13 Headers
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=63072000; includeSubDomains; preload
Content-Security-Policy
Good
default-src; script-src; style-src; +12 more
default-src 'self' https://static.zensourcer.com/scripts/ https://static.gem.com/; script-src https://cdnjs.cloudflare.com/ https://www.amcharts.com/lib/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://fullstory.com/s/ https://edge.fullstory.com/s/ https://rs.fullstory.com/ https://cdn.ravenjs.com/ https://cdn.jsdelivr.net/npm/[email protected]/ https://cdn.jsdelivr.net/npm/[email protected]/ https://cdn.jsdelivr.net/npm/[email protected]/ https://d2yyd1h5u9mauk.cloudfront.net/integrations/web/v1/library/ https://analytics.gem.com/analytics.js/v1/ https://analytics.gem.com/analytics-next/bundles/ https://analytics.gem.com/next-integrations/integrations/ https://analytics.gem.com/next-integrations/actions/ https://analytics.gem.com/v1/projects/JKD3SUhVtD793LSLlVwMceRSpf5j9NOe/settings https://boards.greenhouse.io/ https://data.nuxguides.gem.com/ https://content.nuxguides.gem.com/ https://pendo-io-static.storage.googleapis.com https://pendo-static-5669404840427520.storage.googleapis.com https://static.zdassets.com/ https://widget-mediator.zopim.com/ https://www.googletagmanager.com/ https://cdn.amplitude.com/ https://app.getmacha.com https://connect.facebook.net/en_US/sdk.js https://static.zensourcer.com/scripts/ https://static.gem.com/ 'nonce-OCnXA4hpSRRWQsj2yM6gERkn5UBGoVOE7qFELA0R7ZMgQuZpb1LdbLRDAp3Ix3QT57XvBlggC0r6qA1wxFH4MA' about: 'report-sample' https://hcaptcha.com https://*.hcaptcha.com https://js.hs-scripts.com/ https://js.hs-analytics.net/ https://js.hsadspixel.net/fb.js https://snap.licdn.com/li.lms-analytics/insight.min.js https://connect.facebook.net/ https://cdnjs.cloudflare.com/ https://www.google-analytics.com/ https://a.omappapi.com; style-src https://cdnjs.cloudflare.com/ https://maxcdn.bootstrapcdn.com/ https://fonts.googleapis.com/ https://www.amcharts.com/lib/ https://unpkg.com/ https://use.fontawesome.com/releases/ https://cdn.jsdelivr.net/npm/[email protected]/ https://data.nuxguides.gem.com/ https://content.nuxguides.gem.com/ 
https://pendo-static-5669404840427520.storage.googleapis.com https://www.googletagmanager.com/ https://app.getmacha.com/app/styles.css https://usercontent.zscdn.net/fonts/ https://static.zensourcer.com/scripts/ https://static.gem.com/ 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com https://cdnjs.cloudflare.com/; img-src 'self' https: data: blob:; font-src 'self' https://static.gem.com/ https://maxcdn.bootstrapcdn.com/ 'self' https://fonts.gstatic.com/ https://use.fontawesome.com/releases/ https://usercontent.zscdn.net/fonts/ data:; connect-src https: wss://widget-mediator.zopim.com/ https://data.nuxguides.gem.com/ https://pendo-static-5669404840427520.storage.googleapis.com http://www.testglobal.net/ data: blob: https://hcaptcha.com https://*.hcaptcha.com; frame-src 'self' https://hire.lever.co https://*.avature.net https://boards.greenhouse.io/ https://hcaptcha.com https://*.hcaptcha.com https://bid.g.doubleclick.net/; manifest-src 'self' https://static.zensourcer.com/scripts/ https://static.gem.com/; media-src https://static.zensourcer.com/scripts/ https://static.gem.com/ https://static.zdassets.com/web_widget/; worker-src blob: https://static.zensourcer.com/scripts/ https://static.gem.com/; report-uri /api/csp_log; child-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self' https://*.linkedin.com
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Missing
Not configured
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- Strengthen CSP by removing 'unsafe-eval'
- Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
Performance Headers
1 header
Connection
Performance
close
Caching Headers
0 headers
No caching headers found
Content Headers
2 headers
Content-Length
Content
13285
Content-Type
Content
text/html; charset=utf-8
Server Headers
1 header
Server
Server
Heroku
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 header
Set-Cookie
Cookies
session=LgbJN1F_4_jvwSDAJQAs4s9OaXRgcln2ox6z5J42tKYQf35RZ0pnL-ldL6o-RcJc8UMd5altMIkeXOhcKo_NNQ; Expires=Fri, 30 Jan 2026 04:43:49 GMT; Secure; HttpOnly; Path=/; SameSite=None
Other Headers
6 headers
Date
Other
Wed, 31 Dec 2025 04:43:49 GMT
Nel
Other
{"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Report-To
Other
{"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=FdzX2QBKIqzLpU4Q5yhur13rg7vrr3VVBieiuHLR55w%3D\u0026sid=1b10b0ff-8a76-4548-befa-353fc6c6c045\u0026ts=1767156229"}],"max_age":3600}
Reporting-Endpoints
Other
heroku-nel="https://nel.heroku.com/reports?s=FdzX2QBKIqzLpU4Q5yhur13rg7vrr3VVBieiuHLR55w%3D&sid=1b10b0ff-8a76-4548-befa-353fc6c6c045&ts=1767156229"
Via
Other
1.1 heroku-router
X-Request-Id
Other
93406fc0-8117-5dcf-ca32-f71f3529825b
Recommendations
- Enable compression (gzip/brotli) to improve performance
- Add Cache-Control header to optimize caching