HTTP Headers Analysis for https://mcp.padlet.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000; includeSubDomains; preload

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding, Accept-Language

Caching Headers

1 headers

Cache-Control

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

application/json; charset=utf-8

Server Headers

2 headers

Server

cloudflare

X-Runtime

Server

0.010397

CORS Headers

5 headers

Access-Control-Allow-Headers

Cors

Authorization

Access-Control-Allow-Methods

Cors

GET,OPTIONS

Access-Control-Allow-Origin

Cors

*

Access-Control-Expose-Headers

Cors

Etag,Content-Length,Last-Modified

Access-Control-Max-Age

Cors

3600

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=yRiV5F5yl71O9i3YW1tizyL50nw7488.5baUVF.N8D8-1769284351-1.0.1.1-pPTOOnk8YkMV01JoK5lnqfEnLWSneJKfxFS82jLFu2sFrZiorCp5nk40QtXpTpBX9TrsCjHEBzXlDDgHYMOVW6NXHZBYI3gi1tJp8eJnpiArPsBSJKbRQt4yvagu8qI2; path=/; expires=Sat, 24-Jan-26 20:22:31 GMT; domain=.padlet.com; HttpOnly; Secure; SameSite=None

Other Headers

14 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9c32125d4f8fd687-IAD

Content-Security-Policy-Report-Only

Other

script-src 'self' padlet.net maps.googleapis.com apis.google.com ta-echo.padlet.com api.commandbar.com cdn.commandbar.com app.getbeamer.com challenges.cloudflare.com embed.cloudflarestream.com cdn.usefathom.com blob: 'unsafe-inline' 'unsafe-eval'; style-src 'self' padlet.net fonts.googleapis.com cdn.commandbar.com app.getbeamer.com 'unsafe-inline'; font-src 'self' padlet.net fonts.gstatic.com data:; report-uri https://padlet.com/csp-report;

Date

Other

Sat, 24 Jan 2026 19:52:31 GMT

P3p

Other

CP="IDC DSP COR CURa ADMa OUR NOR ONL COM"

Via

Other

1.1 google

Ww-App-Version

Other

v-2601240654-6eb3c-production

Ww-Qt

Other

low

Www-Authenticate

Other

Bearer realm="padlet_mcp", error="invalid_token", error_description="Authorization header with Bearer token is required", as_uri="https://mcp.padlet.com/.well-known/oauth-authorization-server", resource_metadata="https://mcp.padlet.com/.well-known/oauth-protected-resource", resource="https://mcp.padlet.com"

X-Backend

Other

GKE-mozart-production

X-Permitted-Cross-Domain-Policies

Other

none

X-Request-Id

Other

56b61574-c906-454f-9020-034712d0edae

X-Robots-Tag

Other

noindex, nofollow