14 Headers
HTTP Security Headers
Status
Strict-Transport-Security
Good
max-age=31536000; includeSubDomains
Content-Security-Policy
Basic
default-src; script-src; script-src-elem; +10 more
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mega.com.br *.senior.com.br *.hotjar.com https://ajax.googleapis.com/ https://maps.googleapis.com https://cdn.jsdelivr.net/npm/choices.js@4/public/assets/scripts/choices.min.js https://connect.facebook.net https://d335luupugsy2.cloudfront.net https://googleads.g.doubleclick.net/pagead/ https://kit.fontawesome.com/81c7b4af9a.js https://snap.licdn.com/li.lms-analytics/insight.min.js https://www.google-analytics.com https://www.googleadservices.com/pagead/ https://tpc.googlesyndication.com/sodar/1s9mPOHO.js https://www.googletagmanager.com https://snap.licdn.com/li.lms-analytics/ https://platform.twitter.com https://platform.linkedin.com https://apis.google.com https://www.google.com/recaptcha/ https://static.ads-twitter.com/ https://www.gstatic.com/recaptcha/ https://cdnjs.cloudflare.com/ajax/libs/select2/ https://www.google.com/pagead/ https://www.googleadservices.com/pagead/ https://www.googleoptimize.com https://optimize.google.com https://s.yimg.com/wi/ytc.js https://sdk.amazonaws.com https://js.hs-scripts.com https://js.hsleadflows.net https://js.hs-banner.com https://js.hsadspixel.net https://js.hubspotfeedback.com https://js.usemessages.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hsforms.net https://js-na1.hs-scripts.com https://forms.hsforms.com https://js.hscta.net https://cta-service-cms2.hubspot.com https://js.hubspot.com *.visualwebsiteoptimizer.com app.vwo.com cdn.pushcrew.com *.mida.so *.howuku.com *.bootstrapcdn.com https://cdnjs.cloudflare.com/ajax/libs/ https://code.jquery.com/ https://senior-mega.netlify.app; script-src-elem 'unsafe-eval' 'unsafe-inline' 'self' *.mega.com.br *.senior.com.br *.hotjar.com https://ajax.googleapis.com/ https://maps.googleapis.com https://cdn.jsdelivr.net/npm/choices.js@4/public/assets/scripts/choices.min.js https://connect.facebook.net https://d335luupugsy2.cloudfront.net https://googleads.g.doubleclick.net/pagead/ 
https://kit.fontawesome.com/81c7b4af9a.js https://snap.licdn.com/li.lms-analytics/insight.min.js https://www.google-analytics.com https://www.googleadservices.com/pagead/ https://tpc.googlesyndication.com/sodar/1s9mPOHO.js https://www.googletagmanager.com https://snap.licdn.com/li.lms-analytics/ https://platform.twitter.com https://platform.linkedin.com https://apis.google.com https://www.google.com/recaptcha/ https://static.ads-twitter.com/ https://www.gstatic.com/recaptcha/ https://cdnjs.cloudflare.com/ajax/libs/select2/ https://www.google.com/pagead/ https://www.googleadservices.com/pagead/ https://www.googleoptimize.com https://optimize.google.com https://s.yimg.com/wi/ytc.js https://sdk.amazonaws.com https://js.hs-scripts.com https://js.hsleadflows.net https://js.hs-banner.com https://js.hsadspixel.net https://js.hubspotfeedback.com https://js.usemessages.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hsforms.net https://js-na1.hs-scripts.com https://forms.hsforms.com https://js.hscta.net https://cta-service-cms2.hubspot.com https://js.hubspot.com *.visualwebsiteoptimizer.com app.vwo.com cdn.pushcrew.com *.mida.so *.howuku.com *.bootstrapcdn.com https://cdnjs.cloudflare.com/ajax/libs/ https://code.jquery.com/ *.goadopt.io https://www.clarity.ms/tag/ https://senior-mega.netlify.app *.clarity.ms; style-src 'self' 'unsafe-inline' *.mega.com.br *.senior.com.br https://fonts.googleapis.com https://use.fontawesome.com/releases/ https://maxcdn.bootstrapcdn.com/font-awesome/ https://cdnjs.cloudflare.com/ajax/libs/select2/ https://optimize.google.com *.visualwebsiteoptimizer.com app.vwo.com cdn.pushcrew.com s3.amazonaws.com *.mida.so *.howuku.com *.bootstrapcdn.com https://cdnjs.cloudflare.com/ajax/libs/ https://unicons.iconscout.com https://seniormega.twic.pics https://senior-mega.netlify.app; object-src 'self'; base-uri 'self'; connect-src 'self' *.hotjar.com *.hotjar.io wss://ws7.hotjar.com/api/v2/client/ws 
https://api.github.com/repos/squadtecnologia/ https://cookies.senior.com.br https://www.google.com.br/ads/ https://google.com/pagead https://analytics.google.com https://ka-f.fontawesome.com https://www.rdstation.com.br https://pages.rdstation.com.br https://forms.rdstation.com.br https://app.rdstation.com.br https://pageview-notify.rdstation.com.br https://popups.rdstation.com.br https://www.google-analytics.com https://google.com/ccm https://stats.g.doubleclick.net https://storage.googleapis.com/br-com-mega-ecossistema-api/ https://adservice.google.com/ https://pagead2.googlesyndication.com/ https://s.yimg.com/wi/config/10168571.json *.amazonaws.com https://google.com/pagead/form-data/ https://google.com/ccm/form-data/ *.hubspot.com api.hubapi.com js.usemessages.com js.hsleadflows.net js.hs-banner.com js.hubspotfeedback.com js.hsadspixel.net js.hs-analytics.net js.hs-scripts.com forms.hsforms.com forms.hubspot.com hubspot-forms-static-embed.s3.amazonaws.com forms.hscollectedforms.net https://cdn.linkedin.oribi.io/ *.ads.linkedin.com wss://ws27.hotjar.com/api/v2/client/ws *.visualwebsiteoptimizer.com app.vwo.com *.mida.so *.howuku.com *.goadopt.io *.clarity.ms; font-src 'self' 'unsafe-inline' *.mega.com.br https://fonts.gstatic.com https://ka-f.fontawesome.com https://use.fontawesome.com/releases/ https://use.typekit.net https://maxcdn.bootstrapcdn.com/font-awesome/ https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ https://senior-mega.netlify.app https://unicons.iconscout.com data:; frame-src 'self' *.hotjar.com https://marvelapp.com https://www.youtube.com https://www.facebook.com https://www.google.com https://platform.twitter.com https://apis.google.com https://accounts.google.com https://tpc.googlesyndication.com https://bid.g.doubleclick.net https://xd.adobe.com https://optimize.google.com *.hubspot.com forms.hsforms.com js.hsforms.net js.hsadspixel.net js.hscollectedforms.net js.usemessages.com https://td.doubleclick.net ; img-src 'self' 'unsafe-inline' 
data: *.mega.com.br *.cloudinary.com https://maps.googleapis.com https://maps.gstatic.com https://d335luupugsy2.cloudfront.net https://eye.rd.services https://dk9suync0k2va.cloudfront.net/js/rd/ https://lipis.github.io/flag-icon-css/flags/ *.ads.linkedin.com https://www.linkedin.com/px/ https://www.facebook.com https://www.google.com https://www.google.com.br/ads/ https://www.google.com.br/pagead/ https://www.google-analytics.com https://p.adsymptotic.com/d/px/ https://syndication.twitter.com https://t.co https://analytics.twitter.com/ https://googleads.g.doubleclick.net/pagead/ https://cdnjs.cloudflare.com/ajax/libs/select2/ https://i.ytimg.com https://validator.swagger.io https://www.googletagmanager.com https://www.google.com/pagead/ https://optimize.google.com https://www.gstatic.com https://fakeimg.pl https://sp.analytics.yahoo.com/sp.pl *.hubspot.com cdn2.hubspot.net *.hsforms.com *.googleadservices.com *.visualwebsiteoptimizer.com cdn.pushcrew.com chart.googleapis.com wingify-assets.s3.amazonaws.com app.vwo.com *.mida.so *.howuku.com https://seniormega.twic.pics; manifest-src 'self'; media-src 'self'; worker-src 'self' blob:;
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- Consider adding 'preload' to HSTS for maximum security
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- Consider adding Permissions-Policy to control browser features
Performance Headers
0 headers
No performance headers found
Caching Headers
1 header
Cache-Control
Caching
no-cache, private
Content Headers
2 headers
Content-Length
Content
87360
Content-Type
Content
text/html; charset=UTF-8
Server Headers
2 headers
Server
Server
X-Powered-By
Server
ASP.NET
CORS Headers
1 header
Access-Control-Max-Age
Cors
86400
Cookies Headers
1 header
Set-Cookie
Cookies
mega_session=eyJpdiI6InZrUHBFUWlNb2JLTnJpa2UvZ0VOYlE9PSIsInZhbHVlIjoicExId1NXZE85VTFnYnd3OUtJM2pwb3dSbmFwbWQ1d3l3MkZBL1JjcTFBRFRsUldUTjVwRWdsaWZFY0VMSFhka05ZT3dlaTNPWENsNHU0emhSa2NsWTVoMnF2cGpPQVllT1NvaFpiVXJCb2EwNitTMCsyWFhLUFJ5RUtjM2NENW0iLCJtYWMiOiJmMWI1MDhiOGRiMzk4MmI3YjJhZGUyZGQ2NGY0MDUxZmNkNzZmOTFiZTVmY2ZmYzk0YTBhZjcyY2FhYzFlOGMzIiwidGFnIjoiIn0%3D; expires=Tue, 25 Nov 2025 02:02:21 GMT; Max-Age=7200; path=/; secure; httponly; samesite=lax; HttpOnly
Other Headers
2 headers
Date
Other
Tue, 25 Nov 2025 00:02:21 GMT
X-Permitted-Cross-Domain-Policies
Other
*.mega.com.br
Recommendations
- Enable compression (gzip/brotli) to improve performance
- Consider removing X-Powered-By header to hide server technology
Analysis completed in 768ms