Security Report Summary
Grade: A

Site: | https://www.currencycloud.com/ |
---|---|
IP Address: | 2606:4700::6812:994 |
Report Time: | 06 May 2024 03:12:16 UTC |
Warning: | Grade capped at A, please see warnings below. |
Warnings

Header | Warning |
---|---|
Content-Security-Policy | This policy contains 'unsafe-inline', which is dangerous in the default-src directive. This policy contains 'unsafe-eval', which is dangerous in the default-src directive. |
X-Frame-Options | There was a duplicate X-Frame-Options header. |
Raw Headers

Header | Value |
---|---|
HTTP/2 | 200 |
date | Mon, 06 May 2024 03:12:16 GMT |
content-type | text/html; charset=UTF-8 |
cf-cache-status | DYNAMIC |
age | 230661 |
cache-control | public, max-age=0, s-maxage=2592000 |
last-modified | Thu, 02 May 2024 14:11:42 GMT |
link | <https://www.currencycloud.com/wp-json/>; rel="https://api.w.org/", <https://www.currencycloud.com/wp-json/wp/v2/pages/7>; rel="alternate"; type="application/json", <https://www.currencycloud.com/>; rel=shortlink |
strict-transport-security | max-age=31536000; includeSubDomains |
vary | Accept-Encoding |
access-control-allow-credentials | false |
content-security-policy | base-uri 'self'; form-action 'self' www.facebook.com forms-eu1.hsforms.com pyithubawa.net; frame-ancestors 'self' www.currencycloud.com; upgrade-insecure-requests ; child-src blob: go.currencycloud.com bid.g.doubleclick.net www.google.com forms-eu1.hsforms.com embed.podcasts.apple.com embed.sounder.fm player.vimeo.com www.youtube.com; connect-src 'self' data: region1.analytics.google.com api.clearout.io api.cognitive.microsofttranslator.com google.com ds.cookiehub.net policy.cookiereports.com assets-tracking.crazyegg.com pagestates-tracking.crazyegg.com script.crazyegg.com tracking.crazyegg.com www.currencycloud.com metrics2.data.hicloud.com ad.doubleclick.net www.facebook.com googleads.g.doubleclick.net stats.g.doubleclick.net www.googleadservices.com region1.google-analytics.com www.google-analytics.com translate.googleapis.com www.google.co.cr adservice.google.com analytics.google.com www.google.com www.google.com.sg www.google.co.uk www.google.de pagead2.googlesyndication.com www.googletagmanager.com js-eu1.hsadspixel.net js-eu1.hs-analytics.net js-eu1.hs-banner.com forms-eu1.hscollectedforms.net js-eu1.hscollectedforms.net forms-eu1.hsforms.com js-eu1.hs-scripts.com api-eu1.hubapi.com forms-eu1.hubspot.com mainnet.infura.io cdn.linkedin.oribi.io edge.microsoft.com cookiehub.net hubspot-forms-static-embed-eu1.s3.amazonaws.com scout.salesloft.com analytics.twitter.com plugin.ucads.ucweb.com gjtrack.ucweb.com infragrid.v.network njs.wigoal.com; default-src 'self' data: 'unsafe-inline' 'unsafe-eval' blob: px.ads.linkedin.com static.ads-twitter.com p.adsymptotic.com js.chilipiper.com t.co ds.cookiehub.net assets-tracking.crazyegg.com pagestates-tracking.crazyegg.com script.crazyegg.com tracking.crazyegg.com www.facebook.com connect.facebook.net bid.g.doubleclick.net googleads.g.doubleclick.net stats.g.doubleclick.net www.googleadservices.com region1.google-analytics.com www.google-analytics.com fonts.googleapis.com www.google.co.il adservice.google.com www.google.com www.google.com.au www.google.com.br www.google.co.uk www.google.de www.google.ee www.google.fr www.google.hu www.google.nl www.googleoptimize.com www.google.pl pagead2.googlesyndication.com www.googletagmanager.com fonts.gstatic.com www.gstatic.com js-eu1.hsadspixel.net js-eu1.hs-analytics.net js-eu1.hs-banner.com js-eu1.hscollectedforms.net forms-eu1.hsforms.com perf-eu1.hsforms.com js-eu1.hsforms.net js-eu1.hs-scripts.com api-eu1.hubapi.com forms-eu1.hubspot.com track-eu1.hubspot.com snap.licdn.com www.linkedin.com cookiehub.net hubspot-forms-static-embed-eu1.s3.amazonaws.com scout-cdn.salesloft.com scout.salesloft.com analytics.twitter.com player.vimeo.com www.youtube.com; font-src 'self' data: at.alicdn.com zip.co fonts.gstatic.com www.slant.co use.typekit.net; frame-src embed.acast.com vimeo.com wwatchvideos.com