HTTP Headers Analysis for https://www.step.com

Detected Technologies from Headers

See all in URL Inspect 33

YouTube

Google AdSense

Google Maps

Microsoft 365

Google Tag Manager

Bing

Google reCAPTCHA

Google Cloud Run

AppsFlyer

Tapad

Cookiebot

Plaid

Google DoubleClick

Google Analytics

Google Conversion Tracking

Mixpanel

Greenhouse

Typeform

Google Static File Front End

TikTok Analytics

Google Fonts

Contentful

Stripe

Google Search

Facebook

Snapchat

Adobe Fonts (Typekit)

TikTok

Persona

Microsoft Clarity

Sentry

Google Cloud

Next.js

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; script-src; script-src-elem; +15 more Analyze

Content-Security-Policy-Report-Only

Missing

Not configured Analyze

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin

Permissions-Policy

Present

payment=(self "https://js.stripe.com" "https://hooks.stripe.com"), publickey-credentials-get=(self), publickey-credentials-create=(self); +4 more

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

Performance Headers

Connection

Performance

close

Transfer-Encoding

Performance

chunked

Vary

Performance

Accept-Encoding,Origin

connection: close
transfer-encoding: chunked
vary: Accept-Encoding,Origin

Caching Headers

Cache-Control

Caching

public, s-maxage=0, max-age=0, must-revalidate

Etag

Caching

"fjxyz346qc4eb7"

cache-control: public, s-maxage=0, max-age=0, must-revalidate
etag: "fjxyz346qc4eb7"

Content Headers

Content-Type

Content

text/html; charset=utf-8

content-type: text/html; charset=utf-8

Server Headers

No server headers found

CORS Headers

No CORS headers found

Cookies Headers

No cookies headers found

Other Headers

Alt-Svc

Other

h3=":443"; ma=2592000

Back-Forward-Cache

Other

1

Date

Other

Thu, 07 May 2026 10:13:32 GMT

Report-To

Other

Group csp-endpoint max-age: 1d

Endpoint 1 /api/csp-report

Via

Other

1.1 google

X-Download-Options

Other

noopen

X-Nextjs-Cache

Other

HIT

alt-svc: h3=":443"; ma=2592000
back-forward-cache: 1
date: Thu, 07 May 2026 10:13:32 GMT
report-to: {"group":"csp-endpoint","max_age":86400,"endpoints":[{"url":"/api/csp-report"}]}
via: 1.1 google
x-download-options: noopen
x-nextjs-cache: HIT

Recommendations

Enable compression (gzip/brotli) to improve performance