HTTP Headers Analysis for https://www.optimoney.app

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; connect-src; +12 more

default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://telegram.org https://*.telegram.org https://github.com https://api.twitter.com https://identitytoolkit.googleapis.com https://*.googleapis.com https://*.firebaseapp.com https://apis.google.com https://www.gstatic.com https://*.walletconnect.com https://*.walletconnect.org https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; connect-src 'self' https: wss: data: https://*.googleapis.com https://*.cloudfunctions.net https://api.github.com https://*.firebaseio.com wss://*.firebaseio.com https://identitytoolkit.googleapis.com https://telegram.org https://*.telegram.org https://securetoken.googleapis.com https://*.firebaseapp.com https://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.com wss://*.walletconnect.org https://ethereum.publicnode.com https://bsc-dataseed.binance.org https://polygon-rpc.com https://arb1.arbitrum.io https://explorer-api.walletconnect.com https://relay.walletconnect.com https://api.web3modal.org; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com https://cdn.jsdelivr.net; img-src 'self' data: blob: https: https://www.gstatic.com https://*.walletconnect.com https://*.walletconnect.org https://api.web3modal.org; font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self' https: https://telegram.org https://*.telegram.org https://oauth.telegram.org https://t.me https://apis.google.com https://*.firebaseapp.com https://*.google.com https://*.walletconnect.com https://*.walletconnect.org https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.org https://api.web3modal.org; worker-src 'self' blob:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; manifest-src 'self'; frame-ancestors 'self' https://secure.walletconnect.org https://*.walletconnect.org http://localhost:* https://*.pages.dev https://*.vercel.app https://*.ngrok-free.app https://secure-mobile.walletconnect.com https://secure-mobile.walletconnect.org https://api.web3modal.org; upgrade-insecure-requests;

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

Performance Headers

3 headers

Accept-Ranges

Performance

bytes

Connection

Performance

keep-alive

Vary

Performance

x-fh-requested-host, accept-encoding

Caching Headers

3 headers

Cache-Control

Caching

max-age=3600

Etag

Caching

"40175d1f3dd1a4b2baf62c4b83d46d60be2073e47496019e3e479b3d098e8560"

Last-Modified

Caching

Thu, 05 Dec 2024 22:55:30 GMT

Content Headers

2 headers

Content-Length

Content

4623

Content-Type

Content

text/html; charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

4 headers

Access-Control-Allow-Headers

Cors

Origin, X-Requested-With, Content-Type, Accept, Authorization

Access-Control-Allow-Methods

Cors

GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS

Access-Control-Allow-Origin

Cors

*

Access-Control-Max-Age

Cors

7200

Cookies Headers

0 headers

No cookies headers found

Other Headers

6 headers

Alt-Svc

Other

h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

Date

Other

Tue, 18 Nov 2025 03:50:12 GMT

X-Cache

Other

MISS

X-Cache-Hits

Other

0

X-Served-By

Other

cache-pdk-kfty8610081-PDK

X-Timer

Other

S1763437813.562025,VS0,VE93

Recommendations

Enable compression (gzip/brotli) to improve performance