HTTP Headers Analysis for https://www.iovation.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=15768000; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; child-src; +7 more

default-src 'self' fonts.gstatic.com cdn-app.pathfactory.com *.lpsnmedia.net *.stackadapt.com *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com *.impactradius-event.com *.teads.tv *.passage.ai wss://tars-prod.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.transunion.ca *.vols7feed.com *.addthis.co *.amazon-adsystem.com *.youtube.com *.doubleclick.net *.company-target.com *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.adsrvr.org dmtry.com *.dmtry.com *.quantserve.com *.bluekai.com *.facebook.com *.demandbase.com doubleclick.net *.trustev.com *.yahoo.com *.atedra.com *.twitter.com *.bing.com crwdcntrl.net c.rstg.io cdn.nextinsure.com *.jquery.com cloudfront.net *.googleapis.com *.adnxs.com *.rlcdn.com investis.com adsrvr.org sharethrough.com adroll.com yimg.com amazonaws.com *.fastclick.net secure.leadback.advertising.com google-analytics.com *.ads-twitter.com *.openx.net *.zencdn.net googleadservices.com gstatic.com bidswitch.net *.media6degrees.com googletagmanager.com *.siteintercept.qualtrics.com *.qualtrics.com; script-src 'self' c.amazon-adsystem.com *.pathfactory.com *.onetrust.com *.trustarc.com *.truste.com action.dstillery.com a.smtrk.net tracker.pixeltracker.co *.kampyle.com *.medallia.com cdn.inpwrd.net content.inpwrd.net *.adobedtm.com *.liveperson.net https://sc-static.net *.lpsnmedia.net https://siteimproveanalytics.com *.kore.ai *.b0e8.com *.bc0a.com *.stackadapt.com *.thebrighttag.com *.btstatic.com *.hifiona.com *.impactradius-event.com *.teads.tv *.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.dotomi.com *.transunion.com *.transunion.ca *.mxpnl.com *.vols7feed.com *.addthis.com *.googletagmanager.com *.optimizely.com *.pingdom.com *.cloudflare.com *.googleadservices.com *.youtube.com *.doubleclick.net *.google-analytics.com *.quantserve.com *.g.3gl.net *.eloqua.com *.crwdcntrl.net *.googleapis.com *.investis.com *.amazonaws.com *.cloudfront.net *.nextinsure.com *.lendingtree.com *.mediaplex.com *.demandbase.com *.jquery.com *.gstatic.com *.bing.com *.3gl.net *.yourscoreonline.com *.gofreecredit.com *.creditcheckingtoday.com *.naturaltracking.com *.credit.com *.facebook.com *.yimg.com *.ytimg.com *.quora.com *.ensighten.com *.d39se0h2uvfakd.cloudfront.net *.linkedin.com *.adsprotection.com *.brightcove.com *.hotjar.com *.adroll.com *.brightcove.net *.en25.com *.adsrvr.org *.abmr.net *.mathtag.com t2.rstg.io px.ads.linkedin.com vjs.zencdn.net *.twitter.com iad-login.dotomi.com snap.licdn.com sp.analytics.yahoo.com unpkg.com *.myfonts.net *.en25.com *.addthisedge.com *.zencdn.com *.s3.amazonaws.com cdn.ampproject.org *.company-target.com *.media6degrees.com *.ads-twitter.com cdn.mxpnl.com *.bizographics.com *.pingdom.net *.mbww.com *.entrust.net *.trustev.com *.mathtag.com *.googlesyndication.com *.google.com *.outbrain.com o1.qnsr.com *.facebook.net cas.cluep.com *.quizgnome.com *.siteintercept.qualtrics.com *.qualtrics.com *.pulseinsights.com blob: 'unsafe-eval' 'unsafe-inline'; child-src www.googletagmanager.com *.trustarc.com *.truste.com insight.adsrvr.org content.inpwrd.net *.kampyle.com *.medallia.com transunion.demdex.net *.google.com *.liveperson.net *.snapchat.com *.lpsnmedia.net *.evenfinancial.com *.hifiona.com *.transunion.com *.transunion.ca blob: *.crwdcntrl.net *.cdn.optimizely.com *.addthis.com *.doubleclick.net *.lendingtree.com *.youtube.com *.hotjar.com *.mediaplex.com *.optimizely.com *.brightcove.net s.amazon-adsystem.com *.trustev.com *.mathtag.com *.qnsr.com *.facebook.com *.siteintercept.qualtrics.com *.qualtrics.com; connect-src 'self' s.amazon-adsystem.com ara.paa-reporting-advertising.amazon *.pathfactory.com wss://*.liveperson.net *.liveperson.net *.lpsnmedia.net *.onetrust.com *.trustarc.com *.cloudfront.net identity-force.sjv.io canada.pxf.io *.teads.tv pixelconnector.pixeltracker.co *.kampyle.com *.medallia.com s.yimg.com *.tt.omtrdc.net dpm.demdex.net wss://va.msg.liveperson.net wss://lo.msg.liveperson.net api.iterable.com *.google-analytics.com https://*.analytics.google.com analytics.google.com *.googletagmanager.com *.bc0a.com *.nextinsure.com *.googleapis.com *.g.doubleclick.net *.kore.ai wss://rtm.kore.ai *.stackadapt.com *.ifgza3.net *.passage.ai wss://tars-prod.passage.ai *.taboola.com *.transunion.com *.transunion.ca *.mixpanel.com *.optimizely.com *.youtube.com *.brightcovecdn.com *.pingdom.net *.brightcove.com manifest.prod.boltdns.net airbrake.io *.company-target.com r.3gl.net s7.addthis.com *.herokuapp.com unity.cadreon.com app.trustev.com *.hotjar.io *.hotjar.com wss://*.hotjar.com *.siteintercept.qualtrics.com *.qualtrics.com 'unsafe-eval' https://transunion-ir-v2.cm.invdcloud-is.us https://transunion-ir-v2.cd.invdcloud-is.us www.google.com bat.bing.com ad.doubleclick.net rjs.3gl.net px.ads.linkedin.com tag-logger.demandbase.com adservice.google.com; media-src 'self' *.lpsnmedia.net *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.transunion.com *.transunion.ca blob: f1.media.brightcove.com; img-src * *.lpsnmedia.net *.trustarc.com *.truste.com canada.pxf.io identity-force.sjv.io *.kampyle.com *.googletagmanager.com *.google-analytics.com *.g.doubleclick.net *.medallia.com *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com data:; font-src data: *.kampyle.com *.medallia.com *.transunion.com *.transunion.ca *.adobeaemcloud.com *.nextinsure.com *.gstatic.com *.company-target.com edge.api.brightcove.com r.3gl.net *.addthis.com *.herokuapp.com *.quora.com cdn-app.pathfactory.com cdn.pathfactory.com; frame-src * *.lpsnmedia.net *.liveperson.net; style-src * *.lpsnmedia.net *.liveperson.net 'unsafe-eval' 'unsafe-inline'; frame-ancestors *.transunion.com *.transunion.ca;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding

