HTTP headers

discord.com response headers

https://discord.com/
HTTP 200 · grade A
HEAD · 140ms
What this means

Strong header hygiene — the major security headers are present and configured at modern defaults. Re-check after deploys; CSP is the one most likely to silently regress.

Security headers

A · Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
A · Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-MjMwLDIzMiw1MywxNTYsMTIzLDg3LDUsODE=' https://discord.com https://www.googletagmanager.com https://connect.facebook.net https://www.google-analytics.com https://ssl.google-analytics.com https://www.gstatic.com/recaptcha (value truncated in this summary; the full header is listed under "All response headers")
A · X-Frame-Options: DENY
A · X-Content-Type-Options: nosniff
C · Referrer-Policy — missing
    No Referrer-Policy header. The browser default leaks the full URL on cross-origin requests.
A · Permissions-Policy: interest-cohort=()

Warnings

Caching

Cache-Control: no-cache
Last-Modified: Fri, 24 Apr 2026 21:41:50 GMT

Cookies (2)

__dcfduid: Secure; HttpOnly; SameSite=Lax
__sdcfduid: Secure; HttpOnly; SameSite=Lax

Server & transport

Server: cloudflare

What to try next

Lock in CSP

If your CSP is good today, set up a CSP report-only deploy gate to catch silent regressions.

Monitor

Re-run after every deploy. Most security-header regressions land via reverse-proxy config drift.

All response headers (24)

alt-svc: h3=":443"; ma=86400
cache-control: no-cache
cf-cache-status: HIT
cf-ray: 9f1b033bbc82e600-IAD
connection: keep-alive
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-MjMwLDIzMiw1MywxNTYsMTIzLDg3LDUsODE=' https://discord.com https://www.googletagmanager.com https://connect.facebook.net https://www.google-analytics.com https://ssl.google-analytics.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com https://challenges.cloudflare.com https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://www.youtube.com/s/player/ https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location https:/
content-type: text/html; charset=utf-8
date: Sat, 25 Apr 2026 05:40:23 GMT
last-modified: Fri, 24 Apr 2026 21:41:50 GMT
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
o2o-cache-status: HIT
permissions-policy: interest-cohort=()
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=OACLam50ubcP%2FilcON5QQv%2BS7cEM7iIWIH%2BlDLvycxwyD%2BzwXfCM3fr6G5zbXPcBdlbUpFmXsTvgst5TnDltgINe7Mt0wVcfTAFTwbt66mxSY8neFFQBHEMZGtl3"}]}
reporting-endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
server: cloudflare
set-cookie: __dcfduid=40ec0770406911f1baa587821c6fecd3; Expires=Thu, 24 Apr 2031 05:40:23 GMT; Max-Age=157680000; Path=/; Secure; HttpOnly; SameSite=Lax, __sdcfduid=40ec0771406911f1baa587821c6fecd3507462701dd81a1b9dd37fa63b748efc091a0a198b5c02c9a5e186bca23cea46; Expires=Thu, 24 Apr 2031 05:40:23 GMT; Max-Age=157680000; Path=/; Secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
surrogate-control: max-age=2147483647
surrogate-key: prod-wf1.discord.com 6257adef93867e50d84d30e2 pageId:682721f53dee216a91e1f555
vary: accept-encoding
x-content-type-options: nosniff
x-forwarded-for: 3.84.73.73
x-frame-options: DENY
x-xss-protection: 1; mode=block

Methodology

Probe
We send a HEAD request to https://{host}/ (falling back to GET on a 405 or 501 response), capture every response header, and grade the six load-bearing security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The overall letter grade is the average of those six.
Counts as DOWN
The HEAD (and GET fallback) request fails to complete — DNS, TCP, TLS, or timeout. Nothing to grade.
Counts as DEGRADED
Reserved for grade C / D — common security headers present but weakened, or some missing. The probe still returns full data; the grade reflects production-readiness.
Detail
We do not test for known CVEs, fingerprint application versions, or attempt downgrade attacks. The probe is a single request — what the server returned to a generic client. CSP grading is intentionally crude (penalises wildcard sources and 'unsafe-eval'); a manual review is the right move for fine-grained CSP work.
Cadence
Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).
Rate-limited targets
If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.
Data source
Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.
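The following script is an added example, not the checker's own code: it applies the methodology above to a header set, either fetched with the same HEAD-then-GET probe or pasted from an "All response headers" block. The page states only that six headers are graded, that the overall letter is their average, that CSP grading crudely penalises wildcard sources and 'unsafe-eval', and that a missing Referrer-Policy is reported as C; every other threshold in the per-header graders (the one-year HSTS bar, the B/C/D steps, Permissions-Policy treated like Referrer-Policy) is an assumption made here for illustration. The sample inputs are constructed: the first is abbreviated from the discord.com capture above, the second is a deliberately weak policy.

```python
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional, Tuple

# The six headers the methodology grades; the overall letter is their average.
SIX = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)
LETTERS = "ABCDF"  # index 0..4 corresponds to score 4..0


def merge_headers(pairs: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Lower-case header names and join repeated headers with ', ' (HTTP list folding)."""
    out: Dict[str, str] = {}
    for name, value in pairs:
        key = name.strip().lower()
        out[key] = f"{out[key]}, {value.strip()}" if key in out else value.strip()
    return out


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines, e.g. a copied 'All response headers' block."""
    return merge_headers(line.split(":", 1) for line in raw.strip().splitlines() if ":" in line)


def fetch_headers(host: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD https://{host}/ and fall back to GET on 405/501, as the probe does (needs network)."""
    url = f"https://{host}/"
    for method in ("HEAD", "GET"):
        try:
            req = urllib.request.Request(url, method=method)
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return merge_headers(resp.headers.items())
        except urllib.error.HTTPError as err:
            if method == "HEAD" and err.code in (405, 501):
                continue  # server refuses HEAD: one retry with GET
            return merge_headers(err.headers.items())  # a non-2xx reply still carries gradable headers
    raise RuntimeError("unreachable")


def _drop(letter: str, steps: int) -> str:
    """Move a letter grade down by `steps`, never below F."""
    return LETTERS[min(LETTERS.index(letter) + steps, len(LETTERS) - 1)]


def grade_hsts(v: Optional[str]) -> str:
    if v is None:
        return "F"
    m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
    age = int(m.group(1)) if m else 0
    if age >= 31536000:  # one year (assumed bar; it is also the preload-list minimum)
        return "A" if re.search(r"includesubdomains", v, re.I) else "B"
    return "C" if age > 0 else "D"


def grade_csp(v: Optional[str]) -> str:
    """Crude on purpose, like the probe: one step down per directive whose source list
    holds a bare '*', and one for 'unsafe-eval'. A host wildcard such as https://*.example
    is not a bare '*', and 'unsafe-inline' is left alone because a nonce in the same
    directive makes modern browsers ignore it."""
    if v is None:
        return "F"
    wildcard_directives = sum(1 for d in v.split(";") if "*" in d.split()[1:])
    return _drop("A", wildcard_directives + int("'unsafe-eval'" in v))


def grade_xfo(v: Optional[str]) -> str:
    if v is None:
        return "F"
    return "A" if v.strip().upper() in ("DENY", "SAMEORIGIN") else "C"


def grade_xcto(v: Optional[str]) -> str:
    if v is None:
        return "F"
    return "A" if v.strip().lower() == "nosniff" else "C"


STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def grade_referrer(v: Optional[str]) -> str:
    if v is None:
        return "C"  # matches the report above, which grades the missing header C
    policy = v.split(",")[-1].strip().lower()  # the last token wins when several are sent
    if policy in STRICT_REFERRER:
        return "A"
    return "D" if policy == "unsafe-url" else "B"


def grade_permissions(v: Optional[str]) -> str:
    return "A" if v else "C"  # assumption: same treatment as a missing Referrer-Policy


GRADERS = dict(zip(SIX, (grade_hsts, grade_csp, grade_xfo, grade_xcto, grade_referrer, grade_permissions)))


def grade(headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (overall letter, per-header letters); the overall is the rounded average score."""
    per = {name: fn(headers.get(name)) for name, fn in GRADERS.items()}
    avg = sum(4 - LETTERS.index(g) for g in per.values()) / len(per)
    return LETTERS[4 - round(avg)], per


# Constructed sample, abbreviated from the discord.com capture above (graded headers only).
DISCORD_SAMPLE = """\
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-MjMwLDIzMiw1MywxNTYsMTIzLDg3LDUsODE=' https://discord.com https://*.hcaptcha.com
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Permissions-Policy: interest-cohort=()
Server: cloudflare
"""

# Constructed counter-example that trips the crude CSP rule and the other graders.
WEAK_SAMPLE = """\
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-eval'
Referrer-Policy: unsafe-url
"""

if __name__ == "__main__":
    for label, raw in (("discord.com sample", DISCORD_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        overall, per = grade(parse_headers(raw))
        print(f"{label}: overall {overall}")
        for name, letter in per.items():
            print(f"  {letter}  {name}")
```

Run against the abbreviated capture, the script reproduces the report's picture: five A grades plus a C for the absent Referrer-Policy average to 3.67, which rounds to an A, so a single missing header does not dent the overall letter. That is exactly why the page's advice to re-run after every deploy matters: the average can stay at A while one header regresses, and only the per-header breakdown shows it.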