xaya.io

.io crawl

First seen 2026-04-15 · Last seen 2026-05-16 · ok HTTP/1.1 200 801 ms crawled 2026-05-09

US · 104.26.2.124 · AS13335 Cloudflare, Inc.

Reputation 94/100 dmarc monitor-only

Classifying

HTML metadata

Title: Xaya - Open Source Blockchain Gaming Platform
Description: Xaya is the ultimate open-source blockchain gaming platform. Build serverless, decentralized games with true player ownership. Join the revolution in blockchain gaming with WCHI tokens on Polygon and Ethereum.
Language: en
Canonical: https://xaya.io/

Open Graph

url: https://xaya.io/
title: Xaya - Revolutionary Blockchain Gaming Platform
locale: en_US
site name: Xaya
description: Build and play fully decentralized games. No servers needed. True ownership, provably fair gameplay. Start with WCHI on Polygon & Ethereum.

Technology

CDN: Cloudflare
CMS: Gatsby

Third-party hosts loaded (1)

unpkg.com×1

Social

DNS records live

NS

elle.ns.cloudflare.com
lex.ns.cloudflare.com

MX

1 aspmx.l.google.com
10 alt3.aspmx.l.google.com
10 alt4.aspmx.l.google.com
5 alt1.aspmx.l.google.com
5 alt2.aspmx.l.google.com

TXT

Show 5 TXT records

google-site-verification=CKQ_njWY4-5YQUmzDKGtWP4vdDTbiOolvwpvREuxbZI
google-site-verification=sNw76OuHBaz_aoYjGfhgR5EnQuAyJlhoZRUScgaKov4
proxy-ssl.webflow.com
Sendinblue-code:71db232656ffa47f93dd9acc5f534d07
facebook-domain-verification=o3mfaorf33bpnebh6khycpyjqsc430

Email authentication partial

SPF

v=spf1 include:_spf.google.com include:spf.sendinblue.com mx ~all

softfail (~all)

DMARC

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@mailinblue.com!10m; ruf=mailto:dmarc@mailinblue.com!10m; rf=afrf; pct=100; ri=86400

policy: none (monitoring only) · sp=none

DKIM

google: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLQ5B2k0/SSwpJYTpP1Yn+HVzPM8bSuSBiB2IfQEw1bIvtqyezHsKeevA93r1AHwOnShBNp1FLS/iI…
mail: k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeMVIzrCa3T14JsNY0IRv5/2V1/v2itlviLQBwXsa7shBD6TrBkswsFUToPyMRWC9tbR/5ey0nRBH0ZVxp+lsmTxid2Y2z…

selectors probed

Certificate (current)

WE1

from 2026-03-24 to 2026-06-22

Expires in 35 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 80/100 Checked live page: https://xaya.io/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources
missing Referrer Policy
missing Permissions Policy

Header values

x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdn.ethers.io https://cdn.jsdelivr.net https://cdn.skypack.dev https://www.gstatic.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://unpkg.com https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self' https://polygon-bor-rpc.publicnode.com https://polygon.drpc.org https://api.studio.thegraph.com https://polygon-mainnet.graph-eu.p2pify.com https://graph.soccerverse.com https://eth.llamarpc.com https://mainnet.infura.io https://cdn.skypack.dev https://cdn.jsdelivr.net https://www.gstatic.com https://*.google-analytics.com https://*.googleapis.com https://*.firebase.googleapis.com https://*.firebaseio.com https://*.cloudfunctions.net
strict-transport-security: max-age=31536000; includeSubDomains