HTTP Headers Analysis for https://support.code.dev-theguardian.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=300

Content-Security-Policy

Good

default-src; frame-ancestors; object-src; +1 more

default-src 'self' https://support.code.dev-theguardian.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent-code.support.guardianapis.com www.paypalobjects.com t.paypal.com/ members-data-api.code.dev-theguardian.com metric-push-api-code.support.guardianapis.com www.paypal.com www.sandbox.paypal.com js.stripe.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/ https://tickets.theguardian.live/ https://www.tickettailor.com/ https://cdn.tickettailor.com/js/widgets/min/widget.js https://cdn.tickettailor.com/js/widgets/min/widget.css https://feast-events.guardianapis.com/web-vitals https://observer.co.uk/favicon.png https://observer.co.uk/favicon.ico https://profile.code.dev-theguardian.com/; frame-ancestors https://theguardian.newspapers.com https://gnmtouchpoint--dev1--c.cs88.visual.force.com https://gnmtouchpoint--dev1.lightning.force.com https://m.code.dev-theguardian.com https://gnmtouchpoint--dev1--c.sandbox.vf.force.com https://gnmtouchpoint--dev1.sandbox.lightning.force.com; object-src 'none'; base-uri 'none'

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin, strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Vary

Performance

Origin, Accept-Encoding

Caching Headers

1 headers

Cache-Control

Caching

no-cache, private

Content Headers

2 headers

Content-Length

Content

140817

Content-Type

Content

text/html; charset=UTF-8

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

GU_geo_country=US; path=/;

Other Headers

8 headers

Alt-Svc

Other

h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

Date

Other

Fri, 02 Jan 2026 03:59:51 GMT

Via

Other

1.1 varnish

X-Cache

Other

MISS

X-Cache-Hits

Other

0

X-Permitted-Cross-Domain-Policies

Other

master-only

X-Served-By

Other

cache-pdk-kfty8610093-PDK

X-Timer

Other

S1767326391.686935,VS0,VE681

Recommendations

Enable compression (gzip/brotli) to improve performance