- Scan ID:
- dfdf0781-5df2-47ef-b151-ccd014a294a7Finished
- Submitted URL:
- https://coda.io/form/Fractionals-United-Application-Form_d5FbI2oYZb2
- Report Finished:
Risks · 0 found
Practices that may pose security risks
Security Headers · 7 found
HTTP response headers that can harden the security of a web application
Learn more...| Name | Value | Support | Info |
|---|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Good | Declare that a website is only accessible over a secure connection (HTTPS). Click to learn more... |
| X-Frame-Options | — | Good | Indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Click to learn more... |
| X-Content-Type-Options | nosniff | Good | Indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. Click to learn more... |
| Content-Security-Policy | base-uri 'none'; child-src 'self' * blob:; connect-src 'self' https://cdn.coda.io wss://coda.io https://coda.io wss://*.intercom.io https://coda-us-west-2-prod-blobs-upload.s3-accelerate.amazonaws.com https://coda-us-west-2-prod-packs-upload.s3-accelerate.amazonaws.com https://coda-us-west-2-prod-packs.s3.us-west-2.amazonaws.com https://codahosted.io https://codacontent.io https://coda.io https://*.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://sdk.iad-05.braze.com https://app.getsentry.com https://iframe.ly https://cdn.iframe.ly https://api.rollbar.com https://baconipsum.com https://api.trello.com https://api.stripe.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.google.com/ccm/collect https://*.g.doubleclick.net https://*.google.com https://www.google.com/pagead/landing https://www.facebook.com https://*.marketo.com https://*.mktoresp.com https://*.mktoutil.com https://*.mutinycdn.com https://*.mutinyhq.com https://*.mutinyhq.io https://cdn.cookielaw.org https://*.onetrust.com https://us-central1-adaptive-growth.cloudfunctions.net https://sink.pdst.fm https://grsm.io https://partnerlinks.io https://pixel.pvd.to https://tracker.pixeltracker.co https://pixelconnector.pixeltracker.co https://login.microsoftonline.com https://graph.microsoft.com https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com https://*.api.sanity.io https://*.apicdn.sanity.io https://statsig.coda.io https://statsigapi.net https://app.clearbit.com https://cdn.linkedin.oribi.io https://snap.licdn.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://p.adsymptotic.com https://gw.linkedin.oribi.io https://dc.ads.linkedin.com https://sjs.bizographics.com https://api.sprig.com https://cdn.sprig.com https://pixels.spotify.com/v1/ingest https://api.cr-relay.com/ https://*.getkoala.com wss://*.getkoala.com; default-src 'self' https://cdn.coda.io https://codacontent.io https://coda-us-west-2-prod-blobs.s3.us-west-2.amazonaws.com https://coda.io; font-src data: https://cdn.coda.io https://js.intercomcdn.com https://fonts.intercomcdn.com https://fonts.gstatic.com https://fonts.googleapis.com https://use.typekit.net; form-action 'self' https://api-iam.intercom.io https://intercom.help *.coda.io; frame-ancestors 'self' *.intercom-sheets.com teams.microsoft.com chrome-extension://ocjjmmnhefcaopncklmdodfglamkeign chrome-extension://pbdpddefpmdbfdgkaknnmimgjmjoefmj chrome-extension://cdgkmagmdldlpiglliebaajdpdkigcbi sites.google.com www.gstatic.com *.googleusercontent.com *.liftlab.com *.atlassian.net *.sharepoint.com *.sanity.studio; frame-src *; img-src * blob: data:; media-src 'self' https://cdn.coda.io https://js.intercomcdn.com https://cdn.sanity.io; object-src 'none'; report-uri /csp-violation; script-src 'strict-dynamic' 'nonce-dd20468fa72e4508b10768abb9cb8ca9' 'unsafe-inline' 'unsafe-eval' https: https://*.mutinycdn.com https://*.googletagmanager.com https://cdn.cr-relay.com/ https://*.getkoala.com; style-src 'self' 'unsafe-inline' blob: https://accounts.google.com https://cdn.coda.io https://fonts.googleapis.com https://use.typekit.net https://p.typekit.net https://*.mktoweb.com; worker-src 'self' blob: | Good | Control resources the user agent is allowed to load for a given page. Click to learn more... |
| Referrer-Policy | strict-origin-when-cross-origin | Good | Control how much referrer information should be included with requests. Click to learn more... |
| Clear-Site-Data | — | Good | Control the data stored by a client browser for their origins. Click to learn more... |
| X-Permitted-Cross-Domain-Policies | none | Good | Control whether a web client such as Adobe Flash Player or Adobe Acrobat has permission to handle data across domains. Click to learn more... |
| Permissions-Policy | fullscreen=*; autoplay=(self); geolocation=* | New | Allow and deny the use of browser features in a document or iframe. Click to learn more... |
| Cross-Origin-Embedder-Policy | — | New | Configure embedding cross-origin resources into the document. Click to learn more... |
| Cross-Origin-Opener-Policy | — | New | Ensure a top-level document does not share a browsing context group with cross-origin documents. Click to learn more... |
| Cross-Origin-Resource-Policy | — | New | Request that the browser blocks no-cors cross-origin/cross-site requests to the given resource. Click to learn more... |
| X-XSS-Protection | 0 | Deprecated | Deprecated. Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Click to learn more... |
| Feature-Policy | — | Deprecated | Deprecated. Replaced by the Permissions-Policy header. Click to learn more... |
| Expect-CT | — | Deprecated | Deprecated. Opt in to reporting and/or enforcement of Certificate Transparency requirements. Click to learn more... |
| Public-Key-Pins | — | Deprecated | Deprecated. Allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Click to learn more... |
Security Violations · 0 found
Requests or resources offending security policies
Certificates · 7 found
SSL/TLS Certificates enable websites to encrypt transactions between the client and the server and provide server identity verification
| Subject | Issue date | Expiry date |
|---|---|---|
| coda.io | Jun 12, 2024, 00:00:00 | Jul 10, 2025, 23:59:59 |
| cdn.coda.io | Jul 20, 2024, 00:00:00 | Aug 18, 2025, 23:59:59 |
| codacontent.io | Jun 1, 2024, 00:00:00 | Jun 29, 2025, 23:59:59 |
| *.google-analytics.com | Nov 4, 2024, 08:37:47 | Jan 27, 2025, 08:37:46 |
| partnerstack.com | Oct 29, 2024, 15:03:41 | Jan 27, 2025, 16:03:16 |
| grsm.io | Nov 15, 2024, 17:44:28 | Feb 13, 2025, 17:44:27 |
| partnerlinks.io | Nov 4, 2024, 03:05:36 | Feb 2, 2025, 03:05:35 |