Results forheroku.com

www.heroku.com com

Registrar

Creation Date

DNSSEC

Security Headers Score

HTTPS Enabled

score-mid

/ 100 points

Issues Found (3)

Missing: cross-origin-opener-policy
Recommendation: Controls cross-origin window access. Recommended: same-origin
Missing: cross-origin-resource-policy
Recommendation: Controls cross-origin resource access. Recommended: same-origin
Missing: cross-origin-embedder-policy
Recommendation: Controls cross-origin embedding. Recommended: require-corp

Successes (9)

content-security-policy: default-src https: data: wss://*.hotjar.com wss://*.crazyegg.com *.crazyegg.com wss://*.zohopublic.com; script-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src data: https: 'unsafe-inline'; font-src data: https: 'unsafe-inline'; frame-ancestors 'self'; object-src 'self' blob; upgrade-insecure-requests; media-src 'self' blob: data: https:;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
referrer-policy: no-referrer-when-downgrade
permissions-policy: autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=(), browsing-topics=()
x-xss-protection: 1; mode=block
HSTS configured with max-age: 31536000 seconds
HTTPS is enabled

Security Headers (10)

Header	Value	Recommendation
`content-security-policy`	`default-src https: data: wss://.hotjar.com wss://.crazyegg.com .crazyegg.com wss://.zohopublic.com; script-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src data: https: 'unsafe-inline'; font-src data: https: 'unsafe-inline'; frame-ancestors 'self'; object-src 'self' blob; upgrade-insecure-requests; media-src 'self' blob: data: https:;`	Controls resources the browser can load. Prevents XSS.
`x-content-type-options`	`nosniff`	Prevents MIME type sniffing. Should be 'nosniff'.
`x-frame-options`	`SAMEORIGIN`	Controls framing. Use CSP frame-ancestors instead.
`strict-transport-security`	`max-age=31536000`	Forces HTTPS. Recommended: max-age=31536000; includeSubDomains
`referrer-policy`	`no-referrer-when-downgrade`	Controls referrer info. Recommended: strict-origin-when-cross-origin
`permissions-policy`	`autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=(), browsing-topics=()`	Controls browser features. Recommended: camera=(), microphone=(), geolocation=()
`x-xss-protection`	`1; mode=block`	Deprecated. Use Content-Security-Policy instead.
`cross-origin-opener-policy`	Not set	Controls cross-origin window access. Recommended: same-origin
`cross-origin-resource-policy`	Not set	Controls cross-origin resource access. Recommended: same-origin
`cross-origin-embedder-policy`	Not set	Controls cross-origin embedding. Recommended: require-corp

Raw Headers (18)

server:nginx

date:Sat, 18 Apr 2026 07:45:39 GMT

content-type:text/html; charset=UTF-8

transfer-encoding:chunked

connection:keep-alive

vary:Accept-Encoding

host-header:a9130478a60e5f9135f765b23f26593b

x-xss-protection:1; mode=block

x-frame-options:SAMEORIGIN

x-content-type-options:nosniff

content-security-policy:default-src https: data: wss://*.hotjar.com wss://*.crazyegg.com *.crazyegg.com wss://*.zohopublic.com; script-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src data: https: 'unsafe-inline'; font-src data: https: 'unsafe-inline'; frame-ancestors 'self'; object-src 'self' blob; upgrade-insecure-requests; media-src 'self' blob: data: https:;

referrer-policy:no-referrer-when-downgrade

permissions-policy:autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=(), browsing-topics=()

x-rq:arn1 0 40 9980

cache-control:public, max-age=3600

x-cache:HIT

accept-ranges:bytes

strict-transport-security:max-age=31536000

Errors (3)

Missing header: cross-origin-opener-policy
Missing header: cross-origin-resource-policy
Missing header: cross-origin-embedder-policy

Status

Header

Value

Recommendation

content-security-policy

default-src https: data: wss://*.hotjar.com wss://*.crazyegg.com *.crazyegg.com wss://*.zohopublic.com; script-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src data: https: 'unsafe-inline'; font-src data: https: 'unsafe-inline'; frame-ancestors 'self'; object-src 'self' blob; upgrade-insecure-requests; media-src 'self' blob: data: https:;

Controls resources the browser can load. Prevents XSS.

x-content-type-options

nosniff

Prevents MIME type sniffing. Should be 'nosniff'.

x-frame-options

SAMEORIGIN

Controls framing. Use CSP frame-ancestors instead.

strict-transport-security

max-age=31536000

Forces HTTPS. Recommended: max-age=31536000; includeSubDomains

referrer-policy

no-referrer-when-downgrade

Controls referrer info. Recommended: strict-origin-when-cross-origin

permissions-policy

autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=(), browsing-topics=()

Controls browser features. Recommended: camera=(), microphone=(), geolocation=()

x-xss-protection

1; mode=block

Deprecated. Use Content-Security-Policy instead.

cross-origin-opener-policy

Not set

Controls cross-origin window access. Recommended: same-origin

cross-origin-resource-policy

Not set

Controls cross-origin resource access. Recommended: same-origin

cross-origin-embedder-policy

Not set

Controls cross-origin embedding. Recommended: require-corp