HTTP Headers Analysis for https://staging.mybinding.com

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Basic

font-src; form-action; frame-ancestors; +14 more

font-src fonts.gstatic.com use.typekit.net *.typekit.net *.gstatic.com maxcdn.bootstrapcdn.com *.klaviyo.com/ *.googleapis.com *.audioeye.com *.zohocdn.com https://www.shopperapproved.com *.userway.org *.cdn-apple.com *.fontawesome.com https://fonts.bunny.net *.cloudflare.com *.twitter.com *.twimg.com *.trustedshops.com *.versapay.com *.paynup.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.paypal.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com *.cardinalcommerce.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * *.twitter.com *.versapay.com *.paynup.com *.facebook.com 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com bid.g.doubleclick.net *.youtube.com *.youtube-nocookie.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com player.vimeo.com https://www.google.com/recaptcha/ *.braintreegateway.com *.paypal.com google.com *.google.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com * *.twitter.com *.paynup.com *.versapay.com *.weltpixel.com *.googletagmanager.com *.doubleclick.net www.xtento.com 'self' 'unsafe-inline'; img-src assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com 'self' data: www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net analytics.google.com www.googletagmanager.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com p.typekit.net *.paypal.com *.typekit.net *.gstatic.com validator.swagger.io *.ftcdn.net *.behance.net data: https://images.unsplash.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com *.b0e8.com https://static.klaviyo.com https://static-forms.klaviyo.com https://fast.a.klaviyo.com https://static-tracking.klaviyo.com/ https://a.klaviyo.com/ https://telemetrics.klaviyo.com/ *.searchspring.io *.klaviyo.com/ *.mybinding.com https://mybinding.com/ *.google.co.in *.zohocdn.com *.justuno.com *.google.com *.audioeye.com *.zdassets.com *.zohopublic.com/ *.sproutvideo.com/ *.monthlywarranty.com https://cdn.ywxi.net/ https://creditkey-assets.s3-us-west-2.amazonaws.com/ https://bat.bing.com/ https://shopper.shop.pe/ *.creditkey.com https://media.mybinding.com/ *.zoho.com *.maillist-manage.net https://www.shopperapproved.com *.criteo.net *.userway.org *.cloudfront.net www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com https://img.youtube.com https://firebasestorage.googleapis.com store.paradoxlabs.com https://redchamps.com *.cloudflare.com *.klarna.com *.googleadservices.com *.google-analytics.com *.twitter.com *.twimg.com *.ytimg.com *.lightemporium.com *.usercentrics.eu *.versapay.com *.paynup.com *.facebook.com *.reddit.com *.ads-twitter.com t.co *.bing.com *.bing.net *.klaviyo.com *.clarity.ms *.googletagmanager.com *.doubleclick.net www.xtento.com cdn.xtento.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.commerce-payment-services.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net *.typekit.net google.com *.google.com *.cdn-apple.com *.braintreegateway.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com *.b0e8.com *.bc0a.com widget.freshworks.com m2epro.freshdesk.com https://static.klaviyo.com https://static-forms.klaviyo.com https://fast.a.klaviyo.com https://static-tracking.klaviyo.com/ https://a.klaviyo.com/ https://telemetrics.klaviyo.com/ s7.addthis.com *.searchspring.io *.mybinding.com *.justuno.com *.audioeye.com *.zdassets.com *.cloudinary.com *.googleapis.com https://www.monthlywarranty.com/ *.zohopublic.com *.searchspring.net https://shop.pe/ *.noibu.com *.pagesense.io https://bat.bing.com/ https://ca-eu.cookie-script.com/ *.zohocdn.com *.zohostatic.com https://cdn.jst.ai/ https://cdn.ywxi.net/ https://unpkg.com/ https://d2mjzob2nc713b.cloudfront.net/ *.jst.ai https://addshoppers.s3.amazonaws.com/ https://shopper.shop.pe/ https://www.trustedsite.com/ *.criteo.net https://sslwidget.criteo.com/ https://widget.us.criteo.com/ https://wsv3cdn.audioeye.com/ https://marvel-b2-cdn.bc0a.com/ *.wufoo.com *.zoho.com *.maillist-manage.net https://maillist-manage.net https://www.shopperapproved.com *.userway.org *.cloudfront.net https://payments-sdk.live.commerce-payment-services.com *.cookie-script.