HTTP Headers Analysis for https://xdr.ctrveil.com

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=3600 ; includeSubDomains

Content-Security-Policy

Good

default-src; connect-src; style-src; +8 more

default-src 'none'; connect-src 'self' https://*.limacharlie.io/ wss://*.limacharlie.io/ wss://*.firebaseio.com/.ws https://securetoken.googleapis.com/v1/token https://storage.googleapis.com/ https://o541605.ingest.us.sentry.io/ https://cdn.segment.com/v1/projects/ https://*.posthog.com/ https://identitytoolkit.googleapis.com/ https://us-central1-refractionpoint-lce.cloudfunctions.net/ https://api.segment.io/ https://fonts.gstatic.com/ https://fonts.googleapis.com/css2 https://apis.google.com/ https://www.google.com/ https://www.gstatic.com/ https://api.hsforms.com/submissions/v3/integration/ ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/css2 ; img-src 'self' https://storage.cloud.google.com/limacharlie-io/ https://storage.googleapis.com/ https://www.hpcsec.com/wp-content/uploads/2023/05/cropped-black-grey-rectangle-logo.png https://www.jumpsec.com/wp-content/uploads/2022/08/JUMPSEC-2021-Retina.png https://images.squarespace-cdn.com/content/v1/647a0e6d7e0f640683184bf4/d8bef655-332f-4709-b56e-0a5bc05fe009/full-logo-periwinkle.png https://www.misp-project.org/img/logo.png https://github.com/target/strelka/raw/master/misc/assets/strelka_banner.png https://img.youtube.com/ https://images.coursestack.com/ data: blob: ; font-src 'self' https://fonts.gstatic.com/s/ https://app.limacharlie.io/ data: ; frame-src 'self' https://refractionpoint-lce.firebaseapp.com/ https://js.stripe.com/ https://*.firebaseio.com/ https://www.google.com/ https://www.recaptcha.google.com/ ; script-src-elem 'unsafe-inline' 'self' https://*.firebaseio.com/ https://apis.google.com/ https://js.stripe.com/ https://cdn.segment.com/ https://*.posthog.com/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ ; worker-src 'self' blob: ; manifest-src 'self'; report-uri https://o541605.ingest.us.sentry.io/api/5660726/security/?sentry_key=9aceeec567e940de825127c5c33fd825; report-to csp-endpoint;

X-Frame-Options

Good

sameorigin

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

same-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

Performance Headers

3 headers

Accept-Ranges

Performance

bytes

Connection

Performance

close

Vary

Performance

x-fh-requested-host, accept-encoding

Caching Headers

3 headers

Cache-Control

Caching

max-age=3600

Etag

Caching

"27d5b73cdbbd7cfe890a1a79c9241316718002cb4585ee5ac06ac41220616ece"

Last-Modified

Caching

Fri, 19 Dec 2025 08:41:14 GMT

Content Headers

2 headers

Content-Length

Content

921

Content-Type

Content

text/html; charset=utf-8

Server Headers

0 headers

No server headers found

CORS Headers

0 headers

No CORS headers found

Cookies Headers

0 headers

No cookies headers found

Other Headers

7 headers

Alt-Svc

Other

h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

Date

Other

Sun, 11 Jan 2026 08:57:11 GMT

Report-To

Other

{"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://o541605.ingest.us.sentry.io/api/5660726/security/?sentry_key=9aceeec567e940de825127c5c33fd825"}],"include_subdomains":true}

X-Cache

Other

HIT

X-Cache-Hits

Other

0

X-Served-By

Other

cache-iad-kcgs7200137-IAD

X-Timer

Other

S1768121832.561482,VS0,VE1

Recommendations

Enable compression (gzip/brotli) to improve performance