HTTP Headers Analyzer
6 / 10
https://bit.ly/4gH1uuD
Website → CloudFlare → Browser9 missing headers, 1 warnings, 0 notices
Header
Value
Explanation
date
mon, 30 dec 2024 17:16:08 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.cf-ray
8fa3ad06eda7c953-iad
The
cf-ray
header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.cf-cache-status
dynamic
Warning The
dynamic
status indicates that Cloudflare did not cache the requested HTML page, similar to a "cache miss". By default, Cloudflare caches static assets such as images, CSS, and JavaScript but excludes HTML due to its dynamic nature. To cache HTML content, change the 'Cache Level' setting from dynamic
to cache everything
in Cloudflare. This adjustment allows HTML pages to be cached, leveraging Cloudflare's global network for faster and more efficient content delivery.set-cookie
__cf_bm=72fpeh_qwo4oy.e4h4ogmx6349jv9ulp6hsukwsgrvq-1735578968-1.0.1.1-5b_oelhvhqkstdp18ya1n0adyuwglnrt2cdcnwx0ixpt3td2rhlc12yrdnko.k7hu_tx8vnblzuua9cwfylr0g; path=/; expires=mon, 30-dec-24 17:46:08 gmt; domain=.weebly.com; httponly; secure
A cookie that was sent from the server to the browser.
expires=
sets the maximum lifetime of the cookie using a specific date.domain=
sets the domain to which the cookie will be sent.path=
indicates the path that must exist in the requested URL for the browser to send the cookie.secure
instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.httponly
forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.cf_bm
is a cookie set by Cloudflare to support bot management. This is a technical cookie; it's exempt from GDPR and doesn't need user consent.server
cloudflare
strict-transport-security
missing Add a
Strict-Transport-Security
header. The Strict-Transport-Security
header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.content-security-policy
missing Add a
Content-Security-Policy
header. The Content-Security-Policy
header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy
header to specify who can load this page.x-frame-options
missing Add a
X-Frame-Options
header. The X-Frame-Options
header prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy
header with a frame-ancestor
directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.