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.avada.io *.authorize.net *.cloudflare.com *.twitter.com *.google-analytics.com *.twimg.com *.gstatic.com *.trustedshops.com *.usercentrics.eu *.fontawesome.com *.versapay.com *.paynup.com *.datadoghq.com *.googletagmanager.com *.googleadservices.com *.facebook.net *.redditstatic.com *.reddit.com *.tiktok.com *.ads-twitter.com *.bing.com *.clarity.ms *.klaviyo.com unpkg.com *.doubleclick.net *.maxmind.com www.xtento.com cdn.xtento.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com fonts.googleapis.com widget.freshworks.com m2epro.freshdesk.com https://static.klaviyo.com maxcdn.bootstrapcdn.com *.klaviyo.com/ *.monthlywarranty.com *.searchspring.net *.googleapis.com *.typekit.net *.zohocdn.com/ https://css.zohostatic.com/ *.zohopublic.com/ *.maillist-manage.net *.zoho.com *.userway.org *.shopperapproved.com unsafe-inline assets.braintreegateway.com *.fontawesome.com https://fonts.bunny.net *.cloudflare.com *.twitter.com *.twimg.com *.gstatic.com *.trustedshops.com *.usercentrics.eu *.versapay.com *.paynup.com *.tagmanager.google.com *.googletagmanager.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.google-analytics.com www.googleadservices.com analytics.google.com www.googletagmanager.com vimeo.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com *.adobe.io performance.typekit.net *.sentry.io *.paypal.com google.com *.google.com *.braintreegateway.com *.braintree-api.com www.apptrian.com facebook.com www.facebook.com connect.facebook.net graph.facebook.com widget.freshworks.com m2epro.freshdesk.com https://static.klaviyo.com https://static-forms.klaviyo.com https://fast.a.klaviyo.com https://static-tracking.klaviyo.com/ https://a.klaviyo.com/ https://telemetrics.klaviyo.com/ ekr.zdassets.com/ *.searchspring.io *.mybinding.com *.zohopublic.com *.googleapis.com wss://vts.zohopublic.com/ *.audioeye.com *.noibu.com wss://input.noibu.com/ *.zoho.com https://creditkey-assets.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/ https://app.shop.pe/ https://shopper.shop.pe/ https://shop.pe/ *.shop.pe https://manage.safeopt.com/ https://aly.jst.ai/ *.criteo.com https://stats.g.doubleclick.net/ https://bat.bing.com/ https://www.google.co.in/ *.maillist-manage.net https://maillist-manage.net https://www.shopperapproved.com *.userway.org *.cdn-apple.com https://payments-sdk.live.commerce-payment-services.com *.cookie-script.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.cardinalcommerce.com https://get.geojs.io *.avada.io *.authorize.net *.cloudflare.com *.twitter.com *.twimg.com *.versapay.com *.paynup.com *.datadoghq.com *.google-analytics.com *.analytics.google.com *.facebook.net *.redditstatic.com *.reddit.com *.tiktok.com *.ads-twitter.com *.bing.com *.bing.net *.klaviyo.com *.clarity.ms *.doubleclick.net *.run.app *.mmapiws.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri https://static.zohocdn.com 'self' 'unsafe-inline'; report-uri http://127.0.0.1/magento_os/; report-to report-endpoint;, upgrade-insecure-requests;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

max-age=0, must-revalidate, no-cache, no-store

Expires

Caching

Thu, 16 Jan 2025 19:52:56 GMT

Pragma

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

PHPSESSID=92b8a7a27657da7c604b99113784ac57; expires=Sat, 17-Jan-2026 23:39:36 GMT; Max-Age=100000; path=/; domain=staging.mybinding.com; secure; HttpOnly; SameSite=Lax

Other Headers

8 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bf027f43a39d6f8-IAD

Date

Other

Fri, 16 Jan 2026 19:53:01 GMT

Report-To

Other

{"group":"report-endpoint","max_age":10886400,"endpoints":[{"url":"http:\/\/127.0.0.1\/magento_os\/"}]}

X-Built-With

Other

Hyva Themes

X-Served-By

Other

gpc127-dev1

X-Ua-Compatible

Other

IE=edge

Recommendations

Enable compression (gzip/brotli) to improve performance