urlscan.io logo urlscan.io
SecurityTrails logo

pay.capitastar.com Open in urlscan Pro
20.43.173.20  Public Scan

Go To Rescan Add Verdict Report
Submitted URL: https://cstar.sg/ul/gc?ac=T7WTBE6UXEHGCWNE
Effective URL: https://pay.capitastar.com/
Submission: On January 08 via api from US — Scanned from SG
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 3 IPs in 1 countries across 2 domains to perform 18 HTTP transactions. The main IP is 20.43.173.20, located in Singapore, Singapore and belongs to MICROSOFT-CORP-MSN-AS-BLOCK, US. The main domain is pay.capitastar.com.
TLS certificate: Issued by Entrust Certification Authority - L1K on April 18th 2023. Valid for: a year.
This is the only time pay.capitastar.com was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

IP Address AS Autonomous System
1 3 20.43.153.233 8075 (MICROSOFT...)
16 20.43.173.20 8075 (MICROSOFT...)
18 3
Apex Domain
Subdomains		 Transfer
18 capitastar.com
pay.capitastar.com
moba.capitastar.com — Cisco Umbrella Rank: 317500
1 MB
1 cstar.sg
cstar.sg
1012 B
18 2
Domain Requested by
16 pay.capitastar.com pay.capitastar.com
2 moba.capitastar.com pay.capitastar.com
1 cstar.sg 1 redirects
18 3

This site contains links to these domains. Also see Links.

Domain
www.capitastar.com
www.capitaland.com
Subject Issuer Validity Valid
*.capitastar.com
Entrust Certification Authority - L1K		 2023-04-18 -
2024-05-18		 a year crt.sh

This page contains 1 frames:

Primary Page: https://pay.capitastar.com/
Frame ID: 0EF4E5C2F28A04A33513A4C5D71657A6
Requests: 18 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

CapitaStar - Login Wallet

Page URL History Show full URLs

  1. https://cstar.sg/ul/gc?ac=T7WTBE6UXEHGCWNE HTTP 301
    https://pay.capitastar.com/ Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • <[^>]*class="ant-(?:btn|col|row|layout|breadcrumb|menu|pagination|steps|select|cascader|checkbox|calendar|form|input-number|input|mention|rate|radio|slider|switch|tree-select|time-picker|transfer|upload|avatar|badge|card|carousel|collapse|list|popover|tooltip|table|tabs|tag|timeline|tree|alert|modal|message|notification|progress|popconfirm|spin|anchor|back-top|divider|drawer)

Page Statistics

18
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

3
Subdomains

3
IPs

1
Countries

1303 kB
Transfer

3439 kB
Size

4
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://cstar.sg/ul/gc?ac=T7WTBE6UXEHGCWNE HTTP 301
    https://pay.capitastar.com/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

18 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request /
pay.capitastar.com/
Redirect Chain
  • https://cstar.sg/ul/gc?ac=T7WTBE6UXEHGCWNE
  • https://pay.capitastar.com/
3 KB
2 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
2239d324ed695bf51d47a033c8425760638f8f2b37240bc4c69893eaf3eb1f66
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36
accept-language
zh-SG,zh;q=0.9

Response headers

Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Connection
keep-alive
Content-Encoding
gzip
Content-Language
zh-SG
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Type
text/html
Date
Mon, 08 Jan 2024 05:06:29 GMT
Expires
0
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Pragma
no-cache
Referrer-Policy
same-origin
Strict-Transport-Security
max-age=15724800; includeSubDomains
Transfer-Encoding
chunked
Vary
Accept-Encoding Origin Access-Control-Request-Method Access-Control-Request-Headers
X-Content-Type-Options
nosniff
X-Frame-Options
Deny
X-Permitted-Cross-Domain-Policies
none
X-XSS-Protection
1; mode=block

Redirect headers

Cache-Control
no-cache
Content-Length
0
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com; script-src 'self' 'unsafe-inline' https://cdn.mxpnl.com; style-src 'self' 'unsafe-inline'; img-src 'self' * data: https; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;
Date
Mon, 08 Jan 2024 05:06:29 GMT
Expires
-1
Location
https://pay.capitastar.com/#/gift-card?ac=T7WTBE6UXEHGCWNE
Pragma
no-cache
Referrer-Policy
same-origin
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
X-Frame-Options
Deny
X-Permitted-Cross-Domain-Policies
none
X-XSS-Protection
1; mode=block
umi.d403f1ae.css
pay.capitastar.com/ 		110 KB
20 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/umi.d403f1ae.css
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
df7860ec8a9c05e1bd504117f180bc8115652594afab44ba01d84c33c85a73c1
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
text/css
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
capitaStarLogoRgb.png
pay.capitastar.com/ 		24 KB
25 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://pay.capitastar.com/capitaStarLogoRgb.png
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
bcf05fb3716888a91a0d6ab9acf8353ac25a3ca0519aaceb4c2277cccf864628
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
X-Permitted-Cross-Domain-Policies
none
Connection
keep-alive
Content-Length
24639
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
image/png
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Accept-Ranges
bytes
Expires
0
imgLoading.png
pay.capitastar.com/ 		6 KB
7 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://pay.capitastar.com/imgLoading.png
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
229fb579ae8cf69a771bacc3dca2f0a600ed3a69dce69b7434fbea96c94187be
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
X-Permitted-Cross-Domain-Policies
none
Connection
keep-alive
Content-Length
6295
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
image/png
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Accept-Ranges
bytes
Expires
0
umi.d5bfd9c8.js
pay.capitastar.com/ 		2 MB
625 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/umi.d5bfd9c8.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
c092edcff287491dac485802d74cab69c2167a67c9b582336492bb01415a1c6c
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
layouts__SecurityLayout.9ef5c2dc.async.js
pay.capitastar.com/ 		2 KB
2 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/layouts__SecurityLayout.9ef5c2dc.async.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
89cbfdfee5ce636aae469bcaafa82b9caedc06c22b8a6e12d68b54e04bf10269
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
truncated
/ 		6 KB
0 		Image
General
Check archive.org
Download Go to Show image
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
229fb579ae8cf69a771bacc3dca2f0a600ed3a69dce69b7434fbea96c94187be