blog.currencycloud.com go.currencycloud.com www.currencycloud.com td.doubleclick.net https://*.duosecurity.com www.facebook.com sounder.fm bid.g.doubleclick.net googleads.g.doubleclick.net www.google.com tpc.googlesyndication.com www.googletagmanager.com forms-eu1.hsforms.com app-eu1.hubspot.com www.linkedin.com mozbar.moz.com developer.mozilla.org pitc.nube.53.com embed.podcasts.apple.com www.recaptcha.net cf-media.sndcdn.com w.soundcloud.com embed.sounder.fm filter.techloq.com player.vimeo.com api.xiaoduis.com www.youtube.com; img-src 'self' data: p.adsymptotic.com region1.analytics.google.com t.co policy.cookiereports.com assets.currencycloud.com www.currencycloud.com ad.doubleclick.net www.facebook.com googleads.g.doubleclick.net www.google.ad www.googleadservices.com www.google.ae www.google.am region1.google-analytics.com www.google-analytics.com translate.googleapis.com www.google.at www.google.ba www.google.be www.google.bg www.google.bj www.google.bs www.google.by www.google.ca www.google.cd www.google.cg www.google.ch www.google.ci www.google.cl www.google.cm www.google.cn www.google.co.ck www.google.co.cr www.google.co.id www.google.co.il www.google.co.in www.google.co.jp www.google.co.ke www.google.co.kr adservice.google.com translate.google.com www.google.com www.google.co.ma www.google.com.ag www.google.com.ar www.google.com.au www.google.com.bd www.google.com.bh www.google.com.bn www.google.com.br www.google.com.co www.google.com.cy www.google.com.do www.google.com.ec www.google.com.eg www.google.com.gh www.google.com.gi www.google.com.hk www.google.com.jm www.google.com.kh www.google.com.kw www.google.com.lb www.google.com.ly www.google.com.mm www.google.com.mt www.google.com.mx www.google.com.my www.google.com.ng www.google.com.ni www.google.com.np www.google.com.pa www.google.com.pe www.google.com.ph www.google.com.pk www.google.com.pr www.google.com.py www.google.com.sa www.google.com.sg www.google.com.sl www.google.com.tr www.google.com.tw www.google.com.ua www.google.com.uy www.google.com.vn www.google.co.nz www.google.co.th www.google.co.tz www.google.co.ug www.google.co.uk www.google.co.uz www.google.co.ve www.google.co.za www.google.co.zw www.google.cz www.google.de www.google.dk www.google.dz www.google.ee www.google.es www.google.fi www.google.fr www.google.ge www.google.gg www.google.gm www.google.gr www.google.hr www.google.hu www.google.ie www.google.im www.google.iq www.google.is www.google.it www.google.je www.google.jo www.google.kg www.google.kz www.google.lk www.google.lt www.google.lu www.google.lv www.google.md www.google.me www.google.mk www.google.ml www.google.mn www.google.mu www.google.nl www.google.no www.google.pl www.google.ps www.google.pt www.google.ro www.google.rs www.google.ru www.google.se www.google.si www.google.sk www.google.sm www.google.sn pagead2.googlesyndication.com www.googletagmanager.com www.google.tn secure.gravatar.com fonts.gstatic.com www.gstatic.com forms-eu1.hsforms.com forms.hsforms.com perf-eu1.hsforms.com forms.hubspot.com track-eu1.hubspot.com track.hubspot.com *.linkedin.com www.linkedin.com is3-ssl.mzstatic.com co-asset.s3.ap-south-1.amazonaws.com embed.sounder.fm analytics.twitter.com scout.us1.salesloft.com i.vimeocdn.com i.ytimg.com; manifest-src 'self'; media-src data:; object-src 'none'; script-src 'nonce-p7gEANfcbk0KjKZ29oqNO7moR6FGa7Av' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval' 'self' inline self wasm-eval static.ads-twitter.com js.chilipiper.com script.crazyegg.com connect.facebook.net googleads.g.doubleclick.net www.googleadservices.com www.google-analytics.com www.google.com www.google.com.my www.googleoptimize.com pagead2.googlesyndication.com www.googletagmanager.com www.gstatic.com js-eu1.hsadspixel.net js-eu1.hs-analytics.net js-eu1.hs-banner.com js-eu1.hscollectedforms.net js-eu1.hsforms.net js-eu1.hs-scripts.com snap.licdn.com cookiehub.net scout-cdn.salesloft.com embed.sounder.fm; script-src-attr 'nonce-p7gEANfcbk0KjKZ29oqNO7moR6FGa7Av' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval' 