HTTP Headers for dropbox.com

Responds with HTTP 200 OK from envoy, with 5 of the 6 checked security headers present; Permissions-Policy is the one missing. Presence alone is a coarse measure: the CSP's script-src allows both 'unsafe-inline' and 'unsafe-eval' with no nonce or hash, so it does not block injected inline scripts, and HSTS is set for one year with includeSubDomains but without preload. The locale cookie is set without Secure or HttpOnly, which matters little for a preference cookie.

URL checked: https://www.dropbox.com/ (HTTP 200 OK)

Security headers present: 5/6
HSTS: present
CSP: present
X-Frame-Options: present
X-Content-Type-Options: present
Referrer-Policy: present
Permissions-Policy: missing
All response headers (21):
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cache-control: no-cache, no-store
connection: close
content-security-policy: base-uri 'self'; child-src https://www.dropbox.com/static/serviceworker/ blob:; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/; default-src 'none'; font-src 'self' data: https://*; form-action 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker https://*.sharepoint.com/; frame-ancestors 'self'; frame-src https://* dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: blob:; img-src https://* data: blob:; media-src https://* blob:; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://edge-live.dropboxstatic.com/static/; report-to csp-metaserver-whitelist; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://edge-live.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://www.paypal.com/sdk/js https://applepay.cdn-apple.com https://snippet.meticulous.ai/record/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline'; style-src https://* 'unsafe-inline' 'unsafe-eval'; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob:
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin-allow-popups
date: Fri, 24 Apr 2026 10:08:01 GMT
pragma: no-cache
referrer-policy: strict-origin-when-cross-origin
reporting-endpoints: coop-dws2="https://www.dropbox.com/csp_log?policy_name=coop-dws2", max_age=10886400, csp-metaserver-whitelist="https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist", max_age=10886400
server: envoy
set-cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Wed, 23 Apr 2031 10:08:01 GMT
strict-transport-security: max-age=31536000; includeSubDomains
transfer-encoding: chunked
vary: Accept-Encoding
x-content-type-options: nosniff
x-dropbox-request-id: 5da0cc9d18cc4338a5b3926d69eb4101
x-dropbox-response-origin: far_remote
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
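The check the report above performs, as an added example (not the checker's own code): it scores the same six headers by presence and then goes one step further than a presence count, parsing the CSP to see whether script-src actually blocks inline scripts, checking HSTS max-age/includeSubDomains/preload, and flagging cookie attributes. The sample response is constructed from the headers listed above, with the CSP trimmed to the directives inspected; the function names, the finding wording and the "one year" threshold are this example's own choices.

```python
import re

# Constructed sample: a subset of the response headers listed above, with the
# CSP trimmed to the directives inspected. Swap in dict(resp.headers) from a
# live request to check another site.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "base-uri 'self'; default-src 'none'; frame-ancestors 'self'; "
        "object-src 'self' https://cfl.dropboxstatic.com/static/; "
        "script-src 'unsafe-eval' https://www.dropbox.com/static/api/ "
        "https://www.google.com/recaptcha/ 'unsafe-inline'; "
        "style-src https://* 'unsafe-inline' 'unsafe-eval'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": "locale=en; Path=/; Domain=dropbox.com; Expires=Wed, 23 Apr 2031 10:08:01 GMT",
}

# The six headers the report scores; matching is case-insensitive.
SCORED = ("strict-transport-security", "content-security-policy", "x-frame-options",
          "x-content-type-options", "referrer-policy", "permissions-policy")
ONE_YEAR = 31536000


def score(headers):
    """Return (present, missing) among the six scored headers."""
    names = {k.lower() for k in headers}
    return [n for n in SCORED if n in names], [n for n in SCORED if n not in names]


def parse_csp(value):
    """Split a CSP into {directive: [sources]}; browsers keep only the first
    occurrence of a repeated directive, so later duplicates are dropped."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(value):
    """A CSP being present says little until script-src is inspected."""
    p, out = parse_csp(value), []
    # script-src and object-src fall back to default-src; base-uri and
    # frame-ancestors do not.
    script = p.get("script-src", p.get("default-src", []))
    nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonced:
        out.append("script-src allows 'unsafe-inline' with no nonce or hash: injected inline scripts run")
    if "'unsafe-eval'" in script:
        out.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "https://*") for s in script):
        out.append("script-src allows a wildcard scheme or host")
    if "object-src" not in p and p.get("default-src") != ["'none'"]:
        out.append("object-src unrestricted (absent and default-src is not 'none')")
    out += [f"{d} not set" for d in ("base-uri", "frame-ancestors") if d not in p]
    return out


def hsts_findings(value):
    """Check max-age, includeSubDomains and preload on an HSTS header."""
    lower = value.lower()
    m = re.search(r"max-age\s*=\s*(\d+)", lower)
    max_age = int(m.group(1)) if m else 0
    out = [f"max-age={max_age} is below one year"] if max_age < ONE_YEAR else []
    if "includesubdomains" not in lower:
        out.append("includeSubDomains missing")
    if "preload" not in lower:
        out.append("preload missing (only needed for the browser preload list)")
    return out


def cookie_findings(value):
    """Report Secure/HttpOnly attributes missing from one Set-Cookie value."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    return [f"{f} flag missing" for f in ("Secure", "HttpOnly") if f.lower() not in attrs]


def report(headers):
    """Score the six headers and attach per-header findings."""
    h = {k.lower(): v for k, v in headers.items()}
    present, missing = score(headers)
    findings = {}
    if "content-security-policy" in h:
        findings["csp"] = csp_findings(h["content-security-policy"])
    if "strict-transport-security" in h:
        findings["hsts"] = hsts_findings(h["strict-transport-security"])
    if "set-cookie" in h:
        findings["cookie"] = cookie_findings(h["set-cookie"])
    if "x-xss-protection" in h:  # deprecated header: Chromium dropped its XSS auditor
        findings["legacy"] = ["X-XSS-Protection is deprecated; rely on CSP instead"]
    return {"score": f"{len(present)}/{len(SCORED)}", "missing": missing, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_HEADERS), indent=2))
```

Run against the sample it reproduces the 5/6 score with permissions-policy missing, and adds the two script-src findings ('unsafe-inline' without a nonce or hash, and 'unsafe-eval') that the presence count hides. A nonce- or hash-based policy that still lists 'unsafe-inline' for older browsers is not flagged, because CSP3-capable browsers ignore 'unsafe-inline' once a nonce or hash is present.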