stg.web.app https://next-gen-app-prod.web.app https://cakemail-app-admin-prod.web.app https://www.google.com/ https://ckm-cdp-analytics-stg.web.app e.cakemail.com ph.cake.io *.googletagmanager.com *.ssgtm.cakemail.com plausible.io https://cdnsegment.cakemail.com https://public.profitwell.com https://assets.customer.io *.ckeditor.com/ *.getbee.io/ *.googleapis.com/ *.google.com/ *.google.ca/ *.tapfiliate.com *.typekit.net http://fast.appcues.com https://connect.facebook.net http://cdn.js.customerlabs.co https://snap.licdn.com https://stats.g.doubleclick.net https://app.posthog.com; style-src 'self' https://stripe-interface-stg.web.app https://stripe-interface-prod.web.app https://next-gen-app-stg.web.app https://next-gen-app-prod.web.app https://cakemail-app-admin-prod.web.app https://ckm-cdp-analytics-stg.web.app https://fast.appcues.com 'report-sample' 'unsafe-inline' *.typekit.net *.ckeditor.com *.googleapis.com; worker-src blob:;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

1 headers

Connection

Performance

close

Caching Headers

5 headers

Cache-Control

Caching

no-cache, no-store, must-revalidate

Etag

Caching

"ff1144b4b787dadbc8d6443ac8ebc4d5"

Expires

Caching

0

Last-Modified

Caching

Tue, 13 Jan 2026 15:27:58 GMT

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

1981

Content-Type

Content

text/html

Server Headers

1 headers

Server

AmazonS3

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

5 headers

Date

Other

Wed, 14 Jan 2026 17:26:32 GMT

Via

Other

1.1 5072b2d5201c1f2f8d4d9135dcd39754.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

D3XSNrzJxfFNUuqazKxkBpXcl_Vwo2fWC5-4ITE84fTPhd81VZyXFQ==

X-Amz-Cf-Pop

Other

IAD61-P6

X-Cache

Other

Miss from cloudfront

Recommendations

Enable compression (gzip/brotli) to improve performance