HTTP Headers Analyzer
7 / 10
https://disqus.com/by/anasjaan/about
Website → Nginx → Browser7 missing headers, 0 warnings, 3 notices
Header
Value
Explanation
connection
keep-alive
Specifies whether the network connection stays open after the current request.
keep-alive
specifies that the browser would like to keep the connection open, while close
indicates that the browser wants to close the connection.content-length
5105
The size of the message body, in bytes.
server
nginx
p3p
cp="dsp idc cur adm deli stp nav com uni int phy dem"
P3P
stands for Platform for Privacy Preferences. It is used to specify a privacy policy in a machine-readable way. The privacy policy is described in a compact format using tokens. A browser can use the information to inform readers about the website's privacy practices. Unfortunately, it is not well supported by current browsers.cache-control
stale-while-revalidate=3600, public, max-age=300
public
means the response may be stored by all caches, including browser caches, CDNs, and shared caches.max-age
specifies the maximum amount of seconds a page is considered valid. The higher max-age
, the longer a page can be cached.stale-while-revalidate
instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.x-content-type-options
nosniff
The
The value
X-Content-Type-Options
header, when set to nosniff
, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.The value
nosniff
is correctly set, providing protection against MIME type sniffing attacks.x-xss-protection
1; mode=block
This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
Notice While this header provides some protection, it's recommended to use
1
enables the browser's cross-site scripting (XSS) filtering.mode=block
instructs the browser to block the response if a XSS attack is detected, instead of sanitizing the page.Notice While this header provides some protection, it's recommended to use
Content-Security-Policy
instead, as it offers more comprehensive and flexible protection against XSS and other injection attacks.age
180
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by
max-age
or s-maxage
in the Cache-Control
header.date
mon, 23 dec 2024 02:18:54 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.cross-origin-resource-policy
cross-origin
The
Notice
Cross-Origin-Resource-Policy
header is part of the Fetch metadata request headers. It controls how resources can be shared across origins, enhancing security by preventing unauthorized access to resources.Notice
cross-origin
means the resource can be loaded by documents from any origin. This is the least secure option.strict-transport-security
max-age=300; includesubdomains
The
Notice For optimal security, consider increasing
Strict-Transport-Security
header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.max-age
specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.Notice For optimal security, consider increasing
max-age
to at least 31,536,000 seconds (1 year), especially if you're considering preloading.includesubdomains
instructs the browser that all subdomains are HTTPS-only as well.content-security-policy
missing Add a
Content-Security-Policy
header. The Content-Security-Policy
header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.x-frame-options
missing Add a
X-Frame-Options
header. The X-Frame-Options
header prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy
header with a frame-ancestor
directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.