HTTP Headers Analysis for https://steam.tv

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Basic

default-src; script-src; object-src; +3 more

default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com https://www.youtube.com/iframe_api https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/s/player/ wasm-eval; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060 wss://*.cm.steampowered.com:* https://*.cm.steampowered.com:* wss://*.steamserver.net:* https://*.steamserver.net:* ws://localhost:27062 https://* ; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://w.soundcloud.com https://codepen.io https://streamable.com/ https://player.twitch.tv/ https://clips.twitch.tv/ https://sketchfab.com/ https://open.spotify.com/; frame-ancestors 'self' https://steamloopback.host ;

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

1 headers

Connection

Performance

close

Caching Headers

2 headers

Cache-Control

Caching

no-cache

Expires

Caching

Mon, 26 Jul 1997 05:00:00 GMT

Content Headers

2 headers

Content-Length

Content

9860

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

Server

nginx

CORS Headers

1 headers

Access-Control-Expose-Headers

Cors

X-BuildTimestamp, X-ForceUIUpdate

Cookies Headers

1 headers

Set-Cookie

Cookies

steamCountry=US%7C017db584b35060e6f6198b2319a80c9d; path=/; secure; HttpOnly; SameSite=None

Other Headers

2 headers

Date

Other

Sat, 17 Jan 2026 04:45:16 GMT

X-Buildtimestamp

Other

1768423651

Recommendations

Enable compression (gzip/brotli) to improve performance