HTTP Headers Analysis for https://my.dev.firstdollar.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31556926

Content-Security-Policy

Good

default-src; base-uri; block-all-mixed-content; +12 more

default-src 'self' cdn.plaid.com; base-uri 'none'; block-all-mixed-content; connect-src 'self' https://consumer.api.dev.firstdollar.com https://first-dollar-app-dev.appspot.com sandbox.plaid.com https://widgets-sandbox.marqeta.com https://api.stripe.com https://api.iterable.com www.google.com *.googleapis.com api-iam.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io wss://primary-realtime.intercom-messenger.com uploads.intercomcdn.com sentry.io *.sentry.io https://api.iterable.com; frame-ancestors 'self' https://widgets.dev.firstdollar.com https://widgets.stg.firstdollar.com https://widgets.firstdollar.com https://developer.firstdollar.com https://first-dollar-developer.web.app https://first-dollar-developer-dev.web.app https://participant.ddevserv10.dev.benefitresource.com https://participant.ddevserv01.dev.benefitresource.com https://participant.ddevserv14.dev.benefitresource.com https://participant.ddevserv15.dev.benefitresource.com https://participant.dbriweb01.dev.benefitresource.com http://participant.localhost https://*.dev.financialhealthwallet.com https://*.financialhealthwallet.com https://*.zizzlhealth.com https://*.zizzlhealthdemo.com https://*.zizzlhealthdev.com http://localhost:* http://*.localhost:*; form-action 'self' consumer.api.dev.firstdollar.com intercom.help *.intercom.io *.statuspage.io; child-src 'self'; frame-src 'self' blob: https://verify.stripe.com https://js.stripe.com https://hooks.stripe.com https://widgets.marqeta.com https://widgets-sandbox.marqeta.com https://intercom-sheets.com intercom-sheets.com https://www.google.com cdn.plaid.com firebasestorage.googleapis.com https://first-dollar-app-dev.storage.googleapis.com https://first-dollar-app.storage.googleapis.com; img-src 'self' blob: https://www.google.com assets-global.website-files.com https://uat-drivewealth.imgix.net syscdn.drivewealth.net d3an3cesqmrf1x.cloudfront.net https://drivewealth.imgix.net data: *.intercom.io static.intercomassets.com *.intercomcdn.com first-dollar.intercom-attachments-5.com first-dollar.intercom-attachments-1.com firebasestorage.googleapis.com https://first-dollar-app-dev.storage.googleapis.com https://first-dollar-app.storage.googleapis.com; media-src 'self' js.intercomcdn.com; object-src 'self' blob: https://firebasestorage.googleapis.com https://first-dollar-app-dev.storage.googleapis.com https://first-dollar-app.storage.googleapis.com; script-src 'self' 'sha256-LS6mawHTGJzVAO6diFEPo1LfVR/ARli3Fg9ydRed7Yg=' 'sha256-aIrIqSQxotoOXF25OIjYIjPot6K/xGLNdyewnUoIXfI=' 'sha256-XNORTO2kINoWE2ij0/rG/Eig0roe1GyRyrAqsqcQApk=' 'sha256-VnKBsWlW5LYtvchHVwZtSkI5E9jcNUUn3skoMCfOZzI=' 'sha256-ZdDTEfl8xrGn7iZ/2mMDizDIe6JRmep2vz9STHJi4Zs=' 'sha256-AdrKFRwbXYnt+NArcWuOA3p5Uu+OM2x5iXbnbok+VTg=' 'sha256-Uz0yn00PqpvyPuK+MptaAirzRCPwuCU4Vhj/iAbfJxk=' 'sha256-2LjWgFlionHbs9uurvaAwYDJQpT4QuchPDHFnoeeG0g=' 'sha256-HPWqnjtxlF7Jrts3buMC+bSE+BWrE9QZGTXQsnFsXlI=' 'sha256-9UUoc2F0aeQNM/1w/0MyfzK9ocjaPer/cAGZMUw1YHs=' 'sha256-WFHcs3IC9BsLZet1ga3z73q48mpf33c9Sjjia1N3jkE=' https://js.stripe.com https://widgets.marqeta.com https://widgets-sandbox.marqeta.com https://www.google.com https://www.gstatic.com apis.google.com cdn.plaid.com 'sha256-DV/iinpNag4xVnPS7WJb4QjhUpGuaoz3oxPEBKUbyl0=' widget.intercom.io js.intercomcdn.com; style-src 'self' 'unsafe-inline' fonts.intercomcdn.com; font-src 'self' data: js.intercomcdn.com fonts.intercomcdn.com; report-uri https://o338933.ingest.sentry.io/api/5185078/security/?sentry_key=2e56ee6fabfa4e4bbc843185673016b1&sentry_environment=development;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

x-fh-requested-host, accept-encoding

Caching Headers

2 headers

Cache-Control

Caching

no-cache

Last-Modified

Caching

Wed, 14 Jan 2026 23:40:07 GMT

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=mbHmFFRC8YpzBJmykPSYaKEr8IJ0dTV9sBJSnBqSlfs-1768439351-1.0.1.1-qAu.rfEJKhXcbCwdPu3OdFnM9FMYv2M31k8Mq0qAntN3IYfpPUfF2CMKK.qkT732QTyRy628A92suvbx7HCMKVc7gVY_0V9MMSl95jz1eSE; path=/; expires=Thu, 15-Jan-26 01:39:11 GMT; domain=.dev.firstdollar.com; HttpOnly; Secure; SameSite=None

Other Headers

7 headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9be17c7b8d17e5f6-IAD

Date

Other

Thu, 15 Jan 2026 01:09:11 GMT

X-Cache

Other

MISS

X-Cache-Hits

Other

0

X-Served-By

Other

cache-iad-kiad7000117-IAD

X-Timer

Other

S1768439352.733843,VS0,VE147

Recommendations

Enable compression (gzip/brotli) to improve performance