Open
Cached
·
just now
19
Headers
HTTP Security Headers
Status
Strict-Transport-Security
Missing
Not configured
Content-Security-Policy
Missing
Not configured
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Missing
Not configured
Permissions-Policy
Missing
Not configured
Recommendations
- • Add Strict-Transport-Security header with max-age of at least 1 year
- • Add Content-Security-Policy header to prevent XSS attacks
- • Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
- • Consider adding Permissions-Policy to control browser features
Performance Headers
2 headers
Connection
Performance
close
Vary
Performance
Accept-Encoding
Caching Headers
0 headers
No caching headers found
Content Headers
2 headers
Content-Length
Content
411556
Content-Type
Content
text/html; charset=utf-8
Server Headers
1 headers
X-Powered-By
Server
hydra
CORS Headers
0 headers
No CORS headers found
Cookies Headers
1 headers
Set-Cookie
Cookies
uc_pref_staging=%7B%22SELECTED_GEOGRAPHY%22%3A%22dc%22%7D; Domain=.compass.com; Path=/
Other Headers
10 headers
Content-Security-Policy-Report-Only
Other
base-uri 'self'; connect-src https: wss: blob:; default-src 'none'; font-src https: data:; frame-src https: blob:; img-src https: data: blob:; manifest-src 'self'; media-src https:; object-src 'none'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' https://api-gamma.compass.com https://app-glide-staging.compass.com https://cdn.heapanalytics.com https://heapanalytics.com https://cdn.segment.com https://connect.facebook.net https://edge.fullstory.com/s/ https://maps.googleapis.com/maps/api/js/ https://static.zdassets.com/ekr/snippet.js https://static.filestackapi.com https://web-sdk.aptrinsic.com/api/aptrinsic.js https://www.datadoghq-browser-agent.com https://www.google-analytics.com https://www.googleadservices.com https://www.google.com/recaptcha/ https://maps.googleapis.com https://apis.google.com https://www.gstatic.com https://www.googletagmanager.com https://js.stripe.com https://stats.pusher.com https://widget.intercom.io https://js.intercomcdn.com https://boards.greenhouse.io https://siteintercept.qualtrics.com https://zn0feyon15oqdwcu1-compass.siteintercept.qualtrics.com https://www.youtube.com https://googleads.g.doubleclick.net https://snap.licdn.com https://js.hubspot.com https://js.hs-analytics.net https://js.hs-scripts.com https://js.hsadspixel.net https://js.hs-banner.com https://fast.wistia.com https://js.userpilot.io https://deploy.userpilot.io https://t.contentsquare.net https://consent.trustarc.com https://www.compass.com https://gamma.compass.com https://staging.compass.com https://api.compass.com https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net https://code.jquery.com https://beta.compass.com; script-src-elem 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' https://api-gamma.compass.com https://app-glide-staging.compass.com https://cdn.heapanalytics.com https://heapanalytics.com https://cdn.segment.com https://connect.facebook.net https://edge.fullstory.com/s/ https://maps.googleapis.com/maps/api/js/ https://static.zdassets.com/ekr/snippet.js https://static.filestackapi.com https://web-sdk.aptrinsic.com/api/aptrinsic.js https://www.datadoghq-browser-agent.com https://www.google-analytics.com https://www.googleadservices.com https://www.google.com/recaptcha/ https://maps.googleapis.com https://apis.google.com https://www.gstatic.com https://www.googletagmanager.com https://js.stripe.com https://stats.pusher.com https://widget.intercom.io https://js.intercomcdn.com https://boards.greenhouse.io https://siteintercept.qualtrics.com https://zn0feyon15oqdwcu1-compass.siteintercept.qualtrics.com https://www.youtube.com https://googleads.g.doubleclick.net https://snap.licdn.com https://js.hubspot.com https://js.hs-analytics.net https://js.hs-scripts.com https://js.hsadspixel.net https://js.hs-banner.com https://fast.wistia.com https://js.userpilot.io https://deploy.userpilot.io https://t.contentsquare.net https://consent.trustarc.com https://www.compass.com https://gamma.compass.com https://staging.compass.com https://api.compass.com https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net https://code.jquery.com https://beta.compass.com; style-src 'report-sample' 'self' 'unsafe-inline' https://uc-frontend-assets-staging.compass.com https://app-glide-staging.compass.com https://www.google-analytics.com https://www.googletagmanager.com https://fonts.googleapis.com https://static.filestackapi.com https://web-sdk.aptrinsic.com https://www.gstatic.com https://heapanalytics.com https://app-glide-staging.compass.com https://www.compass.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://compass.com https://gamma.compass.com https://staging.compass.com https://unpkg.com blob:; worker-src 'self' blob:; report-uri /csp-report/?key=new
Date
Other
Sun, 01 Feb 2026 14:04:21 GMT
Via
Other
1.1 ef81d2c0d5984a166a5467acd7c2d88a.cloudfront.net (CloudFront)
X-Amz-Cf-Id
Other
rlaQCoIpA0hWr4g2pwnh0mtbKr7TEFAl1rR0nEDzxHCd0xiDUp6TIA==
X-Amz-Cf-Pop
Other
IAD55-P8
X-Cache
Other
Miss from cloudfront
X-Compass-Request-Id
Other
463cdef5-12b5-4624-8a13-79d56f5501ef
X-Dns-Prefetch-Control
Other
off
X-Download-Options
Other
noopen
X-Robots-Tag
Other
noindex, nofollow
Recommendations
Enable compression (gzip/brotli) to improve performance
Add Cache-Control header to optimize caching
Consider removing X-Powered-By header to hide server technology