'report-sample'; script-src-elem 'nonce-p7gEANfcbk0KjKZ29oqNO7moR6FGa7Av' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval' 'self' 'report-sample' static.ads-twitter.com js.chilipiper.com policy.cookiereports.com script.crazyegg.com connect.facebook.net googleads.g.doubleclick.net www.googleadservices.com www.google-analytics.com www.google.com www.googleoptimize.com pagead2.googlesyndication.com tpc.googlesyndication.com www.googletagmanager.com www.gstatic.com js-eu1.hsadspixel.net js-eu1.hs-analytics.net js-eu1.hs-banner.com js-eu1.hscollectedforms.net js-eu1.hsforms.net js-eu1.hs-scripts.com gc.kes.v2.scr.kaspersky-labs.com me.kes.v2.scr.kaspersky-labs.com snap.licdn.com cookiehub.net cdn.randomhow.com scout-cdn.salesloft.com embed.sounder.fm; style-src 'self' 'unsafe-inline' fonts.googleapis.com translate.googleapis.com www.gstatic.com cookiehub.net; style-src-attr 'unsafe-inline' 'report-sample'; style-src-elem 'self' 'unsafe-inline' 'report-sample' www.currencycloud.com fonts.googleapis.com translate.googleapis.com www.googletagmanager.com www.gstatic.com cookiehub.net adblockers.opera-mini.net; worker-src blob:; report-uri https://darwinapps.report-uri.com/r/d/csp/enforce; |
ki-cache-tag | 6548954b-bf96-43b2-a8c5-7fdcea318a07,a6dd80a4d563f2e4827e6b9e1fb8761b1ac2603f67b59cae975345cc8dc2fd97 |
ki-cache-type | Edge |
ki-cf-cache-status | HIT |
ki-edge | v=20.2.7;mv=3.0.6 |
ki-edge-o2o | yes |
ki-origin | g1p |
permissions-policy | geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=() |
referrer-policy | no-referrer |
referrer-policy | strict-origin-when-cross-origin |
report-to | {"group":"default""max_age":31536000"endpoints":[{"url":"https://darwinapps.report-uri.com/a/d/g"}]"include_subdomains":true} |
x-content-type-options | nosniff |
x-edge-location-klb | 1 |
x-frame-options | SAMEORIGIN |
x-frame-options | SAMEORIGIN |
x-kinsta-cache | HIT |
x-xss-protection | 1; mode=block |
set-cookie | __cf_bm=MktGBfYKwpmxdRYCHY.bG30RtFKiVYxv6_JX00q6XZw-1714965136-1.0.1.1-hYMXp13eve9s8klfqi1FnsWfml3WN3mzM2NqwDlRzWDftf.vl3U3xDQTB8.XjdJjCI0vEzm7ov._VDS0q34PLQ; path=/; expires=Mon, 06-May-24 03:42:16 GMT; domain=.currencycloud.com; HttpOnly; Secure; SameSite=None |
set-cookie | _cfuvid=OdeyIUZc.wGTMskguDDKVkWfptJaptkWG9o._7OazDc-1714965136501-0.0.1.1-604800000; path=/; domain=.currencycloud.com; HttpOnly; Secure; SameSite=None |
server | cloudflare |
cf-ray | 87f5c9a6a96f2314-SJC |
content-encoding | gzip |
Upcoming Headers

Header | Description |
---|---|
Cross-Origin-Embedder-Policy | Cross-Origin Embedder Policy allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP. |
Cross-Origin-Opener-Policy | Cross-Origin Opener Policy allows a site to opt in to Cross-Origin Isolation in the browser. |
Cross-Origin-Resource-Policy | Cross-Origin Resource Policy allows a resource owner to specify who can load the resource. |
Additional Information

Header | Description |
---|---|
strict-transport-security | HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. |
content-security-policy | Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. |
permissions-policy | Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. |
referrer-policy | Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. |
referrer-policy | Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. |
report-to | Report-To enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur. |
x-content-type-options | X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff". |
x-frame-options | X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. |
x-frame-options | X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. |
x-xss-protection | X-XSS-Protection sets the configuration for the XSS Auditor built into older browsers. The recommended value was "X-XSS-Protection: 1; mode=block" but you should now look at Content Security Policy instead. |
server | Server value has been changed. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2". |