HTTP Headers Analysis for https://new.expensify.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; connect-src; +7 more

default-src 'self' https://assets.onfido.com; script-src 'self' 'nonce-MDg1MGY3MDQ2MG/MDZmMDRkMGE0MGYwZmYwNzYwN2M=' 'sha256-hK550RmP3t+9myNCpVty39wCs9CDUTXjWUP30rrXvD0=' 'unsafe-eval' https://polyfill.io https://cdn.plaid.com https://www.woopra.com https://assets.onfido.com https://sdk.onfido.com https://sentry.io https://*.sentry.io https://*.sardine.ai/ https://appleid.cdn-apple.com https://googletagmanager.com https://*.googletagmanager.com https://tagmanager.google.com https://web-sdk.smartlook.com https://edge.fullstory.com https://rs.fullstory.com https://api.mapbox.com https://api.openai.com https://*.convertexperiments.com https://accounts.google.com/gsi/client https://cdn.expensify.com; connect-src 'self' https://*.pusher.com wss://*.pusher.com https://*.pusherapp.com https://secure.expensify.com https://www.expensify.com https://accounts.google.com/gsi/ wss://sync.onfido.com https://telephony.onfido.com blob: *.onfido.com wss://*.onfido.com https://www.woopra.com https://sentry.io https://*.sentry.io https://*.tiles.mapbox.com https://api.mapbox.com https://api.openai.com https://*.googleusercontent.com https://*.smartlook.cloud https://events.mapbox.com https://edge.fullstory.com https://rs.fullstory.com https://*.googleapis.com https://*.convertexperiments.com https://google-analytics.com https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://googletagmanager.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com/measurement/ data: https://cdn.expensify.com; img-src * blob: data: https://rs.fullstory.com https://googletagmanager.com https://*.googletagmanager.com https://google-analytics.com https://*.google-analytics.com https://ssl.gstatic.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://assets.onfido.com https://sdk.onfido.com https://accounts.google.com/gsi/style https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; font-src data: https://new.expensify.com https://www.expensify.com https://fonts.gstatic.com; frame-src 'self' https://cdn.plaid.com https://www.expensify.com https://secure.expensify.com https://sdk.onfido.com https://*.sardine.ai/ https://accounts.google.com/gsi/ https://www.googletagmanager.com https://td.doubleclick.net https://app.storylane.io https://expensify.navattic.com new-expensify://new.expensify.com https://eu.id.group-ib.com https://hooks.stripe.com; worker-src 'self' blob:; child-src 'self' blob:; media-src blob: https://www.expensify.com https://d2k5nsl2zxldvw.cloudfront.net https://assets.onfido.com;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

4 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

5 headers

Age

Caching

7018

Cache-Control

Caching

public, max-age=86400

Etag

Caching

"e486e9a06535819662c17e7ca93f78d0"

Expires

Caching

Sat, 31 Jan 2026 21:43:07 GMT

Last-Modified

Caching

Wed, 28 Jan 2026 22:53:51 GMT

Content Headers

1 headers

Content-Type

Content

text/html

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

_cfuvid=mYvVTKx81A6WZLcAwKPrSHXgd5eoQ7rjD4G_QEw3gcc-1769809386.9873862-1.0.1.1-9xXz7rIFdInarCzY.sxmukSTKTlzfgbCgmCPDSZCb9g; HttpOnly; SameSite=None; Secure; Path=/; Domain=new.expensify.com

Other Headers

11 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

HIT

Cf-Ray

Other

9c64249cafcefe99-IAD

Date

Other

Fri, 30 Jan 2026 21:43:07 GMT

Document-Policy

Other

js-profiling

Via

Other

1.1 d00cb503b8007a39957751dcef3d0ff6.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

EcpPaENkEGjyC28kPRQX27XKqVhNZUNBwJZP5Y2OhcP2YbljxHFgPg==

X-Amz-Cf-Pop

Other

ORD58-P16

X-Amz-Server-Side-Encryption

Other

AES256

X-Amz-Version-Id

Other

Eg5foQj6OdLeAcJm2ENBRoGWWxBgdgpH

X-Cache

Other

Miss from cloudfront

Recommendations

Enable compression (gzip/brotli) to improve performance