{
  "url": "https://cloudflare.com",
  "scanned_at": "2026-06-17T20:10:50.381Z",
  "grade": "C+",
  "cors": {
    "enabled": false,
    "allow_origin": null,
    "allow_credentials": false,
    "allow_methods": [],
    "allow_headers": [],
    "expose_headers": [],
    "max_age": null,
    "preflight_status": 301,
    "vary_origin": false,
    "issues": [
      {
        "severity": "info",
        "code": "NO_CORS_HEADERS",
        "message": "No CORS headers present. Browsers will not expose this response to cross-origin JavaScript: simple requests are still sent (and reach the server) but the response is unreadable, and preflighted requests fail outright. This is the expected state for a site that does not intend cross-origin access.",
        "fix": "If you intend to allow cross-origin access, set Access-Control-Allow-Origin to an explicit allowlist of origins rather than a wildcard, and never reflect the request Origin unchecked when Access-Control-Allow-Credentials is true.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
      },
      {
        "severity": "high",
        "code": "PREFLIGHT_FAILED",
        "message": "Preflight (OPTIONS) returned 301. Browsers do not follow redirects on preflight responses and require a 2xx. The 301 here matches the apex-to-www redirect seen in the redirect chain, so it only matters if cross-origin access to this origin is intended; re-check OPTIONS against the canonical www host.",
        "fix": "If cross-origin access is intended, make the final (non-redirecting) origin answer OPTIONS with 200 or 204 and the appropriate CORS headers; a redirect on the preflight is treated by browsers as a failure.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests"
      }
    ]
  },
  "csp": {
    "present": true,
    "mode": "enforce",
    "raw": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://static-staging.cloudflareinsights.com https://challenges.cloudflare.com https://*.onetrust.com https://cdn.cookielaw.org https://ot.www.cloudflare.com https://www.googletagmanager.com https://tagmanager.google.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://adservice.google.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://platform.twitter.com https://static.ads-twitter.com https://scripts.demandbase.com https://tag.demandbase.com https://*.6sc.co https://*.qualified.com https://snap.licdn.com https://bat.bing.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://analytics.google.com https://*.doubleclick.net https://www.googleadservices.com https://translate.googleapis.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://ads-twitter.com https://analytics.twitter.com https://*.twimg.com https://api.demandbase.com https://scripts.demandbase.com https://tag.demandbase.com https://tag-logger.demandbase.com https://api.company-target.com https://*.6sc.co https://epsilon.6sense.com https://*.qualified.com wss://*.qualified.com https://*.ads.linkedin.com https://www.linkedin.com https://bat.bing.com https:; frame-src https://*.adsrvr.org https://*.cloudflare.com https://*.videodelivery.net https://www.googletagmanager.com https://*.qualified.com https://td.doubleclick.net https://bid.g.doubleclick.net https://9309168.fls.doubleclick.net https://9973066.fls.doubleclick.net https://s.company-target.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; worker-src 'self' blob:; child-src 'self' blob:; upgrade-insecure-requests",
    "parsed": {
      "default-src": [
        "'self'"
      ],
      "script-src": [
        "'self'",
        "'unsafe-inline'",
        "'unsafe-eval'",
        "https://static.cloudflareinsights.com",
        "https://static-staging.cloudflareinsights.com",
        "https://challenges.cloudflare.com",
        "https://*.onetrust.com",
        "https://cdn.cookielaw.org",
        "https://ot.www.cloudflare.com",
        "https://www.googletagmanager.com",
        "https://tagmanager.google.com",
        "https://www.googleadservices.com",
        "https://googleads.g.doubleclick.net",
        "https://adservice.google.com",
        "https://cdn.bizible.com",
        "https://js.adsrvr.org",
        "https://*.marketo.net",
        "https://platform.twitter.com",
        "https://static.ads-twitter.com",
        "https://scripts.demandbase.com",
        "https://tag.demandbase.com",
        "https://*.6sc.co",
        "https://*.qualified.com",
        "https://snap.licdn.com",
