Skip to content
https://goodrx.com

Security

· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
77
GRADE
C
FIX
2
REVIEW
4
PASS
6
INFO
0
Checks
12
6 PASS 4 REVIEW 2 FIX
D
Content Security Policy
Action
3 of 10 CSP checks passed
FIX
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: android-webview-video-poster: goodrx.com *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com *.heydoctor.com descopecdn.com; block-all-mixed-content; script-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com healthination.com *.heydoctor.com d2bnxibecyz4h5.cloudfront.net *.scorecardresearch.com unpkg.com s3.amazonaws.com descopecdn.com static.descope.com *.px-cdn.net *.videoamp.com gx9e.app.link app.link *.px-cloud.net rampjs-cdn.system1.com *.trustpilot.com *.riddle.com *.sentry-cdn.com *.affirm.com static.legitscript.com *.osano.com *.doubleverify.com *.googletagservices.com *.2mdn.net *.adsafeprotected.com *.parsely.com www.datadoghq-browser-agent.com trc.lhmos.com *.adnxs.com *.adnxs-simple.com *.segment.io *.segment.com cd.goodrx.com js.stripe.com *.branch.io *.adtrafficquality.google *.googleadservices.com *.googletagmanager.com sync.graph.bluecava.com *.hcn.health *.doubleclick.net *.googlesyndication.com *.googleapis.com *.gstatic.com *.google.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com *.optimizely.com *.google-analytics.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com; style-src data: 'self' 'unsafe-inline' *.goodrx.com *.goodrx.com. *.grxstatic.com *.gstatic.com *.google.com *.googleapis.com s3.amazonaws.com static.descope.com content.app.descope.com *.innovid.com; img-src data: blob: android-webview-video-poster: 'self' *.goodrx.com *.goodrx.com. *.grxstatic.com www.hellogoodrx.com *.heydoctor.com static.dwcdn.net *.scorecardresearch.com *.bidr.io beeswax.com static.star2.descope.app static.descope.com *.insightexpressai.com bat.bing.com *.googleusercontent.com content.app.descope.com *.evidon.com *.doubleverify.com *.google-analytics.com *.innovid.com *.adsafeprotected.com goodrx-web-assets.s3.us-west-2.amazonaws.com sync.graph.bluecava.com s3.amazonaws.com *.ctfassets.net *.adtrafficquality.google syndicatedsearch.goog *.hcn.health trc.lhmos.com *.adnxs.com *.adnxs-simple.com p.alcmpn.com *.adsrvr.org *.googleapis.com *.googleadservices.com *.gstatic.com *.googlesyndication.com *.google.com *.doubleclick.net *.googletagmanager.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com static.legitscript.com *.parsely.com *.2mdn.net *.riddle.com d4fuqqd5l3dbz.cloudfront.net askchapter.org unpkg.com www.medtargetsystem.com surveygizmolibrary.s3.amazonaws.com *.rlcdn.com *.flashtalking.com www.flashtalking.net; connect-src data: blob: 'self' goodrx.com *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com *.heydoctor.com surveygizmobeacon.s3.amazonaws.com d2bnxibecyz4h5.cloudfront.net *.zapier.com *.scorecardresearch.com *.rlcdn.com *.adsafeprotected.com *.affirm.com gx9e.app.link app.link cdn.contentful.com soflopxl.com bat.bing.com static.star2.descope.app api.descope.com content.app.descope.com p.alcmpn.com *.googleadservices.com static.legitscript.com *.segment.com cd.goodrx.com *.segment.io *.perimeterx.net *.pxchk.net *.perimeterx.net *.px-cdn.net *.parsely.com rampjs-cdn.system1.com trc.lhmos.com *.ctfassets.net rum.browser-intake-us5-datadoghq.com browser-intake-datadoghq.com *.browser-intake-datadoghq.com *.datadoghq.com *.googleadservices.com *.doubleverify.com *.sentry-cdn.com sentry.io *.ingest.sentry.io *.ingest.us.sentry.io *.optimizely.com *.px-cloud.net *.px-client.net *.doubleclick.net *.hcn.health *.gstatic.com *.googletagmanager.com *.google-analytics.com *.google.com *.googleapis.com *.googlesyndication.com *.googletagservices.com sync.graph.bluecava.