Headers
HTTP Security Headers
Status
Strict-Transport-Security
Excellent
max-age=63072000; includeSubDomains; preload
Content-Security-Policy
Basic
child-src blob:; default-src 'self' data: https://*.redsift.com https://red-sift.prismic.io/ https://*.internal.prismic.io/* https://hook.integromat.com/ https://sentry.io/ https://*.ingest.sentry.io/ https://consentcdn.cookiebot.com/ https://*.wistia.com https://*.wistia.net; font-src 'self' https://*.redsift.com https://fonts.gstatic.com/ data: chrome-extension: moz-extension: safari-web-extension: https://*.hotjar.com https://*.wistia.com; img-src 'self' data: https: https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://ssl.gstatic.com https://www.gstatic.com https://*.google.co.uk https://googleads.g.doubleclick.net https://googletagmanager.com https://www.google-analytics.com https://www.google.com https://google.com https://*.google.com https://*.hotjar.com https://images.prismic.io https://*.internal.prismic.io/* https://*.wistia.com https://*.wistia.net https://embedwistia-a.akamaihd.net; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net https://embedwistia-a.akamaihd.net https://red-sift.cdn.prismic.io https://images.prismic.io; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://*.redsift.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googlesyndication.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com/recaptcha/ https://static.cdn.prismic.io/ https://prismic.io https://*.internal.prismic.io/* https://consent.cookiebot.com https://consentcdn.cookiebot.com/ https://munchkin.marketo.net/ https://www.redditstatic.com/ads/pixel.js https://snap.licdn.com https://tag.clearbitscripts.com/v1/pk_0c2cfaf8152eb3a2b07abfd53b7e6d22/tags.js https://reveal.clearbit.com/v1/companies/reveal https://x.clearbitjs.com/v2/pk_0c2cfaf8152eb3a2b07abfd53b7e6d22/destinations.min.js 
https://x.clearbitjs.com/v2/pk_0c2cfaf8152eb3a2b07abfd53b7e6d22/tracking.min.js https://secure.oita4bali.com/js/151998.js https://secure.oita4bali.com/Track/Capture.aspx https://*.hotjar.com https://static.hotjar.com/c/hotjar-3150796.js https://j.6sc.co/j/80f37845-a767-46c9-9ad5-abb58133cf39.js https://j.6sc.co/6si.min.js https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.driftt.com https://widget.drift.com https://js.sentry-cdn.com https://challenges.cloudflare.com https://js.zi-scripts.com https://ws.zoominfo.com https://tags.clickagy.com https://cdn.jsdelivr.com https://cdn.jsdelivr.net; style-src 'self' blob: 'unsafe-inline' https://*.redsift.com https://googletagmanager.com https://tagmanager.google.com https://www.googletagmanager.com https://fonts.googleapis.com https://*.hotjar.com https://fast.wistia.com; frame-src 'self' https://*.googlesyndication.com https://td.doubleclick.net https://www.googletagmanager.com https://bid.g.doubleclick.net https://consentcdn.cookiebot.com https://red-sift.prismic.io/ https://*.internal.prismic.io/* https://www.youtube.com https://www.google.com https://*.hotjar.com https://fast.wistia.com https://fast.wistia.net https://js.driftt.com https://widget.drift.com https://challenges.cloudflare.com https://hemsync.clickagy.com; connect-src https://radar-lite.redsift.cloud 'self' https://*.redsift.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://google.com https://*.googlesyndication.com https://www.googleadservices.com https://www.google-analytics.com https://*.google.com https://*.google.de https://*.google.no https://*.google.ca https://*.google.ch https://*.google.es https://*.google.it https://*.google.co.uk https://*.google.co.nz https://*.google.co.au https://*.google.nl https://*.google.fr https://*.google.be https://*.google.se https://*.google.pt https://images.prismic.io https://red-sift.cdn.prismic.io 
https://red-sift.cdn.prismic.io/api/v2 https://red-sift.cdn.prismic.io/api/v2/documents/search https://*.internal.prismic.io/* https://cdn.linkedin.oribi.io https://px.ads.linkedin.com/wa/ https://px.ads.linkedin.com https://px.ads.linkedin.com/attribution_trigger https://hook.integromat.com/ https://api-eu.customer.io/v1/webhook/40a4a49d472519b0 https://webto.salesforce.com https://api.github.com/repos/redsift/red-sift-website/dispatches https://*.mktoresp.com https://*.mktoutil.com https://*.ondmarc.com https://ondmarc.com https://ipforensics-svc.redsift.io/graphql https://*.ingest.sentry.io/ https://consentcdn.cookiebot.com/ https://app.clearbit.com/v1/p https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://secure.adnxs.com/getuidj https://*.litix.io https://*.wistia.com https://embedwistia-a.akamaihd.net https://*.algolia.net https://api.ipify.org wss://presence.api.drift.com https://aorta.clickagy.com https://hemsync.clickagy.com https://js.zi-scripts.com https://ws.zoominfo.com https://data.hockeystack.com https://cdn.jsdelivr.net https://challenges.cloudflare.com https://browser-intake-datadoghq.com; worker-src 'self' blob:; frame-ancestors 'self' https://*.redsift.com https://app.drift.com; report-uri https://o177043.ingest.sentry.io/api/1306227/security/?sentry_key=860eaee6b9674db6ac8d51d87a14fd84
X-Frame-Options
Excellent
deny
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Present
origin
Permissions-Policy
Missing
Not configured
Recommendations
- Improve CSP by adding more specific directives and removing 'unsafe-inline'
- Consider adding Permissions-Policy to control browser features
Performance Headers
1 header
Connection
Performance
close
Caching Headers
3 headers
Age
Caching
299713
Cache-Control
Caching
s-maxage=31536000, stale-while-revalidate=2592000
Etag
Caching
"se8k2u6rtt9u77"
Content Headers
2 headers
Content-Length
Content
459342
Content-Type
Content
text/html; charset=utf-8
Server Headers
1 header
X-Powered-By
Server
Next.js
CORS Headers
0 headers
No CORS headers found
Cookies Headers
0 headers
No cookies headers found
Other Headers
13 headers
Date
Other
Thu, 08 Jan 2026 16:52:46 GMT
Nel
Other
{"report_to":"default","max_age":604800,"include_subdomains":true,"success_fraction":0.05}
Report-To
Other
{"group":"default","max_age":604800,"endpoints":[{"url":"https://redsift.reporting.hardenize.com"}],"include_subdomains":true}
Via
Other
1.1 e6b4dbead926e5325f87837a8678a68a.cloudfront.net (CloudFront)
X-Amz-Cf-Id
Other
0s_-3Ri6FO72SOy2Da7oL222XB7dQOf9yJoF1hS_3wp4aMjlOw2Y0Q==
X-Amz-Cf-Pop
Other
JFK52-P2
X-Amzn-Remapped-Content-Length
Other
459342
X-Amzn-Requestid
Other
43c213ff-64bd-4085-989e-250d07395b08
X-Amzn-Trace-Id
Other
Root=1-695fe0dd-7bc41cf4647b72196d6a821a;Parent=1e1578cae18b0484;Sampled=0;Lineage=1:add19190:0
X-Cache
Other
Hit from cloudfront
X-Download-Options
Other
noopen
X-Nextjs-Cache
Other
HIT
X-Opennext
Other
1
Recommendations
- Enable compression (gzip/brotli) to improve performance
- Consider removing X-Powered-By header to hide server technology