HTTP Headers Analysis for https://unthread.unthread.io

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15552000; includeSubDomains; preload

Content-Security-Policy

Basic

report-to; report-uri; script-src; +14 more

report-to csp-endpoint;report-uri /csp-reports;script-src 'self' 'wasm-unsafe-eval' https://assets.unthread.io/assets/ 'nonce-b87c59b5eadac8479b6ff15bc21fd786c3f02490c29561415cbb111eda05f64f' https://unthread.unthread.io https://accounts.google.com https://*.googletagmanager.com https://www.google-analytics.com https://apis.google.com https://assets.customer.io https://editor.unlayer.com https://*.commandbar.com/ https://us.i.posthog.com https://us-assets.i.posthog.com;script-src-elem 'self' 'wasm-unsafe-eval' https://assets.unthread.io/assets/ 'nonce-b87c59b5eadac8479b6ff15bc21fd786c3f02490c29561415cbb111eda05f64f' https://unthread.unthread.io https://accounts.google.com https://*.googletagmanager.com https://www.google-analytics.com https://apis.google.com https://assets.customer.io https://editor.unlayer.com https://*.commandbar.com/ https://us.i.posthog.com https://us-assets.i.posthog.com;connect-src 'self' https://assets.unthread.io/assets/ https://auth.unthread.io https://unthread.unthread.io https://firebase.googleapis.com https://firestore.googleapis.com https://firebasestorage.googleapis.com https://firebaseinstallations.googleapis.com/v1/projects/trnout-co/ https://*.googletagmanager.com https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://*.google-analytics.com https://*.analytics.google.com https://api-js.mixpanel.com https://o563911.ingest.sentry.io wss://api.nango.dev https://*.commandbar.com/ https://cdn.jsdelivr.net/npm/@emoji-mart/data https://cdn.jsdelivr.net/npm/@emoji-mart/data@latest/sets/14/native.json https://us.i.posthog.com https://us-assets.i.posthog.com;frame-src 'self' blob: https://unthread.unthread.io https://auth.unthread.io https://editor.unlayer.com https://*.commandbar.com/ https://docs.google.com https://accounts.google.com;img-src 'self' data: http: blob:;font-src 'self' data: https://assets.unthread.io https://assets.unthread.io/assets/ https://fonts.gstatic.com https://netdna.bootstrapcdn.com;form-action 'self';media-src 'self' blob: https://*.slack.com/;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.commandbar.com/;default-src 'self';base-uri 'self';frame-ancestors 'self';object-src 'none';script-src-attr 'none';upgrade-insecure-requests

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

keep-alive

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

0 headers

No caching headers found

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

8 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cf-Apo-Via

Other

origin,host

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9a1c8dd3acc3c93b-IAD

Date

Other

Fri, 21 Nov 2025 01:53:32 GMT

Report-To

Other

{"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"/csp-reports"}]}

Via

Other

1.1 google

X-Request-Id

Other

6208a01d-c965-473a-9fd5-25e80c47ed7f

Recommendations

Enable compression (gzip/brotli) to improve performance

Add Cache-Control header to optimize caching