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com *.branch.io *.osano.com *.adtrafficquality.google globalsiteanalytics.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com descopecdn.com vtrk.dv.tech ene-debug-scripts.doubleverify.io; font-src data: *.goodrx.com *.goodrx.com. *.heydoctor.com *.grxstatic.com *.gstatic.com *.innovid.com *.typekit.net *.googleapis.com *.googleusercontent.com descopecdn.com static.descope.com content.app.descope.com maxcdn.bootstrapcdn.com unpkg.com; media-src data: blob: *.goodrx.com *.goodrx.com. *.grxstatic.com *.gstatic.com *.googlevideo.com *.gvt1.com *.2mdn.net *.innovid.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com *.flashtalking.com; frame-ancestors 'self' data: blob: mediastream: android-webview-video-poster: *.goodrx.com *.goodrx.com. *.grxstatic.com *.osano.com *.rlcdn.com *.contentful.com adzerk-preview.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com; child-src blob: *.goodrx.com *.goodrx.com. *.grxstatic.com *.osano.com *.scorecardresearch.com *.googletagmanager.com *.hcn.health *.doubleclick.net *.googleapis.com *.googlesyndication.com syndicatedsearch.goog *.google.com *.googleadservices.com *.2mdn.net js.stripe.com datawrapper.dwcdn.net *.riddle.com *.trustpilot.com; worker-src blob: chrome: *.goodrx.com *.goodrx.com.; frame-src 'self' *.goodrx.com *.goodrx.com. *.grxstatic.com *.osano.com *.scorecardresearch.com scores.securityscorecard.io *.rlcdn.com *.affirm.com *.adsrvr.org bat.bing.com js.stripe.com *.jwplayer.com www.youtube.com partners-medicare.askchapter.org *.googletagservices.com *.adtrafficquality.google datawrapper.dwcdn.net *.hcn.health google.com *.google.com *.googletagmanager.com *.googleadservices.com *.googleapis.com *.doubleclick.net *.trustpilot.com syndicatedsearch.goog *.googlesyndication.com *.riddle.com *.2mdn.net *.innovid.com survey.alchemer.com *.medtargetsystem.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com *.doubleverify.com vtrk.dv.tech ene-debug-scripts.doubleverify.io ajs-assets.ftstatic.com *.flashtalking.com www.flashtalking.net; fenced-frame-src 'self' *.google.com *.googlesyndication.com; script-src-elem blob: data: 'unsafe-inline' *.goodrx.com *.goodrx.com. *.grxstatic.com *.heydoctor.com d2bnxibecyz4h5.cloudfront.net *.scorecardresearch.com unpkg.com bat.bing.com s3.amazonaws.com js.stripe.com *.jwpcdn.com *.adnxs.com trc.lhmos.com *.osano.com *.px-cloud.net *.px-cdn.net descopecdn.com static.descope.com content.app.descope.com rampjs-cdn.system1.com *.parsely.com *.segment.com cd.goodrx.com *.segment.io gx9e.app.link app.link *.evidon.com *.trustpilot.com *.doubleclick.net *.doubleverify.com *.googlesyndication.com *.google.com *.hcn.health *.sentry-cdn.com *.videoamp.com *.adtrafficquality.google *.gstatic.com *.adsafeprotected.com choices.truste.com choices.trustarc.com *.innovid.com *.googleapis.com *.googleadservices.com *.googletagservices.com *.google-analytics.com *.googletagmanager.com *.affirm.com static.legitscript.com *.branch.io *.optimizely.com sync.graph.bluecava.com *.datadoghq-browser-agent.com *.2mdn.net *.riddle.com *.jwplatform.com *.jwplayer.com healthination.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com ajs-assets.ftstatic.com; style-src-elem blob: data: 'unsafe-inline' *.goodrx.com *.goodrx.com. *.grxstatic.com *.evidon.com *.innovid.com s3.amazonaws.com *.gstatic.com *.google.com *.googleapis.com static.descope.com content.app.descope.com p.typekit.net pt.dwcdn.net; object-src sync.graph.bluecava.com; report-uri https://sentry.io/api/5148329/security/?sentry_key=b77e90b1f5654f2e83a0238f4cf07987
Info::
default-src directive is set
Got: default-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: android-webview-video-poster: goodrx.com *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com *.heydoctor.com descopecdn.com
