HTTP Headers Analysis for https://moonpay.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=63072000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

accept-encoding

Caching Headers

2 headers

Age

Caching

33291

Cache-Control

Caching

public, max-age=0, must-revalidate

Content Headers

2 headers

Content-Disposition

Content

inline

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

1 headers

Access-Control-Allow-Origin

Cors

*

Cookies Headers

1 headers

Set-Cookie

Cookies

_cfuvid=a2j_iH7DmN4g_oxqrORaCWU_yLlIvxsqge2oiZNDGfk-1768610069591-0.0.1.1-604800000; path=/; domain=.moonpay.com; HttpOnly; Secure; SameSite=None

Other Headers

7 headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bf1c4669dca81f4-IAD

Content-Security-Policy-Report-Only

Other

default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn-ukwest.onetrust.com/scripttemplates/ https://websdk.appsflyer.com/ https://www.google.com/recaptcha/enterprise.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://cdn.segment.com https://static.moonpay.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://www.moonpay.com https://api.moonpay.com https://api.coingecko.com https://cdn-ukwest.onetrust.com https://*.launchdarkly.com https://geolocation.onetrust.com https://vitals.vercel-insights.com https://*.google-analytics.com https://*.analytics.google.com https://logs.browser-intake-datadoghq.com https://cdn.segment.com https://otel-collector.moonpay.com https://otel-collector.moonpaycloud.com https://otel-collector.moonpay-staging.com; font-src 'self' https://static.moonpay.com; frame-src 'self' https://buy.moonpay.com https://sell.moonpay.com https://www.google.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; img-src 'self' https://cdn-ukwest.onetrust.com https://images.ctfassets.net https://payload-marketing.moonpay.com https://staging.moonpay-marketing-c337344.payloadcms.app https://static.moonpay.com; manifest-src 'self'; media-src 'self' https://payload-marketing.moonpay.com https://staging.moonpay-marketing-c337344.payloadcms.app; worker-src 'self'; frame-ancestors 'none'; report-uri https://csp-report.browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pub4f9819648cf6c369f00daa5b3a3a0ea7&dd-evp-origin=content-security-policy&ddsource=csp-report

Date

Other

Sat, 17 Jan 2026 00:34:29 GMT

X-Matched-Path

Other

/en

X-Vercel-Cache

Other

HIT

X-Vercel-Id

Other

iad1::txwbc-1768610069554-a23722919bf7

Recommendations

Enable compression (gzip/brotli) to improve performance