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Content-Type
image/png
vendors.1537cfd7.chunk.css
pay.capitastar.com/ 		217 KB
41 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/vendors.1537cfd7.chunk.css
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
5d355572d262679bc3e8e82401671e10a5fb6272f833d52dce8c4c9642c7f661
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
text/css
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
vendors.23b47575.async.js
pay.capitastar.com/ 		981 KB
361 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/vendors.23b47575.async.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
8218a9379f7d9d338f1f712ef129ba2a9721f01163a5b19c4cddd93c6fbb3860
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
layouts__BasicLayout.1a2ea358.async.js
pay.capitastar.com/ 		50 KB
10 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/layouts__BasicLayout.1a2ea358.async.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
9fdc156b63826c7f3c0e315a5f7b96804b3be6531a4499d6bc92c9b161dc8eb5
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
layouts__UserLayout.87a77c9c.chunk.css
pay.capitastar.com/ 		3 KB
2 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/layouts__UserLayout.87a77c9c.chunk.css
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
55efdd1f0d5a335629ad03b3d3601728b17f90b893d66552464f922b9413b8b6
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
text/css
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
layouts__UserLayout.f465fd7d.async.js
pay.capitastar.com/ 		5 KB
3 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/layouts__UserLayout.f465fd7d.async.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
c35c095b911a98ec9d01e920b57a0dd4ce99c1985c4dd3b25d6ae16cbb90c779
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
p__user__LoginOTP__index.fd0afbd3.async.js
pay.capitastar.com/ 		4 KB
3 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/p__user__LoginOTP__index.fd0afbd3.async.js
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
38e3b011c918bf1dde9ebc22f1a6317381df877320c77ef6e36df4436494c849
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/javascript
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
capitaStarLogoNewTemplate.588871d4.png
pay.capitastar.com/static/ 		16 KB
17 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://pay.capitastar.com/static/capitaStarLogoNewTemplate.588871d4.png
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
0d97b0700a9d0159353827a20eed88a3668808cf1cb7178694cce8610cac59b3
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
X-Permitted-Cross-Domain-Policies
none
Connection
keep-alive
Content-Length
16009
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
image/png
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Accept-Ranges
bytes
Expires
0
public-config
moba.capitastar.com/mbs/api/web-wallet/v1/ 		612 B
1 KB 		Fetch
General
Check archive.org
Download Go to
Full URL
https://moba.capitastar.com/mbs/api/web-wallet/v1/public-config
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
20.43.153.233 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
b2a3fcca0bde1724d35725724a59f4cc0e0e2f9a8719bc0744981339d7db4a0d
Security Headers
Name Value
Content-Security-Policy default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

Accept
application/json
Referer
accept-language
zh-SG,zh;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36
Content-Type
application/json;charset=UTF-8

Response headers

Content-Security-Policy
default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Permitted-Cross-Domain-Policies
none
Date
Mon, 08 Jan 2024 05:06:31 GMT
Transfer-Encoding
chunked
X-XSS-Protection
1; mode=block
Referrer-Policy
same-origin
Vary
Accept-Encoding
Access-Control-Allow-Methods
GET, POST, OPTIONS
Content-Type
application/json;charset=UTF-8
Access-Control-Allow-Origin
https://pay.capitastar.com
Cache-Control
no-store, no-cache, must-revalidate, max-age=0
X-Frame-Options
Deny
Access-Control-Allow-Headers
Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, fToken, token, Access-Control-Request-Method, Access-Control-Request-Headers
version
pay.capitastar.com/ 		19 B
1 KB 		Fetch
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/version
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
71570290b1ffff16efb8f216b3ba6d62092c32da606d2f74e9f48bb9b4de0a40
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

Accept
application/json
Referer
https://pay.capitastar.com/
accept-language
zh-SG,zh;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36
Content-Type
application/json;charset=UTF-8