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com healthination.com *.heydoctor.com d2bnxibecyz4h5.cloudfront.net *.scorecardresearch.com unpkg.com s3.amazonaws.com descopecdn.com static.descope.com *.px-cdn.net *.videoamp.com gx9e.app.link app.link *.px-cloud.net rampjs-cdn.system1.com *.trustpilot.com *.riddle.com *.sentry-cdn.com *.affirm.com static.legitscript.com *.osano.com *.doubleverify.com *.googletagservices.com *.2mdn.net *.adsafeprotected.com *.parsely.com www.datadoghq-browser-agent.com trc.lhmos.com *.adnxs.com *.adnxs-simple.com *.segment.io *.segment.com cd.goodrx.com js.stripe.com *.branch.io *.adtrafficquality.google *.googleadservices.com *.googletagmanager.com sync.graph.bluecava.com *.hcn.health *.doubleclick.net *.googlesyndication.com *.googleapis.com *.gstatic.com *.google.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com *.optimizely.com *.google-analytics.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: *.goodrx.com *.goodrx.com. *.grxstatic.com *.grxweb.com healthination.com *.heydoctor.com d2bnxibecyz4h5.cloudfront.net *.scorecardresearch.com unpkg.com s3.amazonaws.com descopecdn.com static.descope.com *.px-cdn.net *.videoamp.com gx9e.app.link app.link *.px-cloud.net rampjs-cdn.system1.com *.trustpilot.com *.riddle.com *.sentry-cdn.com *.affirm.com static.legitscript.com *.osano.com *.doubleverify.com *.googletagservices.com *.2mdn.net *.adsafeprotected.com *.parsely.com www.datadoghq-browser-agent.com trc.lhmos.com *.adnxs.com *.adnxs-simple.com *.segment.io *.segment.com cd.goodrx.com js.stripe.com *.branch.io *.adtrafficquality.google *.googleadservices.com *.googletagmanager.com sync.graph.bluecava.com *.hcn.health *.doubleclick.net *.googlesyndication.com *.googleapis.com *.gstatic.com *.google.com *.jwpcdn.com *.jwplayer.com *.jwplatform.com *.jwpltx.com *.jwpsrv.com videos-fms.jwpsrv.com videos-cloudflare.jwpsrv.com *.optimizely.com *.google-analytics.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com site806-fyn1ivvp.chartwire.cloud ecw.desotoregional.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com
Info::
No wildcard in script source
Warning::
object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src sync.graph.bluecava.com Expected: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self' data: blob: mediastream: android-webview-video-poster: *.goodrx.com *.goodrx.com. *.grxstatic.com *.osano.com *.rlcdn.com *.contentful.com adzerk-preview.com *.getvim.com *.athenahealth.com *.ecwcloud.com *.eclinicalweb.com www.medtargetsystem.com ecw.gsantosmd.com ecw.padderhealth.com site807-5c2melqa.chartwire.cloud cranium.rhgnc.org ecw.imgnh.com *.allscripts.com *.officeally.com *.oadomain.com *.drchrono.com *.elationemr.com *.mdland.com *.emedpractice.com
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'
Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'self''unsafe-eval''unsafe-inline'data:blob:mediastream:android-webview-video-poster:goodrx.com*.goodrx.com*.goodrx.com.*.grxstatic.com*.grxweb.com*.heydoctor.comdescopecdn.com
block-all-mixed-content
script-src 'self''unsafe-eval''unsafe-inline'data:blob:mediastream:*.goodrx.com*.goodrx.com.*.grxstatic.com*.grxweb.comhealthination.com*.heydoctor.comd2bnxibecyz4h5.cloudfront.net*.scorecardresearch.comunpkg.coms3.amazonaws.comdescopecdn.comstatic.descope.com*.px-cdn.net*.videoamp.comgx9e.app.linkapp.link*.px-cloud.netrampjs-cdn.system1.com*.trustpilot.com*.riddle.com*.sentry-cdn.com*.affirm.comstatic.legitscript.com*.osano.com*.doubleverify.com*.googletagservices.com*.2mdn.net*.adsafeprotected.com*.parsely.comwww.datadoghq-browser-agent.comtrc.lhmos.com*.adnxs.com*.adnxs-simple.com*.segment.io*.segment.comcd.goodrx.comjs.stripe.com*.branch.io*.adtrafficquality.google*.googleadservices.com*.googletagmanager.comsync.graph.bluecava.com*.hcn.health*.doubleclick.net*.googlesyndication.com*.googleapis.com*.gstatic.com*.google.com*.jwpcdn.com*.jwplayer.com*.jwplatform.com*.jwpltx.com*.jwpsrv.comvideos-fms.jwpsrv.comvideos-cloudflare.jwpsrv.com*.optimizely.com*.google-analytics.com*.getvim.com*.athenahealth.com*.ecwcloud.com*.eclinicalweb.comwww.medtargetsystem.comsite806-fyn1ivvp.chartwire.cloudecw.desotoregional.comecw.gsantosmd.comecw.padderhealth.comsite807-5c2melqa.chartwire.cloudcranium.rhgnc.orgecw.imgnh.com*.allscripts.com*.officeally.com*.oadomain.com*.drchrono.com*.elationemr.com*.mdland.com*.emedpractice.com
style-src data:'self''unsafe-inline'*.goodrx.com*.goodrx.com.*.grxstatic.com*.gstatic.com*.google.com*.googleapis.coms3.amazonaws.comstatic.descope.comcontent.app.descope.com*.innovid.com
img-src data:blob:android-webview-video-poster:'self'*.goodrx.com*.goodrx.com.*.grxstatic.comwww.hellogoodrx.com*.heydoctor.comstatic.dwcdn.net*.scorecardresearch.com*.bidr.iobeeswax.comstatic.star2.descope.appstatic.descope.com*.insightexpressai.combat.bing.com*.googleusercontent.comcontent.app.descope.com*.evidon.com*.doubleverify.com*.google-analytics.com*.innovid.com*.adsafeprotected.comgoodrx-web-assets.s3.us-west-2.amazonaws.comsync.graph.bluecava.coms3.amazonaws.com*.ctfassets.net*.adtrafficquality.googlesyndicatedsearch.goog*.hcn.healthtrc.lhmos.com*.adnxs.com*.adnxs-simple.comp.alcmpn.com*.adsrvr.org*.googleapis.com*.googleadservices.com*.gstatic.com*.googlesyndication.com*.google.com*.doubleclick.net*.googletagmanager.com*.jwpcdn.com*.jwplayer.com*.jwplatform.com*.jwpltx.com*.jwpsrv.comvideos-fms.jwpsrv.comvideos-cloudflare.jwpsrv.comstatic.legitscript.com*.parsely.com*.2mdn.net*.riddle.comd4fuqqd5l3dbz.cloudfront.netaskchapter.orgunpkg.comwww.medtargetsystem.comsurveygizmolibrary.s3.amazonaws.com*.rlcdn.com*.flashtalking.comwww.flashtalking.net
connect-src data:blob:'self'goodrx.com*.goodrx.com*.goodrx.com.*.grxstatic.com*.grxweb.com*.heydoctor.comsurveygizmobeacon.s3.amazonaws.comd2bnxibecyz4h5.cloudfront.net*.zapier.com*.scorecardresearch.com*.rlcdn.com*.adsafeprotected.com*.affirm.comgx9e.app.linkapp.linkcdn.contentful.comsoflopxl.combat.bing.comstatic.star2.descope.appapi.descope.comcontent.app.descope.comp.alcmpn.com*.googleadservices.comstatic.legitscript.com*.segment.comcd.goodrx.com*.segment.io*.perimeterx.net*.pxchk.net*.perimeterx.net*.px-cdn.net*.parsely.comrampjs-cdn.system1.comtrc.lhmos.com*.ctfassets.netrum.browser-intake-us5-datadoghq.combrowser-intake-datadoghq.com*.browser-intake-datadoghq.com*.datadoghq.com*.googleadservices.com*.doubleverify.com*.sentry-cdn.comsentry.io*.ingest.sentry.io*.ingest.us.sentry.io*.optimizely.com*.px-cloud.net*.px-client.net*.doubleclick.net*.hcn.health*.gstatic.com*.googletagmanager.com*.google-analytics.com*.google.com*.googleapis.com*.googlesyndication.com*.googletagservices.comsync.graph.bluecava.com*.jwpcdn.com*.jwplayer.com*.jwplatform.com*.jwpltx.com*.jwpsrv.comvideos-fms.jwpsrv.comvideos-cloudflare.jwpsrv.com*.branch.io*.osano.com*.adtrafficquality.googleglobalsiteanalytics.com*.getvim.com*.athenahealth.com*.ecwcloud.com*.eclinicalweb.comwww.medtargetsystem.comsite806-fyn1ivvp.chartwire.cloudecw.desotoregional.comecw.gsantosmd.comecw.padderhealth.comsite807-5c2melqa.chartwire.cloudcranium.rhgnc.orgecw.imgnh.com*.allscripts.com*.officeally.com*.oadomain.com*.drchrono.com*.elationemr.com*.mdland.com*.emedpractice.comdescopecdn.comvtrk.dv.techene-debug-scripts.doubleverify.io
font-src data:*.goodrx.com*.goodrx.com.*.heydoctor.com*.grxstatic.com*.gstatic.com*.innovid.com*.typekit.net*.googleapis.com*.googleusercontent.comdescopecdn.comstatic.descope.comcontent.app.descope.commaxcdn.bootstrapcdn.comunpkg.com
media-src data:blob:*.goodrx.com*.goodrx.com.*.grxstatic.com*.gstatic.com*.googlevideo.com*.gvt1.com*.2mdn.net*.innovid.com*.jwpcdn.com*.jwplayer.com*.jwplatform.com*.jwpltx.com*.jwpsrv.comvideos-fms.jwpsrv.comvideos-cloudflare.jwpsrv.com*.flashtalking.com
