HTTP Headers Analysis for https://onenote.cloud.microsoft

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

script-src; style-src; default-src; +15 more

script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' 'wasm-unsafe-eval' *.cdn.office.net *.public.onecdn.static.microsoft *.office.com aadcdn.msauth.net aadcdn.msftauth.net blob: https: https://a-ring.msedge.net https://amcdn.msauth.net https://amcdn.msftauth.net https://b-ring.msedge.net https://graph.microsoft.com https://gtm-dyn-direct.office365.com https://js.monitor.azure.com https://k-ring.msedge.net https://outlook.live.com https://outlook.office.com https://ow1.res.office365.com https://partner.dev.oasis.microsoft.com https://r4.res.office365.com https://s-ring.msedge.net https://web.vortex.data.microsoft.com https://webshell.suite.office.com https://webshell.suite.officeppe.com res.cdn.office.net;style-src 'report-sample' 'self' 'unsafe-inline' *.cdn.office.net *.fluidpreview.office.net *.microsoft.com https://www.microsoft.com/ res-dev.cdn.officeppe.net res.public.onecdn.static.microsoft;default-src 'self' *.cdn.office.net *.public.onecdn.static.microsoft cdn.fluidpreview.office.net https://midgardbranches.blob.core.windows.net res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft;img-src 'self' *.augloop.svc.cloud.microsoft *.cdn.office.net *.clipchamp.com *.create.microsoft.com *.loki.delve.office.com *.oasis.microsoft.com *.onecdn.static.microsoft *.osi.office.net *.osi.officeppe.net *.public.onecdn.static.microsoft *.s-microsoft.com *.sharepointonline.com *.svc.ms aadcdn.msftauthimages.net az787822.vo.msecnd.net blob: browser.events.data.microsoft.com cdn.create.microsoft.com cdn.designerapp.osi.office.net cdn.hubblecontent.osi.office.net clipchamp.df.onecdn.static.microsoft clipchamp.public.onecdn.static.microsoft content.lifecycle.office.net content.lifecycle.officeppe.net content.powerapps.com copilotstudio.preview.microsoft.com data: designer.cloud.microsoft designer.microsoft.com designerapp.edog.officeapps.live.com designerapp.officeapps.live.com forms.office.com https://outlook.office.com https://sdfpilot.outlook.com https://webshell.suite.office.com m365.cloud.microsoft measure.office.com media.licdn.com outlook-1.cdn.office.net pmservices.cp.microsoft.com powerautomate.microsoft.com preview.content.powerapps.com prod.msocdn.com prodapiicons.cdn.powerappscdn.net res-1.cdn.office.net res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft.com secure.aadcdn.microsoftonline-p.com spoprod-a.akamaihd.net static2.sharepointonline.com staticresources.payments.microsoft.com statics.teams.cdn.office.net substrate.office.com tip1apiicons.cdn.powerappscdn.net tip2apiicons.cdn.powerappscdn.net www.microsoft365.com;connect-src 'self' *.augloop.svc.cloud.microsoft *.cdn.office.net *.collabhubrtc.officeapps.live.com *.public.onecdn.static.microsoft *.microsoft.com *.office.com *.office365.com *.officeapps.live.com *.rtc.svc.cloud.microsoft *.sharepoint-df.com *.sharepoint.com *.svc.ms arc-emea.msn.com arc.msn.com blob: data: https: https://admin.microsoft.com https://api.onedrive.com https://artifacts.dev.azure.com https://browser.events.data.microsoft.com https://browser.pipe.aria.microsoft.com https://cdn.config.centro.core.microsoft https://clients.config.gcc.office.net https://clients.config.office.net https://config.edge.skype.com https://config.edge.skype.net https://consentreceiverfd-prod.azurefd.net https://eu-mobile.events.data.microsoft.com https://eu-office.events.data.microsoft.com https://graph.microsoft.com https://login.microsoftonline.com https://my.microsoftpersonalcontent.com https://nleditor.osi.officeppe.net https://odc.edog.officeapps.live.com https://outlook.cloud.microsoft https://petrol-int.office.microsoft.com https://petrol.office.microsoft.com https://pp1.prd.bmc.teams.microsoft.com https://teams.cloud.microsoft https://titles.prod.mos.microsoft.com res-dev.cdn.officeppe.net res.cdn.office.net wss: wss://*.augloop.office.com wss://*.augloop-gcc.office.com wss://*.dogfood.augloop.svc.cloud.microsoft wss://*.gcc.augloop.svc.cloud.microsoft wss://*.trouter.teams.microsoft.com wss://augloop.office.com wss://augloop.svc.cloud.microsoft wss://gcc.augloop.svc.cloud.microsoft wss://substrate.office.com;font-src 'self' 'unsafe-inline' *.azureedge.net *.cdn.office.net *.public.onecdn.static.microsoft *.fluidpreview.office.net *.sharepointonline.com cdn.create.microsoft.com data: fs.microsoft.com https://c.s-microsoft.com prod.msocdn.com res-dev.cdn.officeppe.net res.cdn.office.net res.public.onecdn.static.microsoft sharepointonline.com spoprod-a.akamaihd.net;frame-ancestors 'self' data: https://support.office.com;frame-src 'self' * *.cdn.office.net *.oasis.microsoft.com *.office.com *.officeapps.live.com *.sharepoint-df.com *.sharepoint.com blob: https://amcdn.msftauth.net https://create.cloud.microsoft https://create.microsoft.com https://login.live.com https://login.microsoftonline.com https://microsoft-onmicrosoft-com.access.mcas.ms https://my.microsoftpersonalcontent.com https://onedrive.live.com https://webshell.suite.officeppe.com https://www.odwebp.svc.ms ms-excel: ms-powerpoint: ms-word: onenote:;upgrade-insecure-requests;media-src 'self' https://*.sharepoint-df.com https://*.sharepoint.com blob: data: *.cdn.office.net *.azureedge.net *.core.windows.net *.clipchamp.com *.oasis.microsoft.com *.create.microsoft.com;manifest-src 'self';child-src blob:;object-src 'none';form-action https://*;worker-src 'self' blob:;trusted-types 'allow-duplicates' 1DSScriptURL @1js/midgard-trusted-types @azure/ms-rest-js#xml.browser @centro/floodgate @centro/hvc-loader @fluidx/loop @fluidx/loop#loop-app @fluidx/loop#loop-page-container @fluidx/loop#odsp-driver @fluidx/loop#office-fluid-container @microsoft/1ds-getcollectorurlsnippet-js#sanitize-html @msstream/azuremediaplayer#worker-noop @msstream/one-player#noop-create-html @msstream/one-player#sanitize-html MeControlScriptURL cdn-url#oneshell default domPurifyHTML domUtilsTrustedTypePolicy dompurify html2canvas html2canvas-feedback nextjs nextjs#bundler ocvPolicy officebrowserfeedback#domUtils safe-xml#oneshell sccChatTrustedTypesPolicy sccEntityDrawerTrustedTypesPolicy script-url#webpack shellInfoPolicy;report-uri https://csp.microsoft.com/report/OfficeAppHome-PROD;report-to AppHomeReportToEndpoint

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

2 headers

Cache-Control

Caching

max-age=300

Last-Modified

Caching

Wed, 14 Jan 2026 23:18:45 GMT

Content Headers

1 headers

Content-Type

Content

text/html

Server Headers

0 headers

No server headers found

CORS Headers

2 headers

Access-Control-Allow-Origin

Cors

*

Access-Control-Expose-Headers

Cors

date,Akamai-Request-BC,X-Cdn-Provider,X-Ms-Request-Id

Cookies Headers

0 headers

No cookies headers found

Other Headers

13 headers

Ak-Network

Other

FF

Akamai-Cache-Status

Other

Hit from child

Akamai-Request-Bc

Other

[a=23.1.97.13,b=1614223433,c=g,n=US_NJ_EDISON,o=20940]

Date

Other

Thu, 15 Jan 2026 04:15:51 GMT

Nel

Other

{"report_to":"NelM365CDNUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}

Report-To

Other

{"group":"NelM365CDNUpload1","max_age":604800,"endpoints":[{"url":"https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EDISON&ASN=20940&Country=US&Region=NJ&RequestIdentifier=0.0d610117.1768450552.60371849&TotalRTCDNTime=7&CompressionType=gzip&FileSize="}],"include_subdomains ":true}

Reporting-Endpoints

Other

AppHomeReportToEndpoint=&#34https://csp.microsoft.com/report/OfficeAppHome-PROD&#34

Server-Timing

Other

clientrtt; dur=7, clienttt; dur=, origin; dur=0 , cdntime; dur=0

Timing-Allow-Origin

Other

*

X-Cache

Other

CONFIG_NOCACHE

X-Cdn-Provider

Other

Akamai

X-Ms-Request-Id

Other

d1d4fab0-701e-004b-30d4-8503c4000000

X-Msedge-Ref

Other

Ref A: F633CF5923A84995A42E23C9ADA37F9C Ref B: BL2AA2010201003 Ref C: 2026-01-15T04:15:52Z

Recommendations

Enable compression (gzip/brotli) to improve performance