HTTP Headers Analysis for https://notebooks.aha.io

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; worker-src; +9 more

default-src 'self' https://cdn.aha.io; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.aha.io https://aha.io https://push-iad-prod1.aha.io https://push-iad-prod1.aha.io https://push-iad-prod2.aha.io https://push-iad-prod3.aha.io https://push-iad-prod100.aha.io https://push-dub-prod4.aha.io https://www.google.com https://www.gstatic.com https://js.recurly.com https://www.googletagmanager.com https://www.googleadservices.com https://apis.google.com ; worker-src blob: https://cdn.aha.io; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.aha.io https://aha.io https://secure.aha.io https://push-iad-prod1.aha.io https://www.google.com https://ajax.googleapis.com https://www.gstatic.com; connect-src 'self' https://aha.io https://push-iad-prod1.aha.io wss://push-iad-prod1.aha.io https://push-iad-prod1.aha.io https://push-iad-prod2.aha.io https://push-iad-prod3.aha.io https://push-iad-prod100.aha.io https://push-dub-prod4.aha.io wss://push-iad-prod1.aha.io wss://push-iad-prod2.aha.io wss://push-iad-prod3.aha.io wss://push-iad-prod100.aha.io wss://push-dub-prod4.aha.io https://secure.aha.io https://cdn.aha.io wss://cdn.aha.io https://accounts.google.com https://sentry.io https://rum-http-intake.logs.datadoghq.com https://browser-intake-datadoghq.com https://api.recurly.com https://www.googletagmanager.com https://stats.g.doubleclick.net https://api.atlassian.com https://dev.azure.com https://app.vssps.visualstudio.com https://api.miro.com https: https://*.shared.aha.io:443 https://big.aha.io https://aha-iad-prod1-files.s3.us-east-1.amazonaws.com https://aha-iad-prod1-files.s3.amazonaws.com; frame-src 'self' https://www.aha.io https://docs.google.com https://app.box.com https://api.recurly.com https://big.ideas.aha.io https://big.aha.io https://fast.wistia.net https://view.officeapps.live.com https://support.aha.io https://www.youtube.com https://m.youtube.com https://www.youtu.be https://m.youtu.be https://player.vimeo.com https://www.loom.com https://www.figma.com https://figma.com https://gist.github.com https://*.duosecurity.com https://www.aha.io https://*.ideas.aha.io https://secure.aha.io:443 https://*.ahausercontent.com; img-src 'self' data: blob: https: https://aha.io https://secure.aha.io https://cdn.aha.io; media-src 'self' data: https: *.aha.io https://aha.io https://secure.aha.io https://cdn.aha.io; font-src 'self' data: https://aha.io https://cdn.aha.io https://fonts.gstatic.com; object-src 'self' https://www.gstatic.com; frame-ancestors 'self'; report-uri /csp_report;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

geolocation=(), microphone=(), payment=()

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

4 headers

Cache-Control

Caching

no-store

Etag

Caching

W/"a42b290a2ac1c7b7284fb442c69ea1a7"

Expires

Caching

Fri, 01 Jan 1970 00:00:00 GMT

Pragma

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

openresty

X-Runtime

Server

0.206148

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

_aha_app_2=eLgeYGGtaRYpTVUv%2BKDB8fdEAG%2B1Tgl5Q6X0yIwttNRZS27eFDKFo9VH9FXQmOg%2BXTzLwAjyTfjEubmtLny%2B%2BR4iMGYTsEUuoR3XnG6bJZSy6yT40jkRrIW9LxKDsqdlbiVbMUHz09DUJch1p4T4k6ke%2FgimXyccT7xVoscA2wxQcJHcIcSE2c8DF4Ejwa9ydRXPSdIHx4qEYTmXLB0DfHmqpBmKIcjLILz3GP0NZRN1nSp1ivDJU9C0VPzTuV0hfxGXhSMDIPzQ0QZdCOHGryMz--eHzVax0uuWBDasEF--MXqN2nA%2B2A1vAiPOH4kFXQ%3D%3D; path=/; secure; HttpOnly; SameSite=Lax

Other Headers

6 headers

Date

Other

Fri, 30 Jan 2026 19:20:28 GMT

Feature-Policy

Other

geolocation 'none'; microphone 'none'; payment 'none'

Link

Other

<https://cdn.aha.io/assets/application_library_styles-v2-4f9e64b5adf54d994d2241f51a8cde80.css>; rel=preload; as=style; nopush,<https://cdn.aha.io/assets/application-v2-b2f97269badc11aa12fa8c9601d4568e.css>; rel=preload; as=style; nopush,<https://cdn.aha.io/assets/runtime-v2-e9a911642944e35e01c1c061adb13dcf.js>; rel=preload; as=script; nopush,<https://cdn.aha.io/assets/vendor-v2-293da6da4776292faeaa6dd52cfcbc6e.js>; rel=preload; as=script; nopush,<https://cdn.aha.io/assets/external_app-v2-bd42d3b49a0335833ef37d486f3d53d6.js>; rel=preload; as=script; nopush

X-Permitted-Cross-Domain-Policies

Other

none

X-Request-Id

Other

f6460a57-4f50-4cd3-a0be-eb193e798041

X-Robots-Tag

Other

noindex,nofollow

Recommendations

Enable compression (gzip/brotli) to improve performance