Dries Buytaert

HTTP Headers Analyzer

7 / 10
https://ahaiders-organization.gitbook.io/untitled
Website → CloudFlare → Browser
5 missing headers, 0 warnings, 2 notices
Header
Value
Explanation
date
mon, 14 jul 2025 20:34:07 gmt
The date and time at which the response was generated by the origin server. Caches use it, together with any Age header, to work out how old a response is instead of trusting the client's own clock; e.g. when comparing against max-age or Expires.
content-type
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
cf-ray
95f3cc8d5e58a0ca-iad
The cf-ray header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.
cache-control
s-maxage=1, stale-while-revalidate=2592000
s-maxage overrides the max-age directive (and the Expires header), but only for shared caches such as a CDN or Varnish, not for the browser cache. Here s-maxage=1 means Cloudflare treats the response as fresh for only one second, and since there is no max-age the browser receives no explicit freshness lifetime at all.
stale-while-revalidate allows a cache to keep serving an expired response while it fetches a fresh one in the background. The value is the number of seconds past expiry for which the stale copy may still be served; 2592000 is 30 days, so a shared cache may hand out a month-old copy of this page as long as it kicks off a revalidation, and a change or removal at the origin is not guaranteed to reach clients until that revalidation has happened.
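As an added example (not part of the analyzer's output), the script below works through how a shared cache such as a CDN and a browser cache each read the Cache-Control and Date values shown above, following the age and freshness rules of RFC 9111. The header values are the page's own; the clock offsets passed to state_after() are assumed for illustration.

```python
# Added example, not part of the analyzer's output: freshness arithmetic for the
# Cache-Control and Date headers shown on the page, for a shared (CDN) cache and
# for a private (browser) cache. Clock offsets given to state_after() are assumed.
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Values from the page (the analyzer prints header values in lower case; the
# original casing is restored here, parsing is case-insensitive either way).
DATE = "Mon, 14 Jul 2025 20:34:07 GMT"
CACHE_CONTROL = "s-maxage=1, stale-while-revalidate=2592000"


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return out


def freshness_lifetime(cc: Dict[str, Optional[str]], shared: bool) -> Optional[int]:
    """Seconds the response stays fresh for this kind of cache.

    s-maxage is honoured only by shared caches and overrides max-age there;
    a browser cache ignores it and falls back to max-age (absent on this page)."""
    if shared and cc.get("s-maxage") is not None:
        return int(cc["s-maxage"])
    if cc.get("max-age") is not None:
        return int(cc["max-age"])
    return None


def cache_state(cc: Dict[str, Optional[str]], date_header: str, now: datetime,
                shared: bool) -> str:
    """Classify the stored response at time `now` for a shared or private cache.

    Age is measured from the origin's Date header, not from the client's clock;
    a real cache would also add any Age header and the transit delay."""
    lifetime = freshness_lifetime(cc, shared)
    if lifetime is None:
        return "no-explicit-lifetime"      # cache needs heuristics or must revalidate
    age = (now - parsedate_to_datetime(date_header)).total_seconds()
    if age <= lifetime:
        return "fresh"
    swr = int(cc.get("stale-while-revalidate") or 0)
    if age <= lifetime + swr:
        return "stale-serve-while-revalidate"   # served now, refreshed in background
    return "stale"                               # must revalidate before reuse


def state_after(seconds: float, shared: bool) -> str:
    """State of the page's own response `seconds` after its Date header."""
    now = parsedate_to_datetime(DATE) + timedelta(seconds=seconds)
    return cache_state(parse_cache_control(CACHE_CONTROL), DATE, now, shared)


if __name__ == "__main__":
    for t in (0, 1, 2, 3600, 2592001, 2592002):
        print(f"+{t:>8}s  CDN: {state_after(t, True):<28} browser: {state_after(t, False)}")
```

Run as-is it prints the CDN moving from fresh to stale-serve-while-revalidate after one second and staying there for 30 days, while the browser never gets an explicit lifetime. The point for a reviewer is that the 30-day window is what governs how long a withdrawn or corrected page can keep being served from the edge on rarely requested paths.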
strict-transport-security
max-age=31536000
The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this host, preventing protocol downgrade attacks and the exposure of cookies over plaintext HTTP.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this host; 31536000 is one year. The value here carries neither includeSubDomains nor preload, so it covers only this exact hostname and only after a browser has already received it once over HTTPS; the very first visit is not protected unless the domain is on the browsers' HSTS preload list.
vary
rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, next-url, accept-encoding
The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.
Notice This request has many Vary headers. More headers decrease the likelihood of a cache hit.
content-security-policy
default-src 'self' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; img-src * 'self' blob: data:; connect-src *; font-src *; frame-src *; object-src 'none'; base-uri 'self' https://static-2c.gitbook.com; form-action 'self' https://static-2c.gitbook.com *; frame-ancestors https: ;
The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load. Read the value before taking comfort from its presence: every fetch directive here includes the wildcard *, and script-src additionally allows 'unsafe-inline' and 'unsafe-eval', so scripts may be loaded from any origin, inline event handlers and eval() are permitted, and the policy gives essentially no protection against XSS. The directives that do restrict something are object-src 'none' and base-uri. form-action also ends in *, which makes the two explicit sources before it meaningless, and frame-ancestors https: lets any HTTPS page frame this one, so clickjacking protection is nominal.
default-src sets the default policy for fetching resources like JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.
script-src specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
base-uri restricts which URLs may be used in the document's <base> element, which otherwise lets an injected tag redirect every relative URL on the page.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
img-src defines what images and favicons can be loaded.
font-src defines what fonts can be loaded using CSS's font-face.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
form-action defines what URLs can be used for form submissions.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.
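The following is an added example and not part of the analyzer's output: it parses the Content-Security-Policy value shown above and reports which directives actually restrict anything, then runs the same checks against a stricter policy for comparison. The policy string is the page's own; the checks encode standard CSP semantics (a * or bare-scheme source in script-src, or 'unsafe-inline' without a nonce or hash, defeats XSS mitigation) and are this editor's, not the analyzer's. The nonce in STRICT_CSP is an illustrative placeholder, not a value from the page.

```python
# Added example, not part of the analyzer's output: parse the page's CSP and
# flag the directives that decide XSS and clickjacking exposure. The checks are
# this editor's; the nonce in STRICT_CSP is a placeholder.
from typing import Dict, List, Tuple

# The policy exactly as the page shows it.
CSP = ("default-src 'self' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
       "style-src 'self' 'unsafe-inline' *; img-src * 'self' blob: data:; connect-src *; "
       "font-src *; frame-src *; object-src 'none'; "
       "base-uri 'self' https://static-2c.gitbook.com; "
       "form-action 'self' https://static-2c.gitbook.com *; frame-ancestors https: ;")

# A policy for the same page if scripts were nonced (placeholder nonce; a real
# one is random per response).
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
              "form-action 'self'")

# Directives that fall back to default-src when absent; the document and
# navigation directives (frame-ancestors, base-uri, form-action) never do.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "frame-src", "object-src", "media-src", "worker-src", "manifest-src"}
ANY_ORIGIN = {"*", "http:", "https:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directive names are case-insensitive; when a directive is repeated,
    browsers keep the first occurrence and ignore the rest."""
    out: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            out.setdefault(parts[0].lower(), parts[1:])
    return out


def effective_sources(csp: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in csp:
        return csp[directive]
    if directive in FETCH_DIRECTIVES:
        return csp.get("default-src", [])
    return []


def weaknesses(csp: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(directive, problem) pairs for the directives that decide XSS and
    clickjacking exposure. An empty result means these checks passed, not
    that the policy is strong in every respect."""
    findings: List[Tuple[str, str]] = []
    script = effective_sources(csp, "script-src")
    if ANY_ORIGIN & set(script):
        findings.append(("script-src", "any-origin"))
    nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present
    if "'unsafe-inline'" in script and not nonced:
        findings.append(("script-src", "unsafe-inline"))
    if "'unsafe-eval'" in script:
        findings.append(("script-src", "unsafe-eval"))
    if "'none'" not in effective_sources(csp, "object-src"):
        findings.append(("object-src", "not-none"))
    if "base-uri" not in csp:
        findings.append(("base-uri", "missing"))
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append(("frame-ancestors", "missing"))
    elif ANY_ORIGIN & set(ancestors):
        findings.append(("frame-ancestors", "any-origin"))
    if ANY_ORIGIN & set(csp.get("form-action", [])):
        findings.append(("form-action", "any-origin"))
    return findings


if __name__ == "__main__":
    for label, policy in (("page policy", CSP), ("strict policy", STRICT_CSP)):
        print(label, weaknesses(parse_csp(policy)) or "no findings")
```

Against the page's policy the checks report five findings, all of them on script-src, frame-ancestors and form-action; object-src and base-uri pass. Any other header value, for example one captured with curl -sI, can be passed to parse_csp() in the same way.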
referrer-policy
no-referrer-when-downgrade
When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
no-referrer-when-downgrade means that the protocol, host, port, path and query string are shared, including with other sites. It is only shared when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS) or improves (HTTP → HTTPS); when the protocol becomes less secure (HTTPS → HTTP), nothing is shared. Apart from unsafe-url this is the most permissive named policy: any third-party site linked from an HTTPS page receives the full URL. strict-origin-when-cross-origin, which current browsers apply by default when no header is set, sends only the origin to other sites and is the usual recommendation.
x-content-type-options
nosniff
The X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.
The value nosniff is correctly set, providing protection against MIME type sniffing attacks.
x-gitbook-route-site
ahaiders-organization.gitbook.io/untitled/
x-gitbook-route-type
static
x-gitbook-target
2c
x-next-cache-tags
_n_t_/layout,_n_t_/sites/layout,_n_t_/sites/static/layout,_n_t_/sites/static/[mode]/layout,_n_t_/sites/static/[mode]/[siteurl]/layout,_n_t_/sites/static/[mode]/[siteurl]/[sitedata]/layout,_n_t_/sites/static/[mode]/[siteurl]/[sitedata]/[pagepath]/layout,_n_t_/sites/static/[mode]/[siteurl]/[sitedata]/[pagepath]/page,_n_t_/sites/static/url-host/ahaiders-organization.gitbook.io%2funtitled%2f/(apitoken:eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.[...].jiwexjfuvtocwuzeft9kclu8bnh9s79mv4lrvpf588c,basepath:%2funtitled%2f,imagescontextid:ahaiders-organization.gitbook.io,organization:rgtxjojrs3bjcmesjm4c,site:site_q3sqj,sitebasepath:%2funtitled%2f,sitespace:sitesp_sawsn,space:'4gluuxdktxjy7sotipwc')/%2f,site:site_q3sqj,release:10.9.1292,space:4gluuxdktxjy7sotipwc
Notice This cache-tag value embeds an apitoken field whose three dot-separated segments have the shape of a JWT. Nothing on this page shows what, if anything, that token authorizes, so treat it as a check to run rather than a finding: confirm against the platform whether the value is a credential, and in general a response header used for cache invalidation should not carry one.
x-nextjs-stale-time
300
x-opennext-cache
stale
x-opennext-request-id
0.t9576wy5pzc
server
cloudflare
alt-svc
h3=":443"; ma=86400
The alt-svc header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.
h3 indicates that HTTP/3 is supported. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=86400 specifies that the alternative service information is fresh for 86400 seconds.
permissions-policy
missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.
cross-origin-embedder-policy
missing Add a Cross-Origin-Embedder-Policy header to control which cross-origin resources this page may embed: with require-corp, every cross-origin subresource must opt in through CORS or a Cross-Origin-Resource-Policy header. Together with Cross-Origin-Opener-Policy it enables cross-origin isolation, which browsers require before exposing SharedArrayBuffer and high-resolution timers.
cross-origin-opener-policy
missing Add a Cross-Origin-Opener-Policy header (for example same-origin) so that cross-origin pages which open this one, or which it opens, do not retain a window reference to it. This cuts off cross-window attacks such as tab-nabbing and is the other half of cross-origin isolation.
cross-origin-resource-policy
missing Add a Cross-Origin-Resource-Policy header to state which origins may load this response as a subresource (same-origin, same-site or cross-origin), so that other sites cannot pull it into their own process, e.g. for speculative side-channel attacks.
x-permitted-cross-domain-policies
missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.

Questions or feedback? Email dries@buytaert.net.