HTTP Headers Analysis for https://m.facebook.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000; preload; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; style-src; +9 more

default-src blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src *.facebook.com *.fbcdn.net *.facebook.net 127.0.0.1:* 'nonce-BUQyYUJy' blob: 'self' connect.facebook.net 'unsafe-eval' https://*.google-analytics.com *.google.com;style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline' https://fonts.googleapis.com;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com *.instagram.com https://*.google-analytics.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com https://fonts.gstatic.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: *.whatsapp.net *.fb.com *.oculuscdn.com *.tenor.co *.tenor.com *.giphy.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/ https://www.googleadservices.com https://googleads.g.doubleclick.net https://*.google-analytics.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data: *.tenor.co *.tenor.com https://*.giphy.com;child-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net accounts.meta.com *.accounts.meta.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/ https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google.com https://td.doubleclick.net *.google.com *.doubleclick.net;manifest-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;object-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;worker-src blob: *.facebook.com data:;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

private, no-cache, no-store, must-revalidate

Expires

Caching

Sat, 01 Jan 2000 00:00:00 GMT

Pragma

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

application/xhtml+xml; charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

datr=2NtnaXUALudAHZ8e4ZuFisk7; expires=Thu, 18-Feb-2027 18:09:28 GMT; Max-Age=34560000; path=/; domain=.facebook.com; secure; httponly

Other Headers

12 headers

Accept-Ch

Other

viewport-width,dpr,Sec-CH-Prefers-Color-Scheme,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Platform-Version,Sec-CH-UA-Model

Accept-Ch-Lifetime

Other

4838400

Alt-Svc

Other

h3=":443"; ma=86400

Date

Other

Wed, 14 Jan 2026 18:09:28 GMT

Debug-Link

Other

https://www.meta.com/debug/?mid=ee38478ee76bf87e8ac9c166bf3b5cda

Document-Policy

Other

include-js-call-stacks-in-crash-reports

Error-Mid

Other

ee38478ee76bf87e8ac9c166bf3b5cda

Origin-Agent-Cluster

Other

?1

Report-To

Other

{"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":259200,"endpoints":[{"url":"https:\/\/m.facebook.com\/ajax\/mtouch_error_reports\/?device_level=unknown&brsid=7595281017883728490&cpp=C3&cv=1031992593&st=1768414168487"}]}

Reporting-Endpoints

Other

coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", default="https://m.facebook.com/ajax/mtouch_error_reports/?device_level=unknown&brsid=7595281017883728490&cpp=C3&cv=1031992593&st=1768414168487"

X-Fb-Connection-Quality

Other

EXCELLENT; q=0.9, rtt=21, rtx=0, c=10, mss=1368, tbw=3283, tp=-1, tpl=-1, uplat=146, ullat=0

X-Fb-Debug

Other

L8cfs0QVG6Pv6jML8hvFsburIQcSS5vMCr6NHrAGCU3KqYrnCZh2Xtb/k+YHsAnaLoG8h3Kge7JVNrXl/wtp2A==

Recommendations

Enable compression (gzip/brotli) to improve performance