Dries Buytaert

Explanation

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

The cf-ray header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.

s-maxage overrides max-age header, but only for shared caches (e.g. CDN, Varnish) and not for browser caches.
stale-while-revalidate instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.
Notice This request has many Vary headers. More headers decrease the likelihood of a cache hit.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
default-src sets the default policy for fetching resources like JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.
script-src specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
base-uri defines what URLs can be used in the <base> URL.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
img-src defines what images and favicons can be loaded.
font-src defines what fonts can be loaded using CSS's font-face.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
form-action defines what URLs can be used for form submissions.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
no-referrer-when-downgrade means that the protocol, host, port, path and query string are shared. It is only shared when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS) or improves (HTTP → HTTPS). When the protocol becomes less secure (HTTPS → HTTP), nothing is shared.

The X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.
The value nosniff is correctly set, providing protection against MIME type sniffing attacks.

The alt-svc header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.
h3 indicates that HTTP/3 is supported. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=86400 specifies that the alternative service information is fresh for 86400 seconds.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.

missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.

missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.