HTTP Headers Analysis for https://whatsapp.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; preload; includeSubDomains

Content-Security-Policy

Good

default-src; script-src; style-src; +11 more

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Present

accelerometer=(), attribution-reporting=(), autoplay=(), bluetooth=(), camera=(), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(), clipboard-write=(), compute-pressure=(), display-capture=(), encrypted-media=(), fullscreen=(self), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=();report-to="permissions_policy"

Recommendations

• Strengthen CSP by removing 'unsafe-eval'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)

Performance Headers

3 headers

Connection

Performance

keep-alive

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

private, no-cache, no-store, must-revalidate

Expires

Caching

Sat, 01 Jan 2000 00:00:00 GMT

Pragma

Caching

no-cache

Content Headers

1 headers

Content-Type

Content

text/html; charset="utf-8"

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

wa_ul=7b93efe9-a5d8-40fb-8a52-a225d9eea9a9; expires=Sun, 01-Feb-2026 02:00:45 GMT; Max-Age=7776000; path=/; domain=.www.whatsapp.com; secure; httponly; SameSite=Lax

Other Headers

9 headers

Alt-Svc

Other

h3=":443"; ma=86400

Cross-Origin-Embedder-Policy-Report-Only

Other

require-corp;report-to="coep_report"

Date

Other

Mon, 03 Nov 2025 02:00:46 GMT

Document-Policy

Other

include-js-call-stacks-in-crash-reports

Origin-Agent-Cluster

Other

?1

Report-To

Other

{"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.whatsapp.com\/whatsapp_browser_error_reports\/?device_level=unknown&brsid=7568313248874502148&cpp=C3&cv=1029289649&st=1762135245978"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.whatsapp.com\/whatsapp_browser_error_reports\/"}],"group":"permissions_policy"}

Reporting-Endpoints

Other

coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0", default="https://www.whatsapp.com/whatsapp_browser_error_reports/?device_level=unknown&brsid=7568313248874502148&cpp=C3&cv=1029289649&st=1762135245978", permissions_policy="https://www.whatsapp.com/whatsapp_browser_error_reports/"

X-Fb-Connection-Quality

Other

EXCELLENT; q=0.9, rtt=15, rtx=0, c=13, mss=1368, tbw=3218, tp=-1, tpl=-1, uplat=403, ullat=0

X-Fb-Debug

Other

xY5G8jhxuCcivNKdnFp6OfJPAmKC5C70V5muXDKA0LwgEgaaaTZI8+kvhQhohhoTjQkPR/u/dhqV82yYjDTVqw==

Recommendations

Enable compression (gzip/brotli) to improve performance