{
  "url": "https://stripe.com",
  "scanned_at": "2026-06-17T20:14:30.338Z",
  "grade": "B",
  "cors": {
    "enabled": false,
    "allow_origin": null,
    "allow_credentials": false,
    "allow_methods": [],
    "allow_headers": [],
    "expose_headers": [],
    "max_age": null,
    "preflight_status": 204,
    "vary_origin": false,
    "issues": [
      {
        "severity": "info",
        "code": "NO_CORS_HEADERS",
        "message": "No CORS headers present. Browsers will not let scripts on other origins read responses from this URL; simple cross-origin requests are still sent.",
        "fix": "If you intend to allow cross-origin access, set the Access-Control-Allow-Origin header.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
      }
    ]
  },
  "csp": {
    "present": true,
    "mode": "enforce",
    "raw": "base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=h-4sDrVyx4MMf-FsdFbmD_6E6kCK6IyGpTRGos0FnCSHrn6scSyQE0pHl5sp52g%3D; report-to csp",
    "parsed": {
      "base-uri": [
        "'none'"
      ],
      "child-src": [
        "'none'"
      ],
      "connect-src": [
        "https://c.increment.com",
        "https://c.stripe.dev",
        "https://c.stripe.global",
        "https://c.stripe.partners",
        "blob:",
        "https://b.stripecdn.com",
        "https://errors.stripe.com",
        "https://ext.stripe.com",
        "https://r.stripe.com",
        "https://stripe-images.s3.us-west-1.amazonaws.com",
        "https://stripe.com",
        "'self'"
      ],
      "default-src": [
        "'none'"
      ],
      "font-src": [
        "https://b.stripecdn.com",
        "'self'"
      ],
      "form-action": [
        "https://stripe.com",
        "'self'"
      ],
      "frame-ancestors": [
        "https://app.contentful.com",
        "'self'"
      ],
      "frame-src": [
        "https://b.stripecdn.com",
        "https://js.stripe.com",
        "https://support-conversations.stripe.com",
        "'self'"
      ],
      "img-src": [
        "data:",
        "https://assets.ctfassets.net",
        "https://assets.stripeassets.com",
        "https://b.stripecdn.com",
        "https://images.ctfassets.net",
        "https://images.stripeassets.com",
        "https://q.stripe.com",
        "'self'"
      ],
      "manifest-src": [
        "'none'"
      ],
      "media-src": [
        "https://assets.ctfassets.net",
        "https://assets.stripeassets.com",
        "https://b.stripecdn.com",
        "https://videos.ctfassets.net",
        "https://videos.stripeassets.com",
        "'self'"
      ],
      "object-src": [
        "'none'"
      ],
      "script-src": [
        "https://b.stripecdn.com",
        "https://js.stripe.com",
        "'self'",
        "'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc='",
        "'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw='",
        "'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc='",
        "'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek='",
        "'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg='",
        "'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0='",
        "'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc='",
        "'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg='",
        "'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek='",
        "'report-sample'"
      ],
      "style-src": [
        "https://b.stripecdn.com",
        "'self'",
        "'unsafe-inline'"
      ],
      "worker-src": [
        "https://b.stripecdn.com",
        "'self'"
      ],
      "upgrade-insecure-requests": [],
      "report-uri": [
        "https://q.stripe.com/csp-violation?q=h-4sDrVyx4MMf-FsdFbmD_6E6kCK6IyGpTRGos0FnCSHrn6scSyQE0pHl5sp52g%3D"
      ],
      "report-to": [
        "csp"
      ]
    },
    "grade": "B",
    "issues": [
      {
        "severity": "warning",
        "code": "XFO_CSP_CONFLICT",
        "message": "X-Frame-Options (SAMEORIGIN) conflicts with CSP frame-ancestors (https://app.contentful.com 'self'). CSP takes precedence in modern browsers.",
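        "fix": "Remove X-Frame-Options and rely on CSP frame-ancestors. Or align both: DENY ↔ frame-ancestors 'none', SAMEORIGIN ↔ frame-ancestors 'self'. X-Frame-Options cannot express an allow-list of other origins, so aligning is only possible when frame-ancestors is 'none' or 'self'.",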
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"
      }
    ],
    "missing_directives": []
  },
  "security_headers": {
    "grade": "C",
    "headers": {
      "strict-transport-security": {
        "present": true,
        "value": "max-age=63072000; includeSubDomains; preload",
        "issues": [],
        "preload_eligible": true
      },
      "x-frame-options": {
        "present": true,
        "value": "SAMEORIGIN",
        "issues": []
      },
      "x-content-type-options": {
        "present": true,
        "value": "nosniff",
        "issues": []
      },
      "referrer-policy": {
        "present": true,
        "value": "no-referrer-when-downgrade",
        "issues": [
          {
            "severity": "warning",
            "code": "REFERRER_LEAKY",
            "message": "Referrer-Policy \"no-referrer-when-downgrade\" leaks full URLs to other sites, including paths and query strings.",
            "fix": "Use strict-origin-when-cross-origin or strict-origin to limit referrer information."
          }
        ]
      },
      "permissions-policy": {
        "present": false,
        "value": null,
        "issues": [
          {
            "severity": "info",
            "code": "NO_PERMISSIONS_POLICY",
            "message": "No Permissions-Policy header. Browser features like camera, microphone, and geolocation use default permissions.",
            "fix": "Add Permissions-Policy: camera=(), microphone=(), geolocation=() to restrict sensitive features.",
            "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy"
          }
        ],
        "recommendation": "camera=(), microphone=(), geolocation=()"
      },
      "content-security-policy": {
        "present": true,
        "value": "base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=h-4sDrVyx4MMf-FsdFbmD_6E6kCK6IyGpTRGos0FnCSHrn6scSyQE0pHl5sp52g%3D; report-to csp",
        "issues": []
      },
      "cross-origin-opener-policy": {
        "present": true,
        "value": "same-origin-allow-popups; report-to=\"wsp_coop\"",
        "issues": []
      },
      "cross-origin-embedder-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "credentialless"
      },
      "cross-origin-resource-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "same-origin"
      }
    },
    "conflicts": [],
    "score": 70,
    "max_score": 100
  },
  "redirect_chain": {
    "hops": 1,
    "loop_detected": false,
    "mixed_content": false,
    "chain": [
      {
        "url": "https://stripe.com",
        "status": 200,
        "location": null,
        "timing_ms": 109,
        "headers_summary": {
          "server": "cloudflare",
          "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
          "x-frame-options": "SAMEORIGIN",
          "x-content-type-options": "nosniff",
          "referrer-policy": "no-referrer-when-downgrade",
          "content-security-policy": "base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=pXcezKMZwcq9eABTcR0RbdSzKAzE9Nrfl0Oz97L50BH6kmv11_jJmQAMtdrOAuU%3D; report-to csp",
          "cross-origin-opener-policy": "same-origin-allow-popups; report-to=\"wsp_coop\"",
          "content-type": "text/html; charset=utf-8",
          "cf-cache-status": "DYNAMIC",
          "vary": "accept-encoding"
        },
        "hsts": "max-age=63072000; includeSubDomains; preload"
      }
    ],
    "issues": [],
    "total_time_ms": 109
  },
  "cache": {
    "cache_control": null,
    "parsed": {},
    "effective_ttl": null,
    "vary": [
      "accept-encoding"
    ],
    "cdn_status": "DYNAMIC",
    "cdn_provider": "Cloudflare",
    "issues": [
      {
        "severity": "info",
        "code": "NO_CACHE_CONTROL",
        "message": "No Cache-Control header. Browsers and CDNs will use heuristic caching based on Last-Modified.",
        "fix": "Set an explicit Cache-Control header. For static assets: public, max-age=31536000, immutable. For HTML: no-cache or public, max-age=0, must-revalidate. For responses carrying user-specific or sensitive data: no-store.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control"
      }
    ],
    "explanation": "No explicit cache policy. Browsers will use heuristic caching."
  },
  "tls": {
    "version": null,
    "details": "→ certs.lol/stripe.com"
  },
  "_meta": {
    "version": "1.0.0",
    "scan_time_ms": 241,
    "cache_hit": false,
    "cache_ttl": 3600,
    "docs": "https://xhttp.lol/api/docs",
    "tls_report": "https://certs.lol/stripe.com",
    "dns_report": "https://ns.lol/stripe.com",
    "full_report": "https://yoke.lol/stripe.com"
  }
}