HTTP Headers Analysis for https://ppe.sds.microsoft.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=2592000

Content-Security-Policy

Strong

default-src; base-uri; script-src; +14 more

default-src 'none'; base-uri 'self'; script-src 'self' 'report-sample' 'nonce-D049xPQ+SjlKH/hOXN6QNg==' https://educdnppe.azureedge.net https://graph.microsoft.com https://res-1.cdn.office.net https://js.monitor.azure.com https://r4.res.office365.com https://amcdn.msauth.net https://amcdn.msftauth.net https://shell.cdn.office.net https://webshell.suite.office.com https://outlook.office.com https://web.vortex.data.microsoft.com; style-src 'self' 'report-sample' 'nonce-D049xPQ+SjlKH/hOXN6QNg==' 'sha256-WnYlf4sptvofAmLuSzc4I5AoL2p0tgh3zAhcB9i4jik=' 'sha256-JaeWdynp34yZFItR6NRzqQlLrmBPQ+OifbVpZ1yNVXg=' 'sha256-78mlrqYIBBCiN+RpcokpLFXVubwiyrzodb8eMOSQ4/c=' 'sha256-lRPq5UzwtkX96GmKv3caLPlHbEwm5fkIYZd2uJ5atTI=' 'sha256-XLNjfATk1/ozw+KgbXkG6BpZRxgXtF8vDBhNFLj/yBY=' 'sha256-2WQamnEPh84sQbUASktVCzKkl3Kf/KoGPTCDJ6qraUg=' 'sha256-7t4hvFH6TkqUWfUY0WRTP0kxg5g4L5vtrdGLJir+3e4=' 'sha256-JCyahuSyXGrkupW8aE+WS0CeZJR8EXOxAduAFkY4HPQ=' 'sha256-pYqPpWQ1wHqmCoi74xGAT/ALP85EZ9Sq0sjiIOYX1wo=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-6eFVy/MgSOeHXEcsmQK8CXKSktICgwSkQL8tmiQkgvc=' https://educdnppe.azureedge.net https://www.microsoft.com https://shell.cdn.office.net https://res-1.cdn.office.net; font-src 'self' data: https://www.microsoft.com https://c.s-microsoft.com https://res.cdn.office.net https://res-1.cdn.office.net; img-src 'self' data: https://educdnppe.azureedge.net https://ow1.res.office365.com https://outlook.office.com https://shell.cdn.office.net https://res-1.cdn.office.net https://res.cdn.office.net https://outlook.cloud.microsoft; connect-src blob: 'self' https://localhost:3001 https://res.cdn.office.net https://graph.microsoft.com https://*.sds.microsoft.com https://sds.microsoft.com https://*.sds.edu.cloud.dev.microsoft https://sds.edu.cloud.dev.microsoft https://educdnppe.azureedge.net https://eduarprsppewus2uplstore.dfs.core.windows.net https://eduarprsppeweuuplstore.dfs.core.windows.net https://eduarprsppewus2uplstore.blob.core.windows.net https://eduarprsppeweuuplstore.blob.core.windows.net https://config.edge.skype.com https://ecs.office.com https://browser.pipe.aria.microsoft.com https://*.events.data.microsoft.com https://*.fp.measure.office.com https://uhf.microsoft.com https://res-1.cdn.office.net https://*.office.com https://shell.cdn.office.net https://login.microsoftonline.com https://pp1.prd.attend.teams.microsoft.com https://*.officeapps.live.com https://outlook.office365.com https://m365.cloud.microsoft https://*.config.skype.com; media-src https://educdnppe.azureedge.net; form-action 'none'; frame-src https://support.office.com https://webshell.suite.office.com https://shell.cdn.office.net https://amcdn.msftauth.net https://outlook.office.com; worker-src 'none'; object-src 'none'; manifest-src 'self' https://educdnppe.azureedge.net; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; report-uri https://csp.microsoft.com/report/SchoolDataSync-PPE;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Caching Headers

3 headers

Cache-Control

Caching

no-store, no-cache, must-revalidate, max-age=0

Expires

Caching

0

Pragma

Caching

no-cache

Content Headers

2 headers

Content-Length

Content

3999

Content-Type

Content

text/html

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

ASLBSACORS=000305e55ec62ca6f4678ae0fc96fb2d1e4e4fc00aac20c9ff7975deb4c83b2c87c0; SameSite=none; Path=/; Secure; HttpOnly;

Other Headers

5 headers

Date

Other

Wed, 14 Jan 2026 01:00:24 GMT

X-Azure-Ref

Other

20260114T010022Z-17b7f96fb7c2t2hrhC1BL10u8000000003n0000000002xbf

X-Cache

Other

CONFIG_NOCACHE

X-Classroom-Correlation-Id

Other

355df16c-7109-46c3-bfdf-459ee47a2ccf

X-Robots-Tag

Other

noindex

Recommendations

Enable compression (gzip/brotli) to improve performance