HTTP Headers Analysis for https://web.qa.order.mcd.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15768000 ; includeSubDomains ; preload

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

Transfer-Encoding

Performance

chunked

Vary

Performance

next-router-segment-prefetch

Caching Headers

1 headers

Cache-Control

Caching

private, no-cache, no-store, max-age=0, must-revalidate

Content Headers

1 headers

Content-Type

Content

text/html; charset=utf-8

Server Headers

1 headers

Server

istio-envoy

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

gwa-session-id=6875ca04-9846-4ae0-b0bf-5668b4043bc6; Path=/; HttpOnly

Other Headers

12 headers

Akamai-Grn

Other

0.d968dc17.1766765709.50ede933

Date

Other

Fri, 26 Dec 2025 16:15:11 GMT

Link

Other

</_next/static/media/0cd789020465d21a-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/2b242048f3361d9b-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/2b3ead9924040b61-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/3b2904002f7a7845-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/3fe9d983e1693e8d-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/709845008cc9c686-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/cd2a9012501c1ae7-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/e9b63c0869091c54-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/f3d40a863e1df6ac-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/css/8e04f1ba7a9a98ce.css>; rel=preload; as="style", </_next/static/css/f7d3ec4629c4457b.css>; rel=preload; as="style"

Server-Timing

Other

ak_p; desc="1766765709890_400320729_1357769011_173176_2700_0_11_-";dur=1

X-Akam-Sw-Version

Other

0.5.0

X-Akamai-Transformed

Other

9 - 0 pmb=mRUM,2

X-Envoy-Upstream-Service-Time

Other

43

X-Gwa-Current-Path

Other

/us/en-us

X-Gwa-Locale

Other

en-us

X-Gwa-Market-Code

Other

us

X-Gwa-Source

Other

GMA

X-Middleware-Rewrite

Other

/GMA/us/en-us

Recommendations

Enable compression (gzip/brotli) to improve performance