        "https://bat.bing.com"
      ],
      "style-src": [
        "'self'",
        "'unsafe-inline'"
      ],
      "img-src": [
        "'self'",
        "data:",
        "https:"
      ],
      "font-src": [
        "'self'",
        "data:"
      ],
      "connect-src": [
        "'self'",
        "https://*.googletagmanager.com",
        "https://*.google-analytics.com",
        "https://*.analytics.google.com",
        "https://analytics.google.com",
        "https://*.doubleclick.net",
        "https://www.googleadservices.com",
        "https://translate.googleapis.com",
        "https://cdn.bizible.com",
        "https://js.adsrvr.org",
        "https://*.marketo.net",
        "https://ads-twitter.com",
        "https://analytics.twitter.com",
        "https://*.twimg.com",
        "https://api.demandbase.com",
        "https://scripts.demandbase.com",
        "https://tag.demandbase.com",
        "https://tag-logger.demandbase.com",
        "https://api.company-target.com",
        "https://*.6sc.co",
        "https://epsilon.6sense.com",
        "https://*.qualified.com",
        "wss://*.qualified.com",
        "https://*.ads.linkedin.com",
        "https://www.linkedin.com",
        "https://bat.bing.com",
        "https:"
      ],
      "frame-src": [
        "https://*.adsrvr.org",
        "https://*.cloudflare.com",
        "https://*.videodelivery.net",
        "https://www.googletagmanager.com",
        "https://*.qualified.com",
        "https://td.doubleclick.net",
        "https://bid.g.doubleclick.net",
        "https://9309168.fls.doubleclick.net",
        "https://9973066.fls.doubleclick.net",
        "https://s.company-target.com"
      ],
      "object-src": [
        "'none'"
      ],
      "base-uri": [
        "'self'"
      ],
      "form-action": [
        "'self'"
      ],
      "frame-ancestors": [
        "'none'"
      ],
      "worker-src": [
        "'self'",
        "blob:"
      ],
      "child-src": [
        "'self'",
        "blob:"
      ],
      "upgrade-insecure-requests": []
    },
    "grade": "F",
    "issues": [
      {
        "severity": "critical",
        "code": "UNSAFE_INLINE",
        "message": "script-src includes 'unsafe-inline', which allows any inline script or event handler and defeats CSP's XSS mitigation (for injected inline code this is equivalent to having no script-src). The impact is compounded here because connect-src ends with a bare https:, so injected script could exfiltrate data to any HTTPS origin.",
        "fix": "Replace 'unsafe-inline' with nonce-based or hash-based script loading: emit a per-response 'nonce-{random}' (at least 128 bits from a CSPRNG, never reused) and add the matching nonce attribute to your <script> tags. With this many third-party tag hosts, pairing the nonce with 'strict-dynamic' lets nonced loaders (e.g. the tag manager) pull in their own dependencies without an ever-growing host allowlist. Browsers that support nonces/hashes ignore 'unsafe-inline' once one is present, so it can stay briefly as a legacy fallback; roll the change out in Content-Security-Policy-Report-Only first.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script"
      },
      {
        "severity": "high",
        "code": "UNSAFE_EVAL",
        "message": "script-src includes 'unsafe-eval', allowing eval(), new Function(), and string arguments to setTimeout()/setInterval(). Any string-to-code sink reachable from attacker-controlled data then becomes a code-injection primitive that CSP would otherwise block.",
        "fix": "Remove 'unsafe-eval' and refactor code to avoid eval(); most modern frameworks don't need it. Test in report-only mode first to find third-party tags that still rely on it, and use 'wasm-unsafe-eval' instead if only WebAssembly compilation is required.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval"
      },
      {
        "severity": "warning",
        "code": "BLOB_URI",
        "message": "worker-src (and child-src, which mirrors it here) allows blob: URIs, so script already running on the page can spin up Workers from dynamically built code. While 'unsafe-inline' is present this adds little; keep it in mind when tightening script-src, because worker-src is evaluated separately and blob: stays permitted.",
        "fix": "Remove blob: from worker-src and child-src unless your application specifically needs it for Web Workers or dynamically generated scripts."
