HTTP Headers Analysis for https://server.h5p.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; connect-src; img-src; +8 more

default-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io; connect-src 'self' https://eu-west-1.cdn.h5p.com *.h5p.com https://c.h5p.io https://h5p.zendesk.com/ https://ekr.zdassets.com/ https://checkout.stripe.com/ https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://www.wiris.net/ https://api.h5p.org/v1/licenses/ vimeo.com/api/ wss://multiplayer-eu-west-1.h5p.com hub-api.h5p.org https://*.google-analytics.com/ https://cdn.linkedin.oribi.io/partner/ https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://data.wiris.cloud/telemetry/v1 https://*.userpilot.io wss://*.userpilot.io; img-src * data: blob: https://*.userpilot.io; media-src * blob:; frame-src * blob:; object-src 'none'; child-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io blob: *.vimeo.com vimeo.com; script-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io 'unsafe-inline' 'unsafe-eval' blob: https://*.hotjar.com static.zdassets.com www.youtube.com gdata.youtube.com/feeds/api/ https://s.ytimg.com/yts/jsbin/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com/v3/ https://checkout.stripe.com/ en.wikipedia.org/w/api.php api.flickr.com/services/rest/ soundcloud.com/oembed https://developers.panopto.com/ https://www.wiris.net/ https://player.vimeo.com https://www.vimeo.com https://f.vimeocdn.com https://connect.facebook.net/ https://snap.licdn.com/li.lms-analytics/ https://*.googletagmanager.com https://*.userpilot.io; style-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io 'unsafe-inline' https://checkout.stripe.com/ https://fonts.googleapis.com/css https://fonts.googleapis.com/css2 https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ https://*.hotjar.com https://www.wiris.net/ https://*.userpilot.io; font-src 'self' https://eu-west-1.cdn.h5p.com https://c.h5p.io data: https://fonts.gstatic.com https://cdnjs.cloudflare.com/ https://*.hotjar.com https://www.wiris.net/; frame-ancestors 'none';

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Caching Headers

1 headers

Cache-Control

Caching

no-cache, private

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

Apache

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

CloudFront-Key-Pair-Id=APKAIOPYPI3F2N2UIDSQ; path=/; domain=h5p.com; secure; httponly; samesite=none

Other Headers

3 headers

Date

Other

Thu, 01 Jan 2026 09:36:58 GMT

X-Ratelimit-Limit

Other

300

X-Ratelimit-Remaining

Other

299

Recommendations

Enable compression (gzip/brotli) to improve performance