frame-ancestors 'self'data:blob:mediastream:android-webview-video-poster:*.goodrx.com*.goodrx.com.*.grxstatic.com*.osano.com*.rlcdn.com*.contentful.comadzerk-preview.com*.getvim.com*.athenahealth.com*.ecwcloud.com*.eclinicalweb.comwww.medtargetsystem.comecw.gsantosmd.comecw.padderhealth.comsite807-5c2melqa.chartwire.cloudcranium.rhgnc.orgecw.imgnh.com*.allscripts.com*.officeally.com*.oadomain.com*.drchrono.com*.elationemr.com*.mdland.com*.emedpractice.com
child-src blob:*.goodrx.com*.goodrx.com.*.grxstatic.com*.osano.com*.scorecardresearch.com*.googletagmanager.com*.hcn.health*.doubleclick.net*.googleapis.com*.googlesyndication.comsyndicatedsearch.goog*.google.com*.googleadservices.com*.2mdn.netjs.stripe.comdatawrapper.dwcdn.net*.riddle.com*.trustpilot.com
worker-src blob:chrome:*.goodrx.com*.goodrx.com.
frame-src 'self'*.goodrx.com*.goodrx.com.*.grxstatic.com*.osano.com*.scorecardresearch.comscores.securityscorecard.io*.rlcdn.com*.affirm.com*.adsrvr.orgbat.bing.comjs.stripe.com*.jwplayer.comwww.youtube.compartners-medicare.askchapter.org*.googletagservices.com*.adtrafficquality.googledatawrapper.dwcdn.net*.hcn.healthgoogle.com*.google.com*.googletagmanager.com*.googleadservices.com*.googleapis.com*.doubleclick.net*.trustpilot.comsyndicatedsearch.goog*.googlesyndication.com*.riddle.com*.2mdn.net*.innovid.comsurvey.alchemer.com*.medtargetsystem.comsite806-fyn1ivvp.chartwire.cloudecw.desotoregional.com*.doubleverify.comvtrk.dv.techene-debug-scripts.doubleverify.ioajs-assets.ftstatic.com*.flashtalking.comwww.flashtalking.net
fenced-frame-src 'self'*.google.com*.googlesyndication.com
script-src-elem blob:data:'unsafe-inline'*.goodrx.com*.goodrx.com.*.grxstatic.com*.heydoctor.comd2bnxibecyz4h5.cloudfront.net*.scorecardresearch.comunpkg.combat.bing.coms3.amazonaws.comjs.stripe.com*.jwpcdn.com*.adnxs.comtrc.lhmos.com*.osano.com*.px-cloud.net*.px-cdn.netdescopecdn.comstatic.descope.comcontent.app.descope.comrampjs-cdn.system1.com*.parsely.com*.segment.comcd.goodrx.com*.segment.iogx9e.app.linkapp.link*.evidon.com*.trustpilot.com*.doubleclick.net*.doubleverify.com*.googlesyndication.com*.google.com*.hcn.health*.sentry-cdn.com*.videoamp.com*.adtrafficquality.google*.gstatic.com*.adsafeprotected.comchoices.truste.comchoices.trustarc.com*.innovid.com*.googleapis.com*.googleadservices.com*.googletagservices.com*.google-analytics.com*.googletagmanager.com*.affirm.comstatic.legitscript.com*.branch.io*.optimizely.comsync.graph.bluecava.com*.datadoghq-browser-agent.com*.2mdn.net*.riddle.com*.jwplatform.com*.jwplayer.comhealthination.com*.getvim.com*.athenahealth.com*.ecwcloud.com*.eclinicalweb.comsite806-fyn1ivvp.chartwire.cloudecw.desotoregional.comecw.gsantosmd.comecw.padderhealth.comsite807-5c2melqa.chartwire.cloudcranium.rhgnc.orgecw.imgnh.com*.allscripts.com*.officeally.com*.oadomain.com*.drchrono.com*.elationemr.com*.mdland.com*.emedpractice.comajs-assets.ftstatic.com
style-src-elem blob:data:'unsafe-inline'*.goodrx.com*.goodrx.com.*.grxstatic.com*.evidon.com*.innovid.coms3.amazonaws.com*.gstatic.com*.google.com*.googleapis.comstatic.descope.comcontent.app.descope.comp.typekit.netpt.dwcdn.net
object-src sync.graph.bluecava.com
report-uri https://sentry.io/api/5148329/security/?sentry_key=b77e90b1f5654f2e83a0238f4cf07987
D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
C
Security Headers
Action
4 of 10 headers properly configured
REVIEW
4 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31557600 Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Warning::
Referrer-Policy has a weak value
Got: origin Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: mediastream: androi…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: Varnish