      },
      {
        "severity": "warning",
        "code": "XFO_CSP_CONFLICT",
        "message": "X-Frame-Options (SAMEORIGIN) disagrees with CSP frame-ancestors ('none'). Browsers that implement frame-ancestors ignore X-Frame-Options, so modern browsers deny all framing while legacy browsers would still allow same-origin framing. Not exploitable as-is, but the two should express the same policy so the intent is unambiguous.",
        "fix": "Remove X-Frame-Options and rely on CSP frame-ancestors. Or align both: DENY ↔ frame-ancestors 'none', SAMEORIGIN ↔ frame-ancestors 'self'.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"
      }
    ],
    "missing_directives": []
  },
  "security_headers": {
    "grade": "B",
    "headers": {
      "strict-transport-security": {
        "present": true,
        "value": "max-age=31536000; includeSubDomains",
        "issues": [
          {
            "severity": "info",
            "code": "HSTS_NO_PRELOAD",
            "message": "HSTS preload directive is missing, so the site is not eligible for browser preload lists. Note also that the first hop (the apex redirect) sends max-age=15780000, which is below the one-year (31536000) minimum the preload list requires on the apex domain.",
            "fix": "Serve 'max-age=31536000; includeSubDomains; preload' on every response, including the apex redirect, then submit at hstspreload.org. Preloading is effectively irreversible and applies to all subdomains, so confirm every subdomain serves HTTPS first."
          }
        ],
        "preload_eligible": false
      },
      "x-frame-options": {
        "present": true,
        "value": "SAMEORIGIN",
        "issues": []
      },
      "x-content-type-options": {
        "present": true,
        "value": "nosniff",
        "issues": []
      },
      "referrer-policy": {
        "present": true,
        "value": "strict-origin-when-cross-origin",
        "issues": []
      },
      "permissions-policy": {
        "present": true,
        "value": "geolocation=(), camera=(), microphone=()",
        "issues": []
      },
      "content-security-policy": {
        "present": true,
        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://static-staging.cloudflareinsights.com https://challenges.cloudflare.com https://*.onetrust.com https://cdn.cookielaw.org https://ot.www.cloudflare.com https://www.googletagmanager.com https://tagmanager.google.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://adservice.google.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://platform.twitter.com https://static.ads-twitter.com https://scripts.demandbase.com https://tag.demandbase.com https://*.6sc.co https://*.qualified.com https://snap.licdn.com https://bat.bing.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://analytics.google.com https://*.doubleclick.net https://www.googleadservices.com https://translate.googleapis.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://ads-twitter.com https://analytics.twitter.com https://*.twimg.com https://api.demandbase.com https://scripts.demandbase.com https://tag.demandbase.com https://tag-logger.demandbase.com https://api.company-target.com https://*.6sc.co https://epsilon.6sense.com https://*.qualified.com wss://*.qualified.com https://*.ads.linkedin.com https://www.linkedin.com https://bat.bing.com https:; frame-src https://*.adsrvr.org https://*.cloudflare.com https://*.videodelivery.net https://www.googletagmanager.com https://*.qualified.com https://td.doubleclick.net https://bid.g.doubleclick.net https://9309168.fls.doubleclick.net https://9973066.fls.doubleclick.net https://s.company-target.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; worker-src 'self' blob:; child-src 'self' blob:; upgrade-insecure-requests",
        "issues": []
      },
      "cross-origin-opener-policy": {
        "present": true,
        "value": "unsafe-none",
        "issues": []
      },
      "cross-origin-embedder-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "credentialless"
      },
      "cross-origin-resource-policy": {
        "present": true,
        "value": "cross-origin",
        "issues": []
      }
    },
    "conflicts": [
      {
        "severity": "info",
        "code": "XXSS_PROTECTION_ENABLED",
