Security Headers Checker

HTTP 200 · https://www.atlassian.com/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=63072000; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

base-uri 'self'; default-src 'self' *.atlassian.com *.intercomcdn.com *.orangelogic.com *.6sc.co *.6sense.com sourcetreeapp.com *.sourcetreeapp.com; script-src 'self' *.gstatic.com *.cookielaw.org *.public.atl-paas.net *.prod.atl-paas.net *.googletagmanager.com *.marketo.net *.atlassian.com utt.impactcdn.com *.google.com *.doubleclick.com *.googleadservices.com *.livechatinc.com *.bing.com *.quora.com *.yimg.jp *.clicktale.net *.linkedin.com *.twitter.com *.licdn.com *.demandbase.com *.doubleclick.net *.facebook.net *.redditstatic.com *.clearbitscripts.com *.clarity.ms *.vimeo.com *.google-analytics.com facebook.com *.facebook.com impactcdn.com *.impactcdn.com clearbitjs.com *.clearbitjs.com yahoo.co.jp *.yahoo.co.jp *.recaptcha.net *.ads-twitter.com *.intercom.io *.intercomcdn.com *.jsdelivr.net *.6sc.co *.6sense.com *.techtarget.com *.capterra.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' *.public.atl-paas.net *.prod.atl-paas.net fonts.googleapis.com *.googletagmanager.com sourcetreeapp.com *.sourcetreeapp.com 'unsafe-inline'; img-src 'self' blob: data: atlassian.com *.atlassian.com *.cookielaw.org *.gravatar.com *.wp.com fd-assets.prod.atl-paas.net pixel.pointmediatracker.com *.prod.public.atl-paas.net cnv.event.prod.bidr.io *.doubleclick.net *.clicktale.net *.bing.com rlcdn.com reddit.com quora.com *.rlcdn.com *.reddit.com *.quora.com *.ctfassets.net *.linkedin.com *.google.com *.google.com.au *.company-target.com *.facebook.com *.google-analytics.com *.twitter.com t.co *.intercomcdn.com *.intercomassets.com *.frontend.public.atl-paas.net *.orangelogic.com *.googletagmanager.com img.logo.dev *.atlassian.net sourcetreeapp.com *.sourcetreeapp.com; font-src 'self' *.ctfassets.net *.intercomcdn.com *.gstatic.com *.frontend.public.atl-paas.net; frame-ancestors 'none'; form-action 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/wac-web; report-to csp-default-endpoint; connect-src 'self' ws: atlassian.com *.atlassian.com *.cookielaw.org *.onetrust.com *.public.atl-paas.net *.prod.atl-paas.net *.mktoresp.com *.ingest.sentry.io *.workato.com atlassian.sjv.io statsigapi.net *.statsigapi.net *.contentful.com atlassian.net *.clicktale.net *.contentsquare.net *.bing.com google-analytics.com company-target.com linkedin.com *.google-analytics.com *.company-target.com *.linkedin.com *.doubleclick.net *.reddit.com *.redditstatic.com *.google.com *.demandbase.com *.clarity.ms *.clearbit.com *.intercom.io *.algolianet.com *.algolia.net *.algolia.io *.recaptcha.net https://unpkg.com/@rive-app/ *.facebook.com *.orangelogic.com *.adnxs.com *.6sc.co *.6sense.com apis.auxia.io *.atlassian.net https://participant.connect.us-east-1.amazonaws.com wss://participant.connect.us-east-1.amazonaws.com *.connect.us-east-1.amazonaws.com sourcetreeapp.com *.sourcetreeapp.com; worker-src 'self' blob:; frame-src 'self' *.youtube.com *.google.com *.doubleclick.net *.recaptcha.net *.atl-paas.net *.company-target.com *.googletagmanager.com *.atlassian.net; media-src 'self' *.ctfassets.net *.atlassian.com *.orangelogic.com

[ STRONG ]

// Prevents clickjacking by blocking iframe embedding from other origins.

DENY

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security