Open
Cached
·
just now
23
Headers
HTTP Security Headers
Status
Strict-Transport-Security
Present
max-age=31557600
Content-Security-Policy
Good
default-src; frame-ancestors; object-src; +1 more
default-src 'self' https://support.theguardian.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent.support.guardianapis.com members-data-api.theguardian.com metric-push-api-prod.support.guardianapis.com www.paypalobjects.com www.paypal.com t.paypal.com www.sandbox.paypal.com js.stripe.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/ https://tickets.theguardian.live/ https://www.tickettailor.com/ https://cdn.tickettailor.com/js/widgets/min/widget.js https://cdn.tickettailor.com/js/widgets/min/widget.css https://feast-events.guardianapis.com/web-vitals https://observer.co.uk/favicon.png https://observer.co.uk/favicon.ico https://profile.theguardian.com/; frame-ancestors https://theguardian.newspapers.com https://gnmtouchpoint--c.eu31.visual.force.com https://gnmtouchpoint.lightning.force.com https://www.theguardian.com https://gnmtouchpoint--c.vf.force.com; object-src 'none'; base-uri 'none'
X-Frame-Options
Excellent
DENY
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Present
origin-when-cross-origin, strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
- • Increase HSTS max-age to at least 1 year and add includeSubDomains
- • Strengthen CSP by removing 'unsafe-eval'
- • Consider adding Permissions-Policy to control browser features
Performance Headers
3 headers
Accept-Ranges
Performance
bytes
Connection
Performance
close
Vary
Performance
DNT,Origin, Accept-Encoding
Caching Headers
3 headers
Age
Caching
0
Cache-Control
Caching
max-age=60, stale-while-revalidate=6, stale-if-error=864000
Expires
Caching
Mon, 29 Dec 2025 06:25:57 GMT
Content Headers
2 headers
Content-Length
Content
103878
Content-Type
Content
text/html; charset=UTF-8
Server Headers
0 headers
No server headers found
CORS Headers
1 headers
Access-Control-Allow-Origin
Cors
*
Cookies Headers
1 headers
Set-Cookie
Cookies
GU_geo_country=US; path=/;
Other Headers
7 headers
Date
Other
Mon, 29 Dec 2025 06:24:57 GMT
Via
Other
1.1 varnish
X-Cache
Other
MISS
X-Cache-Hits
Other
0
X-Permitted-Cross-Domain-Policies
Other
master-only
X-Served-By
Other
cache-iad-kcgs7200051-IAD
X-Timer
Other
S1766989497.253690,VS0,VE578
Recommendations
Enable compression (gzip/brotli) to improve performance
Analysis completed in 1077ms