        "message": "X-XSS-Protection is set to \"1; mode=block\". This header is deprecated: its filter was removed from browsers because it could be abused for cross-site information leaks, and modern browsers ignore it.",
        "fix": "Set X-XSS-Protection: 0 to explicitly disable it, and rely on CSP for XSS protection.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"
      }
    ],
    "score": 85,
    "max_score": 100
  },
  "redirect_chain": {
    "hops": 2,
    "loop_detected": false,
    "mixed_content": false,
    "chain": [
      {
        "url": "https://cloudflare.com",
        "status": 301,
        "location": "https://www.cloudflare.com/",
        "timing_ms": 16,
        "headers_summary": {
          "server": "cloudflare",
          "strict-transport-security": "max-age=15780000; includeSubDomains",
          "cache-control": "max-age=3600",
          "content-type": "text/html"
        },
        "hsts": "max-age=15780000; includeSubDomains"
      },
      {
        "url": "https://www.cloudflare.com/",
        "status": 200,
        "location": null,
        "timing_ms": 92,
        "headers_summary": {
          "server": "cloudflare",
          "strict-transport-security": "max-age=31536000; includeSubDomains",
          "x-frame-options": "SAMEORIGIN",
          "x-content-type-options": "nosniff",
          "referrer-policy": "strict-origin-when-cross-origin",
          "permissions-policy": "geolocation=(), camera=(), microphone=()",
          "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com https://static-staging.cloudflareinsights.com https://challenges.cloudflare.com https://*.onetrust.com https://cdn.cookielaw.org https://ot.www.cloudflare.com https://www.googletagmanager.com https://tagmanager.google.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://adservice.google.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://platform.twitter.com https://static.ads-twitter.com https://scripts.demandbase.com https://tag.demandbase.com https://*.6sc.co https://*.qualified.com https://snap.licdn.com https://bat.bing.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://analytics.google.com https://*.doubleclick.net https://www.googleadservices.com https://translate.googleapis.com https://cdn.bizible.com https://js.adsrvr.org https://*.marketo.net https://ads-twitter.com https://analytics.twitter.com https://*.twimg.com https://api.demandbase.com https://scripts.demandbase.com https://tag.demandbase.com https://tag-logger.demandbase.com https://api.company-target.com https://*.6sc.co https://epsilon.6sense.com https://*.qualified.com wss://*.qualified.com https://*.ads.linkedin.com https://www.linkedin.com https://bat.bing.com https:; frame-src https://*.adsrvr.org https://*.cloudflare.com https://*.videodelivery.net https://www.googletagmanager.com https://*.qualified.com https://td.doubleclick.net https://bid.g.doubleclick.net https://9309168.fls.doubleclick.net https://9973066.fls.doubleclick.net https://s.company-target.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; worker-src 'self' blob:; child-src 'self' blob:; upgrade-insecure-requests",
          "cross-origin-opener-policy": "unsafe-none",
          "cross-origin-resource-policy": "cross-origin",
          "cache-control": "public, max-age=10, s-maxage=10",
          "content-type": "text/html; charset=utf-8"
        },
        "hsts": "max-age=31536000; includeSubDomains"
      }
    ],
    "issues": [],
    "total_time_ms": 108
  },
  "cache": {
    "cache_control": "public, max-age=10, s-maxage=10",
    "parsed": {
      "public": true,
      "max-age": 10,
      "s-maxage": 10
    },
    "effective_ttl": 10,
    "vary": [],
    "cdn_status": null,
    "cdn_provider": "Cloudflare",
    "issues": [],
    "explanation": "Cacheable by browsers and CDNs. Fresh for 10 seconds."
  },
  "tls": {
    "version": null,
    "details": "→ certs.lol/cloudflare.com"
  },
  "_meta": {
    "version": "1.0.0",
    "scan_time_ms": 1671,
    "cache_hit": false,
    "cache_ttl": 3600,
    "docs": "https://xhttp.lol/api/docs",
    "tls_report": "https://certs.lol/cloudflare.com",
    "dns_report": "https://ns.lol/cloudflare.com",
    "full_report": "https://yoke.lol/cloudflare.com"
  }
}