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY
Why this matters

Without frame protection, your site can be embedded in a hostile page and used for clickjacking.

Learn more

Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.

Source: OWASP / MDN

Expected: strict-origin-when-cross-origin
Why this matters

Weak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.

Learn more

Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).

Source: MDN Referrer-Policy / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

B
Cookie Security
5 cookies analyzed, 5 checks passed
REVIEW
5 cookies analyzed, 5 checks passed
Info::
Cookie 'fastly_unique_id' has the Secure flag
Warning::
Cookie 'fastly_unique_id' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'fastly_unique_id' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
Info::
Cookie 'grx_unique_id' has the Secure flag
Warning::
Cookie 'grx_unique_id' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'grx_unique_id' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
Info::
Cookie 'optimizelyEndUserId' has the Secure flag
Warning::
Cookie 'optimizelyEndUserId' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'optimizelyEndUserId' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
Info::
Cookie 'grx_visit_start' has the Secure flag
Warning::
Cookie 'grx_visit_start' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'grx_visit_start' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
Info::
Cookie 'grx_sa' has the Secure flag
Warning::
Cookie 'grx_sa' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'grx_sa' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
5 cookies analyzed 10 warnings
NameSecureHttpOnlySameSiteSizeIssues
fastly_unique_id48 B2
grx_unique_id45 B2
optimizelyEndUserId51 B2
grx_visit_start25 B2
grx_sa11 B2
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
B
security.txt
Published with 0 contact(s)
REVIEW

security.txt

A+
TLS & Certificates
TLS 1.2, 7 checks passed
PASS
TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 261 days)
Got: 2027-01-09T21:00:19Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 1 domain(s)
Got: goodrx.com
Info::
Certificate is issued by a trusted CA
Got: CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BE

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.2
Cipher Suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=goodrx.comIssuer CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BEValid 2025-12-08T21:00:20Z → 2027-01-09T21:00:19ZExpires in 261 days SANs goodrx.comSignature SHA256-RSASerial 17edbe24e6bb240f212d0480a54ed89
Intermediate (CA Certificate)
Subject CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BEIssuer CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSignValid 2025-07-16T03:06:35Z → 2027-07-16T00:00:00ZExpires in 449 days Signature SHA256-RSASerial 83da86ab0e31b19d8f03a5edd5bdbd66
A+
Subresource Integrity
No external resources
PASS
No external resources
Info::
No external resources to protect
SRI Coverage No external resources — SRI not applicable
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt ExposedSecurity PolicyInfo
A+
Email Security
DMARC: reject
PASS
DMARC: reject
Info::
DMARC policy is reject — strongest protection
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; rua=mailto:postmaster@goodrx.com
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (base policy)
Info::
HSTS missing includeSubDomains
Without includeSubDomains, HSTS only protects the exact domain.
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback