HTTP Headers Analysis for https://opensea.io

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; style-src; +11 more

default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://os2-fqbf8.quill.run https://widget.intercom.io/widget/rws4jyr5 https://js.intercomcdn.com https://static.moonpay.com https://static.seadn.io/os2/tv_library/charting_library/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static.seadn.io/os2/tv_library/charting_library/; connect-src 'self' data: wss://os2-wss.prod.privatesea.io wss://api.hyperliquid.xyz https://api.hyperliquid.xyz https://gql.opensea.io https://features.opensea.io https://static.seadn.io https://i2.seadn.io https://*.mux.com *.openseaprorelayproxy.com https://api.amplitude.com https://api2.amplitude.com https://sr-client-cfg.amplitude.com https://o406206.ingest.sentry.io https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com/ https://os2-fqbf8.quill.run https://api.mainnet.abs.xyz https://arb1.arbitrum.io/rpc https://nova.arbitrum.io/rpc https://eth.merkle.io https://api.avax.network/ext/bc/C/rpc https://api.avax-test.network/ext/bc/C/rpc https://rpc.blast.io https://56.rpc.thirdweb.com https://mainnet.evm.nodes.onflow.org https://public-en-cypress.klaytn.net https://polygon-rpc.com https://rpc-amoy.polygon.technology https://mainnet.base.org https://sepolia.base.org https://sepolia.drpc.org https://rpc.zora.energy https://evm-rpc.sei-apis.com/ https://rpc.berachain.com https://api.roninchain.com/rpc https://rpc.soneium.org https://mainnet.shape.network https://mainnet.unichain.org/ https://mainnet-rpc.b3.fun/http https://cloudflare-eth.com https://mainnet.infura.io https://*.llamarpc.com https://*.g.alchemy.com https://*.quiknode.pro https://rpc.monad.xyz https://rpc.hyperliquid.xyz/evm https://thrumming-blue-uranium.solana-mainnet.quiknode.pro wss://thrumming-blue-uranium.solana-mainnet.quiknode.pro https://rpc.gunzchain.io https://api.infra.mainnet.somnia.network https://auth-api.infra.mainnet.somnia.network https://swr.xnftdata.com/rpc-proxy/ https://mainnet.megaeth.com/rpc https://wallets.opensea.io/ https://www.walletlink.org wss://www.walletlink.org https://pulse.walletconnect.org https://api.web3modal.org wss://relay.walletconnect.org https://metamask-sdk.api.cx.metamask.io https://mm-sdk-analytics.api.cx.metamask.io wss://metamask-sdk.api.cx.metamask.io https://chain-proxy.wallet.coinbase.com https://cca-lite.coinbase.com https://*.intercom.io https://*.intercomcdn.com https://*.intercomassets.com wss://*.intercom.io https://prod-mainnet-temp-uploads.s3.us-east-1.amazonaws.com https://api.moonpay.com https://moonpay.com https://auth.privy.io https://seadn-original-media.s3.us-east-1.amazonaws.com https://vitals.vercel-insights.com; img-src 'self' blob: data: https://opensea.io https://static.opensea.io https://*.featurebase-attachments.com https://fb-usercontent.fra1.cdn.digitaloceanspaces.com https://static.seadn.io https://raw2.seadn.io https://i2.seadn.io https://i2c.seadn.io https://image.mux.com https://stream.mux.com https://*.canarytokens.org/ https://canarytokens.org/ https://*.intercomcdn.com https://*.intercomassets.com https://cdnjs.cloudflare.com/ajax/libs/twemoji/ https://cdn.prod.website-files.com https://media.veefriends.com/ https://i.ibb.co/ https://app.hyperliquid.xyz/coins/; media-src 'self' blob: data: https://raw2.seadn.io https://static.seadn.io https://i2.seadn.io https://i2c.seadn.io https://image.mux.com https://stream.mux.com; font-src 'self' https://fonts.gstatic.com https://static.seadn.io/os2/tv_library/charting_library/; object-src 'none'; base-uri 'self' https://static.seadn.io/os2/tv_library/charting_library/; form-action 'self'; frame-ancestors 'self' https://wallets.opensea.io/ https://privy.wallets.opensea.io; frame-src 'self' https://wallets.opensea.io/ https://privy.wallets.opensea.io https://auth.privy.io https://*.moonpay.com https://i2.seadn.io https://i2c.seadn.io https://static.seadn.io https: blob:; block-all-mixed-content; upgrade-insecure-requests;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding

Caching Headers

1 headers

Cache-Control

Caching

public, max-age=0, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

2 headers

Server

cloudflare

X-Powered-By

Server

Next.js

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=gQYK_o8wntpeZh4bcqA_Gj5FdocGFX0Ybvg1gRwjQn8-1768350496-1.0.1.1-91hk0HK4.Hwc_CsYBUkCNMTf0bF7KBFmbw7XQdnzXkc8q8zK_jlvDefwl1APrhPbb5g5OTKH3Xz5.sAa11_Gyqf8PpUNV0rSkTP6Nap.NU8; path=/; expires=Wed, 14-Jan-26 00:58:16 GMT; domain=.opensea.io; HttpOnly; Secure; SameSite=None

Other Headers

12 headers

Cf-Cache-Status

Other

MISS

Cf-Placement

Other

local-IAD

Cf-Ray

Other

9bd903284c1ad6df-IAD

Date

Other

Wed, 14 Jan 2026 00:28:16 GMT

Link

Other

<https://os2-fut.prod.privatesea.io/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="en-US", <https://os2-fut.prod.privatesea.io/es/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="es", <https://os2-fut.prod.privatesea.io/de-DE/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="de-DE", <https://os2-fut.prod.privatesea.io/fr/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="fr", <https://os2-fut.prod.privatesea.io/ja/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="ja", <https://os2-fut.prod.privatesea.io/zh-CN/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="zh-CN", <https://os2-fut.prod.privatesea.io/zh-TW/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="zh-TW", <https://os2-fut.prod.privatesea.io/crypto/collector/discover/collections/open/table>; rel="alternate"; hreflang="x-default"

X-Dns-Prefetch-Control

Other

on

X-Matched-Path

Other

/en-US/crypto/collector/discover/collections/open/table

X-Nextjs-Prerender

Other

1

X-Nextjs-Stale-Time

Other

300

X-Permitted-Cross-Domain-Policies

Other

none

X-Vercel-Cache

Other

HIT

X-Vercel-Id

Other

iad1::iad1::frn54-1768350496084-52abb2d4e287

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology