26 Headers

HTTP Security Headers

  Header                      Status      Value
  Strict-Transport-Security   Present     max-age=31536000
  Content-Security-Policy     Missing     Not configured
  X-Frame-Options             Excellent   DENY
  X-Content-Type-Options      Good        nosniff
  Referrer-Policy             Missing     Not configured
  Permissions-Policy          Missing     Not configured

Recommendations
  • Increase HSTS max-age to at least 1 year and add includeSubDomains
  • Add Content-Security-Policy header to prevent XSS attacks
  • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
  • Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers
  Header       Category      Value
  Connection   Performance   close
  Vary         Performance   Accept-Encoding

Caching Headers

4 headers
  Header          Category   Value
  Cache-Control   Caching    private,no-cache,no-store,pre-check=0,post-check=0,must-revalidate
  Etag            Caching    W/"33d24-J8S9XPRxwog1fCbCpLyJP2fNEv4"
  Expires         Caching    -1
  Pragma          Caching    no-cache

Content Headers

2 headers
  Header           Category   Value
  Content-Length   Content    212260
  Content-Type     Content    text/html; charset=utf-8

Server Headers

2 headers
  Header         Category   Value
  Server         Server     istio-envoy
  X-Powered-By   Server     Express

CORS Headers

0 headers
No CORS headers found

Cookies Headers

1 header
  Header       Category   Value
  Set-Cookie   Cookies    hosted-shell=%7B%22clientId%22%3A%22b2054dcb-4f66-4576-88fd-459857618a8c%22%7D; Path=/; Expires=Fri, 18 Jan 2036 00:16:29 GMT; HttpOnly; Secure

Other Headers

11 headers
  Header                                Category   Value
  Content-Security-Policy-Report-Only   Other
  Date                                  Other      Tue, 20 Jan 2026 00:16:30 GMT
  Intuit_tid                            Other      1-696ec95d-70d483387e2cdca25148ea64
  Server-Timing                         Other      pluginConfigs;dur=1.83,appMw;dur=0.03,ixpAssignments;dur=0.04,appPostAuthMw;dur=0.02,shellServiceMw;dur=88.01,totalMwExecTime;dur=182.71
  X-Amzn-Trace-Id                       Other      Root=1-696ec95d-70d483387e2cdca25148ea64
  X-Dns-Prefetch-Control                Other      off
  X-Download-Options                    Other      noopen
  X-Envoy-Upstream-Service-Time         Other      206
  X-Intuit-Upstream-Locality-Region     Other      us-west-2
  X-Request-Id                          Other      1-696ec95d-70d483387e2cdca25148ea64
  X-Spanid                              Other      703ad5c4-2f8b-68bc-805a-83e956077590

Recommendations
  • Enable compression (gzip/brotli) to improve performance
  • Consider removing X-Powered-By header to hide server technology