HTTP Headers Analysis for https://perf.lowes.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

frame-ancestors; upgrade-insecure-requests; script-src; +4 more

frame-ancestors 'self'; upgrade-insecure-requests; script-src 'self' 'unsafe-inline' 'unsafe-eval' 3lift.com a.wishabi.com ad.doubleclick.net adnxs.com ads.nextdoor.com adservice.google.com adsrvr.org agkn.com alb.reddit.com analytics.google.com analytics.tiktok.com analytics.twitter.com api.bazaarvoice.com apply.syf.com approve.me apps.bazaarvoice.com aq.flippenterprise.net assets.adobedtm.com assets.revlifter.io b.va.us.criteo.com bat.bing.com bing.com c.go-mpulse.net casalemedia.com cdn.480app.com cdn.flippenterprise.net cdn-gateflipp.flippback.com cdn-scripts.signifyd.com cm.g.doubleclick.net cobrowse.screenmeet.com colrep.sitelabweb.com commercial.syf.com connect.facebook.net consent.trustarc.com content.syndigo.com conversions-config.reddit.com corp.flipp.com corporate.lowes.com criteo.com csi.gstatic.com ct.pinterest.com d.agkn.com d.us.criteo.com dam.flippenterprise.net demdex.net dev.lowescdn.com dotomi.com doubleclick.net dpm.demdex.net edge.fullstory.com event.syndigo.cloud f.wishabi.net fdz.flashtalking.com flashtalking.com flask.nextdoor.com flipp.com fonts.googleapis.com fonts.gstatic.com googleads.g.doubleclick.net gs.nmgassets.com hb.yahoo.net hc.lowes.com ib.adnxs.com igodigital.com imgs.signifyd.com imrworldwide.com insight.adsrvr.org jdl.nmgplatform.com jobs.lowes.com js.adsrvr.org krxd.net linkedin.com login.dotomi.com lowes.app.link lowes.com lowes.ecorebates.com lowes.sjv.io lowes.syf.com lowesnp500z.btttag.com lowespreload.com ls.chatid.com lwscomsit4.lowes.com maps.google.com maps.googleapis.com mobileimages.lowes.com mookie1.com multi-item-broker.flippback.com nebula-cdn.kampyle.com network-a.bazaarvoice.com ojrq.net p.flipp.com pdf.lowes.com perf.lowes.com phx.corporate-ir.net piefesperf.lowes.com pinterest.com pixel.rubiconproject.com ppmobileimages.lowes.com reports.sdiapi.com rs.fullstory.com s.go-mpulse.net s.pinimg.com s.yimg.com salsify-ecdn.com securepubads.g.doubleclick.net secureweb.infotrac.net servedby.flashtalking.com services.sdiapi.com sharethrough.com simage2.pubmatic.com sjv.io sp.analytics.yahoo.com stage.carbon.gcp.lowes.com static.ads-twitter.com static.ecorebates.com stats.g.doubleclick.net storage.googleapis.com t.co tiktok.com tpc.googlesyndication.com truoptik.com twitter.com udc-neb.kampyle.com ups.analytics.yahoo.com utt.impactcdn.com uwww.setpay.com vice1.lowes.com www.americanexpress.com www.facebook.com www.google.com www.google-analytics.com www.googletagmanager.com www.googletagservices.com www.lowes.com www.lowescdn.com www.ojrq.net www.redditstatic.com www.wearegenerationt.com x.bidswitch.net yahoo.com *.akamaihd.net *.akstat.io *.reflectiz.net google.com; connect-src 'self' *.480app.com *.adnxs.com *.adobedtm.com *.ads-twitter.com *.adsrvr.org *.agkn.com *.akamaihd.net *.akstat.io *.bing.com *.btttag.com *.demdex.net *.dotomi.com *.doubleclick.net *.facebook.com *.facebook.net *.flashtalking.com *.flipp.com *.flippback.com *.flippenterprise.net *.fullstory.com *.go-mpulse.net *.google-analytics.com *.google.com *.googleapis.com *.googletagmanager.com *.googletagservices.com *.gstatic.com *.igodigital.com *.impactcdn.com *.kampyle.com *.lowes.com *.lowescdn.com *.nextdoor.com *.nmgassets.com *.nmgplatform.com *.ojrq.net *.pinimg.com *.pinterest.com *.pubmatic.com *.reddit.com *.redditstatic.com *.revlifter.io *.screenmeet.com *.sdiapi.com *.signifyd.com *.sitelabweb.com *.sjv.io *.tiktok.com *.trustarc.com *.twitter.com *.wishabi.com *.wishabi.net *.yahoo.com *.yahoo.net *.yimg.com 5983add9a93ca3df5bac945ad7b37728.safeframe.googlesyndication.com google.com t.co tpc.googlesyndication.com adnxs.com adsrvr.org 3lift.com agkn.com api.bazaarvoice.com apply.syf.com approve.me apps.bazaarvoice.com b.va.us.criteo.com bing.com casalemedia.com commercial.syf.com content.syndigo.com criteo.com d.us.criteo.com demdex.net dotomi.com doubleclick.net event.syndigo.cloud flashtalking.com flipp.com igodigital.com imrworldwide.com krxd.net linkedin.com lowes.app.link lowes.com lowes.ecorebates.com lowes.syf.com lowespreload.com ls.chatid.com mookie1.com network-a.bazaarvoice.com ojrq.net phx.corporate-ir.net pinterest.com pixel.rubiconproject.com salsify-ecdn.com secureweb.infotrac.net sharethrough.com sjv.io static.ecorebates.com tiktok.com truoptik.com twitter.com uwww.setpay.com www.americanexpress.com www.wearegenerationt.com x.bidswitch.net yahoo.com; object-src 'none'; base-uri 'self'; worker-src data: blob: ;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

1 headers

Connection

Performance

close

Caching Headers

1 headers

Expires

Caching

Mon, 02 Feb 2026 09:23:29 GMT

Content Headers

2 headers

Content-Length

Content

368

Content-Type

Content

text/html

Server Headers

1 headers

Server

AkamaiGHost

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

akaalb_perf_dual=1770110609~op=PERF_GCP_EAST_CTRL_DFLT:PERF_DEFAULT_EAST|~rv=72~m=PERF_DEFAULT_EAST:0|~os=14462d161d8526f3cd10bd3164564690~id=413fa32e1d8507daed97f0de4c6f4e6f; path=/; Expires=Tue, 03 Feb 2026 09:23:29 GMT; HttpOnly; Secure; SameSite=None