HTTP Headers Analysis for https://mail.superhuman.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000; includeSubdomains

Content-Security-Policy

Good

object-src; worker-src; frame-ancestors; +9 more

object-src blob: https://media.superhumanapp.com https://media.superhuman.com; worker-src 'self' data: blob: https://mail.superhuman.com https://assets.mail.superhuman.com; frame-ancestors 'none'; default-src 'none'; manifest-src 'none'; script-src 'self' https://assets.mail.superhuman.com 'sha256-KZNf0Dw+P2+V7eMf/C62X/JFPdtVY2HsIwirp2JD1Es=' 'sha256-CKIAuKpRNZ4koXzMVEbikDsE3y9VNCyooraCCCUWC6A=' https://api.commandbar.com https://frames-commandbar-prod.commandbar.com https://cdn.commandbar.com https://edge.fullstory.com https://cdn.lrkt-in.com https://js.hsforms.net https://*.amplitude.com; style-src 'self' data: 'unsafe-inline' https://cdn.commandbar.com https://media.superhumanapp.com https://media.superhuman.com https://assets.mail.superhuman.com https://*.amplitude.com; connect-src blob: https://assets.mail.superhuman.com https://media.superhumanapp.com https://media.superhuman.com https://mail.superhuman.com chrome-extension://dcgcnpooblobhncpnddnhoendgbnglpn chrome-extension://eobaknjeikpchflggmklgggcodjgbagl superhuman-app://production https://accounts.superhuman.com https://www.google.com/m8/feeds/ https://people.googleapis.com/ https://places.googleapis.com/ https://gmail.googleapis.com/ https://content.googleapis.com https://www.googleapis.com/plus/ https://storage.googleapis.com/inbox-zero/2880x/ https://storage.googleapis.com/powerup-assets/ https://storage.googleapis.com/chrome-extension.superhuman.com/ https://greenhouse-powerup.herokuapp.com https://notify.bugsnag.com https://sessions.bugsnag.com https://graph.microsoft.com https://login.microsoftonline.com https://app.launchdarkly.com https://events.launchdarkly.com/ https://clientstream.launchdarkly.com https://api.commandbar.com https://t.commandbar.com https://edge.fullstory.com https://rs.fullstory.com https://r.lrkt-in.com https://forms.hsforms.com https://forms-na2.hsforms.com https://forms.hubspot.com https://hubspot-forms-static-embed.s3.amazonaws.com https://*.amplitude.com; font-src 'self' data: blob: https://media.superhumanapp.com https://media.superhuman.com https://assets.mail.superhuman.com; frame-src 'self' blob: https://media.superhumanapp.com https://media.superhuman.com superhuman: https://headway-widget.net https://frames-commandbar-prod.commandbar.com https://frames-editor-prod.commandbar.com https://api.commandbar.com https://forms.hsforms.com https://forms-na2.hsforms.com; img-src 'self' data: blob: https://media.superhumanapp.com https://media.superhuman.com https://assets.mail.superhuman.com https://docs.google.com https://drive.google.com https://*.googleusercontent.com https://storage.googleapis.com/inbox-zero/2880x/ https://storage.googleapis.com/powerup-assets/ https://notify.bugsnag.com https://sessions.bugsnag.com https://cdn.commandbar.com https://files.commandbar.com https://forms.hsforms.com https://forms-na2.hsforms.com https://*.amplitude.com; media-src 'self' data: blob: https://media.superhumanapp.com https://media.superhuman.com https://assets.mail.superhuman.com https://storage.googleapis.com/inbox-zero/ https://storage.googleapis.com/email-assets.superhuman.com/ https://*.amplitude.com;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

1 headers

Cache-Control

Caching

no-store

Content Headers

1 headers

Content-Type

Content

text/html

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

4 headers

Alt-Svc

Other

h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Date

Other

Fri, 16 Jan 2026 03:57:06 GMT

Service-Worker-Allowed

Other

/

Via

Other

1.1 google

Recommendations

Enable compression (gzip/brotli) to improve performance