Caching Headers

4 headers

Age

Caching

0

Cache-Control

Caching

max-age=300

Expires

Caching

Sun, 18 Jan 2026 11:32:29 GMT

Last-Modified

Caching

Sun, 18 Jan 2026 11:19:41 GMT

Content Headers

1 headers

Content-Type

Content

text/html;charset=utf-8

Server Headers

1 headers

Server

cloudflare

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

__cf_bm=2tX2uwb4aE1UTM1.3OEcKtYsiqJjvwzKwUvbne05Ty4-1768735649-1.0.1.1-ZkKGC4Wyb4m1P0mj5NRKs9_UV2qekzXhyUmEm564qm6zrYrAE3.e9VY5n4rGzc784CvWxHzbST22zQVSXOmg5yBzWEpZ_g8jzgjj4fAn97E; path=/; expires=Sun, 18-Jan-26 11:57:29 GMT; domain=.transunion.com; HttpOnly; Secure; SameSite=None

Other Headers

7 headers

Cf-Cache-Status

Other

DYNAMIC

Cf-Ray

Other

9bfdbe4efb1682d8-IAD

Date

Other

Sun, 18 Jan 2026 11:27:29 GMT

X-Cache

Other

MISS

X-Served-By

Other

cache-iad-kiad7000028-IAD

X-Timer

Other

S1768735649.138054,VS0,VS0,VE15

X-Vhost

Other

tu publish

Recommendations

Enable compression (gzip/brotli) to improve performance