Open
Cached
·
just now
20
Headers
HTTP Security Headers
Status
Strict-Transport-Security
Missing
Not configured
Content-Security-Policy
Basic
default-src; child-src; connect-src; +8 more
default-src https 'self'; child-src * data: blob:; connect-src 'self' blob: www.dropbox.com api.dropboxapi.com s3.amazonaws.com/gumroad s3.amazonaws.com/gumroad/ s3.amazonaws.com/gumroad-public-storage s3.amazonaws.com/gumroad-public-storage/ gumroad-public-storage.s3.amazonaws.com gumroad-public-storage.s3.amazonaws.com/ www.google.com www.gstatic.com *.facebook.com *.facebook.net *.google-analytics.com *.g.doubleclick.net *.googletagmanager.com analytics.google.com *.analytics.google.com files.gumroad.com/ d1bdh6c3ceakz5.cloudfront.net/ *.braintreegateway.com www.paypalobjects.com *.paypal.com *.braintree-api.com iframe.ly help.gumroad.com gumroad.com wss://cable.gumroad.com assets.gumroad.com; font-src * data: blob:; frame-src * data: blob:; img-src * data: blob:; media-src * data: blob:; object-src * data: blob:; script-src 'self' 'unsafe-eval' ajax.cloudflare.com static.cloudflareinsights.com js.stripe.com api.stripe.com connect-js.stripe.com *.braintreegateway.com *.braintree-api.com www.paypalobjects.com *.paypal.com *.google-analytics.com *.googletagmanager.com optimize.google.com www.googleadservices.com www.google.com www.gstatic.com *.facebook.net *.facebook.com www.dropbox.com s.ytimg.com cdn.iframe.ly platform.twitter.com cdn.jwplayer.com *.jwpcdn.com gumroad.us3.list-manage.com analytics.twitter.com help.gumroad.com unpkg.com/@lottiefiles/lottie-player@latest/ gumroad.com assets.gumroad.com 'nonce-dMWIupPM9mq2vKJzXX52PkDavcOonCLbxe5sfl9UaZg=' 'unsafe-inline'; style-src 'self' 'unsafe-inline' s.ytimg.com optimize.google.com fonts.googleapis.com assets.gumroad.com; worker-src * data: blob:
X-Frame-Options
Missing
Not configured
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- • Add Strict-Transport-Security header with max-age of at least 1 year
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- • Consider adding Permissions-Policy to control browser features
Performance Headers
2 headers
Connection
Performance
close
Vary
Performance
Origin
Caching Headers
2 headers
Cache-Control
Caching
max-age=0, private, must-revalidate
Etag
Caching
W/"6b3b4b736c5e2f44c2c8e7071e63b84e"
Content Headers
2 headers
Content-Length
Content
97050
Content-Type
Content
text/html; charset=utf-8
Server Headers
2 headers
Server
Server
openresty/1.19.9.1
X-Runtime
Server
3.497914
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 headers
Set-Cookie
Cookies
XSRF-TOKEN=IlcGvZ8B-QAGN9uCY8vFdgG82xndKE9iPV5ATxTttUljRGlLwP8xlHqu_-qirpTGIhYJ5K-BOBgVd5T16e_dAg; path=/; samesite=lax; HttpOnly
Other Headers
8 headers
Date
Other
Sun, 11 Jan 2026 16:37:25 GMT
Link
Other
<https://assets.gumroad.com/packs/css/design-374d0d48.css>; rel=preload; as=style; crossorigin=anonymous; nopush,<https://assets.gumroad.com/assets/application-cbf244e9109e70d7b04497041636f00173a1e588f9b879b3a3ef11f8dfb86e5c.js>; rel=preload; as=script; nopush
X-Download-Options
Other
noopen
X-Gr
Other
PROD
X-Original-Headers-Class
Other
Rack::Headers
X-Permitted-Cross-Domain-Policies
Other
none
X-Request-Id
Other
1dc09fb3-866c-4777-9423-408e81991b4e
X-Revision
Other
24fad8579dd6
Recommendations
Enable compression (gzip/brotli) to improve performance