Response headers

Date
Mon, 08 Jan 2024 05:06:30 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/json
Access-Control-Allow-Origin
*
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0
public-config
moba.capitastar.com/mbs/api/web-wallet/v1/ 		0
0 		Preflight
General
Check archive.org
Download Go to
Full URL
https://moba.capitastar.com/mbs/api/web-wallet/v1/public-config
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
20.43.153.233 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
Security Headers
Name Value
Content-Security-Policy default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

Accept
*/*
Access-Control-Request-Headers
content-type
Access-Control-Request-Method
POST
Origin
https://pay.capitastar.com
Sec-Fetch-Mode
cors
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Access-Control-Allow-Headers
Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, fToken, token, Access-Control-Request-Method, Access-Control-Request-Headers
Access-Control-Allow-Methods
GET, POST, OPTIONS
Access-Control-Allow-Origin
https://pay.capitastar.com
Allow
GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control
no-store, no-cache, must-revalidate, max-age=0
Content-Length
0
Content-Security-Policy
default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;
Content-Type
application/json;charset=UTF-8
Date
Mon, 08 Jan 2024 05:06:31 GMT
Referrer-Policy
same-origin
Strict-Transport-Security
max-age=15724800; includeSubDomains
Vary
Access-Control-Request-Headers
X-Content-Type-Options
nosniff
X-Frame-Options
Deny
X-Permitted-Cross-Domain-Policies
none
X-XSS-Protection
1; mode=block
capitaStarLogoNewTemplate.588871d4.png
pay.capitastar.com/static/ 		16 KB
17 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://pay.capitastar.com/static/capitaStarLogoNewTemplate.588871d4.png
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d5bfd9c8.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
0d97b0700a9d0159353827a20eed88a3668808cf1cb7178694cce8610cac59b3
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

accept-language
zh-SG,zh;q=0.9
Referer
https://pay.capitastar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:31 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
X-Permitted-Cross-Domain-Policies
none
Connection
keep-alive
Content-Length
16009
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
image/png
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Accept-Ranges
bytes
Expires
0
helvetica.06113bf7.ttf
pay.capitastar.com/static/ 		311 KB
166 KB 		Font
General
Check archive.org
Download Go to
Full URL
https://pay.capitastar.com/static/helvetica.06113bf7.ttf
Requested by
Host: pay.capitastar.com
URL: https://pay.capitastar.com/umi.d403f1ae.css
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
20.43.173.20 Singapore, Singapore, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/
Resource Hash
5f865ddf37549ae44630b13a501f813086e2ae974adc86b97337cd9ee4b1e4ff
Security Headers
Name Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block

Request headers

Referer
https://pay.capitastar.com/umi.d403f1ae.css
Origin
https://pay.capitastar.com
accept-language
zh-SG,zh;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36

Response headers

Date
Mon, 08 Jan 2024 05:06:31 GMT
Strict-Transport-Security
max-age=15724800; includeSubDomains
X-Content-Type-Options
nosniff
Content-Security-Policy
default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Content-Encoding
gzip
X-Permitted-Cross-Domain-Policies
none
Transfer-Encoding
chunked
Connection
keep-alive
X-XSS-Protection
1; mode=block
Pragma
no-cache
Referrer-Policy
same-origin
Last-Modified
Fri, 24 Nov 2023 07:24:27 GMT
Vary
Accept-Encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options
Deny
Content-Type
application/x-font-ttf
Access-Control-Allow-Origin
*
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Expires
0

Verdicts & Comments Add Verdict or Comment

10 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| documentPictureInPicture string| routerBase object| webpackJsonp function| setImmediate function| clearImmediate object| regeneratorRuntime function| __NEXT_PRELOADREADY object| g_umi function| reloadAuthorized object| lastApiTime

4 Cookies

Domain/Path Name / Value
.cstar.sg/ Name: ApplicationGatewayAffinity
Value: 84998525af2692d471a1bc94f916ccc39e0f9a7a7df8c65bec17b5610b03858c
.cstar.sg/ Name: ApplicationGatewayAffinityCORS
Value: 84998525af2692d471a1bc94f916ccc39e0f9a7a7df8c65bec17b5610b03858c
pay.capitastar.com/ Name: CSCOOKIE
Value: 17474dd76ef58c59904f60f5a354e7a4|4bd5b50d4d52de02f66cb45135d50183
.capitastar.com/ Name: mp_b9bd268b2337dae4296945fb8a4ef7cc_mixpanel
Value: %7B%22distinct_id%22%3A%20%2218ce77716e8646-028fb2f5f7098-6b3d5753-1d4c00-18ce77716e9a1a%22%2C%22%24device_id%22%3A%20%2218ce77716e8646-028fb2f5f7098-6b3d5753-1d4c00-18ce77716e9a1a%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header Value
Content-Security-Policy default-src 'self' https://api-js.mixpanel.com *.capitastar.com *.dc.capitaland.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.capitastar.com https://diaochan.capitastar.com https://storacctcstartableprod.blob.core.windows.net data:; frame-src 'self' https://www.google.com; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; child-src 'self' blob:
Strict-Transport-Security max-age=15724800; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options Deny
X-Xss-Protection 1; mode=block