34 Headers

HTTP Security Headers

Status
Strict-Transport-Security
Present
max-age=31536000; includeSubdomains
Content-Security-Policy
Basic
report-uri; report-to; upgrade-insecure-requests; +4 more
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
strict-origin-when-cross-origin
Permissions-Policy
Missing
Not configured
Recommendations
  • Increase HSTS max-age to at least 1 year and add includeSubDomains
  • Improve CSP by adding more specific directives and removing 'unsafe-inline'
  • Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers
Connection
Performance
Transfer-Encoding
Transfer-Encoding
Performance
chunked

Caching Headers

3 headers
Cache-Control
Caching
max-age=0, no-cache, no-store
Expires
Caching
Tue, 04 Nov 2025 12:54:38 GMT
Pragma
Caching
no-cache

Content Headers

1 header
Content-Type
Content
text/html; charset=utf-8

Server Headers

2 headers
Server
Server
nginx
X-Powered-By
Server
Goofy Node

CORS Headers

1 header
Access-Control-Expose-Headers
CORS
x-tt-traceflag,x-tt-logid

Cookies Headers

1 header
Set-Cookie
Cookies
tt_chain_token=4+Y+8kjeZyR8RgOqA9vs8A==; path=/; expires=Sun, 03 May 2026 12:54:38 GMT; domain=.tiktok.com; secure; httponly

Other Headers

18 headers
Date
Other
Tue, 04 Nov 2025 12:54:38 GMT
Feature-Policy
Other
microphone 'none'; geolocation 'none'
Reporting-Endpoints
Other
csp-endpoint="https://mon16-normal-useast5.tiktokv.us/monitor_browser/collect/batch/security/?bid=tiktok_pns"
Server-Timing
Other
inner; dur=142
X-Akamai-Request-Id
Other
96d0bdec.ae60a671
X-Bytefaas-Execution-Duration
Other
140.57
X-Bytefaas-Request-Id
Other
2025110412543823839A4C19C409017D7E
X-Cache
Other
TCP_MISS from a23-33-21-24.deploy.akamaitechnologies.com (AkamaiGHost/22.3.1-beec7c8e6b19d04c9cf512962152fd16) (-)
X-Cache-Remote
Other
TCP_MISS from a23-50-129-202.deploy.akamaitechnologies.com (AkamaiGHost/22.3.1-beec7c8e6b19d04c9cf512962152fd16) (-)
X-Download-Options
Other
noopen
X-Gw-Dst-Psm
Other
serverless.tiktok.desktop
X-Origin-Response-Time
Other
160,23.50.129.202
X-Parent-Response-Time
Other
178,23.33.21.24
X-Pumbaa-Web-Avail
Other
1
X-Tt-Logid
Other
2025110412543823839A4C19C409017D7E
X-Tt-Trace-Host
Other
01cde7d8b6e11aa1722b23de49ba50771a771f894ea21b7b4e9ab33c3bbef3fd29c5a9b10cc1d4c190c88d64b1f22b13fcf652f179e99e1f36cde3a4250cb0eeeee0f4696ff51d04a8fdb31b88e02afe3cbc23d8218dc837d7ca5730bbada07062b6001bf3d64e1e877e56c69c80ec823e
X-Tt-Trace-Id
Other
00-25110412543823839A4C19C409017D7E-738F4D4403CE6409-00
X-Tt-Trace-Tag
Other
id=16;cdn-cache=miss;type=dyn

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology

Analysis completed in 728ms