HTTP Headers Analysis for https://matillion.com

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

1 headers

Cache-Control

Caching

public, s-maxage=31536000, max-age=0

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

2 headers

Server

cloudflare

X-Powered-By

Server

Blitz

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=zITOvZDEA_PLyPIq9brlYwfLDDywHX2nfJv2a0Qlk_Y-1768593582-1.0.1.1-pkOitS2kTRkar86_v44_jAOTeACbjETyEfAvB5gff89oukJ7UXL9FWWkqVXEu1V3TBWnn18Dob1ROKxaRYBZiMpDveaxDITyqrw4BKTBjAU; path=/; expires=Fri, 16-Jan-26 20:29:42 GMT; domain=.www.matillion.com; HttpOnly; Secure; SameSite=None

Other Headers

5 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bf031e22b0afc57-IAD

Content-Security-Policy-Report-Only

Other

base-uri 'none'; default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' https://cdn.heapanalytics.com https://distillery.wistia.com/x https://matillion.ddev.site:3000/ wss://matillion.ddev.site:3000 https://fast.wistia.com https://www.googletagmanager.com https://cdn.heapanalytics.com/js/heap-1873293713.js https://cdn.iubenda.com/cs/iubenda_cs.js https://connect.facebook.net/en_US/fbevents.js https://content.cdntwrk.com/components/website-widget/v1/118604/widget.js https://fast.wistia.com/assets/external/E-v1.js https://googleads.g.doubleclick.net/pagead/viewthroughconversion/848565924/ https://in.ml314.com/ud.ashx https://js.driftt.com/include/1688577300000/vh948h8ntehg.js https://js.intercomcdn.com/vendor-modern.255c4d36.js https://lift-ai-js.marketlinc.com/www.matillion.com/deployment.js https://ml314.com/tag.aspx https://munchkin.marketo.net/munchkin.js https://okt.to/ping https://pages.matillion.com/js/forms2/js/forms2.min.js https://script.hotjar.com/modules.832d10fb416834285523.js https://snap.licdn.com/li.lms-analytics/insight.beta.min.js https://static.ads-twitter.com/uwt.js https://static.hotjar.com/c/hotjar-2386626.js https://static.oktopost.com/oktrk.js https://tag.demandbase.com/00a4b81bfa345e5b.min.js https://tracking.g2crowd.com/attribution_tracking/conversions/5351.js https://widget.intercom.io/widget/rjk6vrpn https://www.google-analytics.com/analytics.js https://www.googleadservices.com/pagead/conversion/848565924/ https://www.googletagmanager.com/gtag/js https://www.iubenda.com/cookie-solution/confs/js/48216078.js https://www.redditstatic.com/ads/pixel.js; style-src 'self' 'unsafe-inline' https://p.typekit.net https://pages.matillion.com https://use.typekit.net; img-src 'self' data: 'self' data: https://alb.reddit.com https://analytics.twitter.com https://embed-ssl.wistia.com https://fast.wistia.com https://googleads.g.doubleclick.net https://heapanalytics.com https://id.rlcdn.com https://insight.adsrvr.org https://pubads.g.doubleclick.net https://px.ads.linkedin.com https://t.co https://www.facebook.com https://www.google-analytics.com https://www.google.com; connect-src 'self' https://992-uiw-731.mktoresp.com https://analytics.google.com https://api-iam.intercom.io https://api.company-target.com https://content.hotjar.io https://distillery.wistia.com https://fast.wistia.com https://fg8vvsvnieiv3ej16jby.litix.io https://google.com https://hits-i.iubenda.com https://in.hotjar.com https://metrics.hotjar.io https://stats.g.doubleclick.net https://tag-logger.demandbase.com https://v2.api.uberflip.com https://visitor-scoring-c.marketlinc.com https://www.google-analytics.com https://www.google.com wss://nexus-websocket-a.intercom.io wss://ws.hotjar.com; font-src 'self' 'self' data: https://fast.wistia.com https://use.typekit.net; media-src 'self' blob:; frame-src 'self' 'self' https://12420912.fls.doubleclick.net https://js.driftt.com https://pages.matillion.com https://s.company-target.com https://www.facebook.com;

Date

Other

Fri, 16 Jan 2026 19:59:42 GMT

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology