HTTP Headers Analysis for https://maze.co

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

default-src; script-src; style-src; +10 more

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://*.maze.co https://cdn-cookieyes.com https://cdn.amplitude.com https://cdn.segment.com https://www.google-analytics.com https://*.googletagmanager.com https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net https://www.googleadservices.com https://connect.facebook.net https://*.clickagy.com https://*.cdnjs.network https://bat.bing.com https://static.ads-twitter.com https://snap.licdn.com https://*.twitter.com https://*.zoominfo.com https://js.zi-scripts.com https://extend.vimeocdn.com https://*.chilipiper.com https://mazedesign.widget.insent.ai https://*.cloudfront.net *.hs-scripts.com *.hsadspixel.net *.hs-analytics.net js.hscta.net *.hubspot.com *.hubspot.net static.hsappstatic.net *.usemessages.com *.hs-banner.com *.hscollectedforms.net *.hsleadflows.net *.hsforms.net *.hsforms.com *.hubspotfeedback.com feedback.hubapi.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://code.tidio.co https://widget-v4.tidiochat.com https://app.spara.co https://*.arcade.software https://*.apollo.io https://netlify-cdp-loader.netlify.app blob:; style-src 'self' 'unsafe-inline' https://*.maze.co https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com cdn2.hubspot.net; connect-src 'self' https://*.maze.co https://www.datocms-assets.com https://stream.mux.com https://image.mux.com https://inferred.litix.io https://static.hsappstatic.net https://*.mux.com https://*.cookieyes.com https://cdn-cookieyes.com https://js.zi-scripts.com https://ws.zoominfo.com https://api.schedule.zoominfo.com https://*.clickagy.com https://*.chilipiper.com https://api.amplitude.com https://cdn.segment.com https://api.segment.io https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://*.g.doubleclick.net https://*.google.com https://*.facebook.com https://*.goldcast.io https://px.ads.linkedin.com *.hubapi.com js.hscta.net *.hubspot.com *.hs-banner.com *.hscollectedforms.net *.hsforms.com *.hsappstatic.net sentry-new.tidio.co socket.tidio.co api-v2.tidio.co https://cdn.simplecast.com https://*.outgrow.us https://app.spara.co https://*.arcade.software https://*.arcade.show https://*.apollo.io https://aplo-evnt.com https://api.country.is https://unpkg.com/@rive-app/[email protected]/rive.wasm https://cdn.jsdelivr.net/npm/@rive-app/[email protected]/rive_fallback.wasm wss:; font-src 'self' data: https://*.maze.co https://fonts.gstatic.com https://*.chilipiper.com https://www.youtube.com https://*.arcade.software; frame-src 'self' https://*.maze.co https://*.spotify.com https://player.simplecast.com https://www.youtube.com https://player.vimeo.com https://*.outgrow.us https://*.clickagy.com https://mazedesign.widget.insent.ai https://*.chilipiper.com https://www.facebook.com https://platform.twitter.com https://www.googletagmanager.com https://td.doubleclick.net https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/ *.hubspot.com *.hubspot.net *.hs-sites.com play.hubspotvideo.com *.hsforms.net *.hsforms.com https://app.spara.co https://*.arcade.software https://*.apollo.io https://*.aplo-evnt.com https://app.netlify.com; img-src 'self' https://*.maze.co https://placehold.co https://www.datocms-assets.com https://image.mux.com https://cdn-cookieyes.com https://*.chilipiper.com https://*.rlcdn.com https://*.clickagy.com https://bat.bing.com https://*.linkedin.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://analytics.twitter.com https://*.google-analytics.com https://*.analytics.google.com https://*.doubleclick.net https://*.g.doubleclick.net https://*.google.com https://*.google.fr https://pagead2.googlesyndication.com https://www.googleadservices.com https://ssl.gstatic.com https://www.gstatic.com https://*.googletagmanager.com https://t.co https://i.vimeocdn.com https://i.ytimg.com https://*.facebook.com cdnjs.cloudflare.com no-cache.hubspot.com js.hscta.net *.hubspot.com *.hubspot.net cdn2.hubspot.net *.hsforms.net *.hsforms.com https://app.spara.co https://spara-prod.s3.amazonaws.com https://*.arcade.software https://*.apollo.io blob: data:; media-src 'self' https://*.maze.co https://*.mux.com https://rvlstudio.s3.eu-west-3.amazonaws.com https://cdn.simplecast.com https://*.scdn.co https://*.arcade.software widget-v4.tidiochat.com blob:; frame-ancestors 'self' https://mazedesign.widget.insent.ai; object-src 'none'; base-uri 'self'; manifest-src 'self'; worker-src 'self' blob:;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

same-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Caching Headers

3 headers

Age

Caching

3538

Cache-Control

Caching

public,max-age=0,must-revalidate

Etag

Caching

"d37fb57520cfbf758b6ed535cf8308b3-ssl"

Content Headers

2 headers

Content-Length

Content

323505

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

Netlify

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

9 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cache-Status

Other

"Netlify Edge"; hit

Date

Other

Tue, 09 Dec 2025 08:37:33 GMT

Via

Other

1.1 64c95802ff188dd41dd32c313bef089c.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

FXyy4NfE_aUjOFvEcdxCWgeS7TR3PuoUK07xH1CmZO2raG40aCbyOg==

X-Amz-Cf-Pop

Other

IAD61-P1

X-Cache

Other

Miss from cloudfront

X-Nf-Request-Id

Other

01KC144EAMT5HHAQ31455VGQ2V

X-Permitted-Cross-Domain-Policies

Other

none

Recommendations

Enable compression (gzip/brotli) to improve performance