indexo.dev

trumpet.app

.app crawl

First seen 2026-05-03 · Last seen 2026-05-03 · ok HTTP/1.1 200 1499 ms crawled 2026-05-10

US · 216.150.1.193 · AS16509 Amazon.com, Inc.

Reputation 100/100

Classifying

HTML metadata

Language
en

Technology

CDN
Vercel
CMS
Next.js
Fonts
  • Adobe Fonts
  • Google Fonts

Third-party hosts loaded (5)

  • fonts.googleapis.com×3
  • ajax.googleapis.com×1
  • fonts.gstatic.com×1
  • px.ads.linkedin.com×1
  • use.typekit.net×1

DNS records live

NS
  • ns1.vercel-dns.com
  • ns2.vercel-dns.com
MX
  • 10 mxa.mailgun.org
  • 10 mxb.mailgun.org
TXT
  • hubspot-developer-verification=YjlhMzkyMGQtYWUzMS00MmY0LWJjM2QtYWFmODc5YjFhMjRh
Verified for
  • Google

Email authentication strong

SPF
v=spf1 include:mailgun.org ~all
softfail (~all)
DMARC
v=DMARC1; p=quarantine;
policy: quarantine
DKIM
  • k1: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgPXUmgVL5IvYlh8pjjKBx4WIA2DcvTR27bfQoN9zFYpA6k1k4sUocdFn0RCc9k3xE/2KwrpBfE4K69cNdL4SA/qOFEEz…
selectors probed

Certificate (current)

R13
from 2026-03-17 to 2026-06-15
Expires in 26 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 70/100 Checked live page: https://trumpet.app/login

present
  • strict-transport-security
  • content-security-policy
  • x-content-type-options
findings
  • CSP allows unsafe inline scripts/styles
  • CSP uses wildcard sources
  • missing frame protection
  • missing Referrer Policy
  • missing Permissions Policy
Header values
x-content-type-options
nosniff
content-security-policy
default-src 'self'; script-src 'self' 'nonce-ZjNlYjA5ZTEtNTdjMC00MDcwLTg2YjEtMzQyMjQ4YmU3MDU2' 'strict-dynamic' 'unsafe-inline' 'wasm-unsafe-eval' https: http:; style-src 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' https: data: blob:; media-src 'self' https: blob:; font-src 'self' https://p.typekit.net https://use.typekit.net https://fonts.googleapis.com https://fonts.gstatic.com https: data:; frame-src 'self' https:; child-src 'self' https: blob:; connect-src 'self' https: wss://*.velt.dev wss://*.firebasedatabase.app wss://ws-eu.pusher.com wss://*.intercom.io wss://*.intercom-messenger.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self' https://*.hubspot.com https://*.gong.io https://*.salesforce.com https://*.force.com/ https://*.lightning.force.com/; upgrade-insecure-requests
strict-transport-security
max-age=63072000; includeSubDomains; preload

Linked from (1)