HTTPS Enabled
Missing: referrer-policy
Recommendation: Controls referrer info. Recommended: strict-origin-when-cross-origin
Missing: permissions-policy
Recommendation: Controls browser features. Recommended: camera=(), microphone=(), geolocation=()
Missing: cross-origin-opener-policy
Recommendation: Controls cross-origin window access. Recommended: same-origin
Missing: cross-origin-resource-policy
Recommendation: Controls cross-origin resource access. Recommended: same-origin
Missing: cross-origin-embedder-policy
Recommendation: Controls cross-origin embedding. Recommended: require-corp
Missing recommended header: referrer-policy
Recommendation: Review and fix this security issue
| Status | Header | Value | Recommendation |
|---|---|---|---|
| Present | content-security-policy | base-uri 'self'; default-src 'self' *.atlassian.com *.intercomcdn.com *.orangelogic.com *.6sc.co *.6sense.com sourcetreeapp.com *.sourcetreeapp.com; script-src 'self' *.gstatic.com *.cookielaw.org *.public.atl-paas.net *.prod.atl-paas.net *.googletagmanager.com *.marketo.net *.atlassian.com utt.impactcdn.com *.google.com *.doubleclick.com *.googleadservices.com *.livechatinc.com *.bing.com *.quora.com *.yimg.jp *.clicktale.net *.linkedin.com *.twitter.com *.licdn.com *.demandbase.com *.doubleclick.net *.facebook.net *.redditstatic.com *.clearbitscripts.com *.clarity.ms *.vimeo.com *.google-analytics.com facebook.com *.facebook.com impactcdn.com *.impactcdn.com clearbitjs.com *.clearbitjs.com yahoo.co.jp *.yahoo.co.jp *.recaptcha.net *.ads-twitter.com *.intercom.io *.intercomcdn.com *.jsdelivr.net *.6sc.co *.6sense.com *.techtarget.com *.capterra.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' *.public.atl-paas.net *.prod.atl-paas.net fonts.googleapis.com *.googletagmanager.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-inline'; img-src 'self' blob: data: atlassian.com *.atlassian.com *.cookielaw.org *.gravatar.com *.wp.com fd-assets.prod.atl-paas.net pixel.pointmediatracker.com *.prod.public.atl-paas.net cnv.event.prod.bidr.io *.doubleclick.net *.clicktale.net *.bing.com rlcdn.com reddit.com quora.com *.rlcdn.com *.reddit.com *.quora.com *.ctfassets.net *.linkedin.com *.google.com *.google.com.au *.company-target.com *.facebook.com *.google-analytics.com *.twitter.com t.co *.intercomcdn.com *.intercomassets.com *.frontend.public.atl-paas.net *.orangelogic.com *.googletagmanager.com img.logo.dev *.atlassian.net sourcetreeapp.com *.sourcetreeapp.com; font-src 'self' *.ctfassets.net *.intercomcdn.com *.gstatic.com *.frontend.public.atl-paas.net; frame-ancestors 'none'; form-action 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/wac-web; report-to csp-default-endpoint; connect-src 'self' ws: atlassian.com *.atlassian.com *.cookielaw.org *.onetrust.com *.public.atl-paas.net *.prod.atl-paas.net *.mktoresp.com *.ingest.sentry.io *.workato.com atlassian.sjv.io statsigapi.net *.statsigapi.net *.contentful.com atlassian.net *.clicktale.net *.contentsquare.net *.bing.com google-analytics.com company-target.com linkedin.com *.google-analytics.com *.company-target.com *.linkedin.com *.doubleclick.net *.reddit.com *.redditstatic.com *.google.com *.demandbase.com *.clarity.ms *.clearbit.com *.intercom.io *.algolianet.com *.algolia.net *.algolia.io *.recaptcha.net https://unpkg.com/@rive-app/ *.facebook.com *.orangelogic.com *.adnxs.com *.6sc.co *.6sense.com apis.auxia.io *.atlassian.net https://participant.connect.us-east-1.amazonaws.com wss://participant.connect.us-east-1.amazonaws.com *.connect.us-east-1.amazonaws.com sourcetreeapp.com *.sourcetreeapp.com; worker-src 'self' blob:; frame-src 'self' *.youtube.com *.google.com *.doubleclick.net *.recaptcha.net *.atl-paas.net *.company-target.com *.googletagmanager.com *.atlassian.net; media-src 'self' *.ctfassets.net *.atlassian.com *.orangelogic.com | Controls resources the browser can load. Prevents XSS. |
| Present | x-content-type-options | nosniff | Prevents MIME type sniffing. Should be 'nosniff'. |
| Present | x-frame-options | DENY | Controls framing. Use CSP frame-ancestors instead. |
| Present | strict-transport-security | max-age=63072000; preload | Forces HTTPS. Recommended: max-age=31536000; includeSubDomains |
| Missing | referrer-policy | Not set | Controls referrer info. Recommended: strict-origin-when-cross-origin |
| Missing | permissions-policy | Not set | Controls browser features. Recommended: camera=(), microphone=(), geolocation=() |
| Present | x-xss-protection | 1; mode=block | Deprecated. Use Content-Security-Policy instead. |
| Missing | cross-origin-opener-policy | Not set | Controls cross-origin window access. Recommended: same-origin |
| Missing | cross-origin-resource-policy | Not set | Controls cross-origin resource access. Recommended: same-origin |
| Missing | cross-origin-embedder-policy | Not set | Controls cross-origin embedding. Recommended: require-corp |