HTTP Headers Analysis for https://www.userway.org

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000; includeSubDomains

Content-Security-Policy

Basic

default-src; script-src; style-src; +9 more

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://*.hotjar.com https://*.cookiebot.com http://*.outbrain.com http://*.trustpilot.com https://cdn.debugbear.com https://js.stripe.com https://m.stripe.network/out-4.5.42.js https://*.hideousplay.com https://www.redditstatic.com/ads/pixel.js https://a.quora.com/qevents.js https://amplify.outbrain.com/cp/obtp.js https://js.hs-scripts.com https://static.ads-twitter.com/uwt.js https://m.stripe.network https://bat.bing.com http://js.hs-scripts.com https://js.hs-banner.com https://js.hs-analytics.net https://tag.clearbitscripts.com https://x.clearbitjs.com https://reveal.clearbit.com https://cdn.amplitude.com https://js.intercomcdn.com https://www.youtube.com https://*.tiktok.com/ https://snap.licdn.com https://*.6sc.co https://js.hsadspixel.net https://*.taboola.com https://connect.facebook.net https://*.intercom.io https://assets.calendly.com https://w.usabilla.com https://cdn.optimizely.com https://cdn.segment.io https://cdn.heapanalytics.com https://js.appboycdn.com https://data.pendo.io https://static.zdassets.com https://geolocation.onetrust.com https://*.airbrake.io https://api2.amplitude.com https://*.g.doubleclick.net https://cdn.cookielaw.org https://booking-dfp.calendly.com/telemetry.js; style-src 'self' 'unsafe-inline' https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://*.cookiebot.com https://tagmanager.google.com; img-src 'self' data: https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://track.hubspot.com https://px.ads.linkedin.com https://bat.bing.com https://static.intercomassets.com https://downloads.intercomcdn.com https://js.intercomcdn.com https://*.trustpilot.com https://*.cookiebot.com https://*.g2crowd.com https://*.taboola.com https://q.quora.com https://levelaccess.com https://stape.io https://www.linkedin.com https://*.g.doubleclick.net https://t.co/1/i/ https://analytics.twitter.com https://alb.reddit.com http://b.6sc.co/v1/beacon/ https://un.hideousplay.com/tracker/ https://ct.capterra.com/ https://i.liadm.com/ https://images.g2crowd.com https://lh3.googleusercontent.com https://www.facebook.com https://b.6sc.co https://effortless-cuddle-8148be6fe0.media.strapiapp.com https://i.ytimg.com; font-src 'self' data: https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://fonts.intercomcdn.com/messenger-m4/; connect-src 'self' https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://*.trustpilot.com https://static.hsappstatic.net https://api.hubapi.com https://www.facebook.com https://bat.bing.net wss://ws.hotjar.com https://metrics.hotjar.io https://content.hotjar.io https://vc.hotjar.io https://bat.bing.com https://*.outbrain.com https://*.taboola.com https://tag.clearbitscripts.com https://app.clearbit.com https://data.debugbear.com https://analytics.tiktok.com https://analytics-ipv6.tiktokw.us https://px.ads.linkedin.com https://pixel-config.reddit.com https://*.6sc.co https://epsilon.6sense.com https://www.redditstatic.com https://*.hideousplay.com https://conversions-config.reddit.com wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://*.airbrake.io https://api2.amplitude.com https://cdn.amplitude.com https://*.cookiebot.com https://*.cookiebot.eu https://effortless-cuddle-8148be6fe0.media.strapiapp.com; media-src https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org; frame-src 'self' https://*.google.com https://*.googleapis.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://*.googlesyndication.com https://www.recaptcha.net https://*.google.com https://sgtm.userway.org https://api.userway.org/api/ https://inspect.userway.org/api https://inspect.userway.org https://userway.org https://manage.userway.org https://scan.userway.org https://cdn.userway.org https://js.stripe.com https://intercom-sheets.com https://www.facebook.com https://www.youtube.com http://www.youtube.com https://calendly.com https://*.cookiebot.com; object-src 'none'; base-uri 'self'; form-action 'self' https://www.facebook.com https://scan.userway.org https://manage.userway.org https://api.userway.org/api/ https://inspect.userway.org/api/; frame-ancestors https://userway.org https://userway.org/blog/ https://userway.org/es/blog/ https://userway.org/de/blog/ https://userway.org/fr/blog/ https://userway.org/pt/blog/ https://manage.userway.org;

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Consider adding 'preload' to HSTS for maximum security
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

Performance Headers

2 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Caching Headers

4 headers

Age

Caching

1

Cache-Control

Caching

public, max-age=5

Etag

Caching

W/"27ee6-19aa6029738"

Last-Modified

Caching

Fri, 21 Nov 2025 10:42:59 GMT

Content Headers

2 headers

Content-Length

Content

163558

Content-Type

Content

text/html; charset=UTF-8

Server Headers

1 headers

X-Powered-By

Server

Express

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

5 headers

Date

Other

Sun, 30 Nov 2025 21:50:31 GMT

Via

Other

1.1 b64454e3c1123ac098282f1036154740.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

yb33N4dyI1ykcdQe7f-E3Js7l3oe4tdO_b3klLzsE39ibG6oR4jgTQ==

X-Amz-Cf-Pop

Other

IAD55-P3

X-Cache

Other

Hit from cloudfront

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology