HTTP Headers Analyzer
7 / 10
https://disqus.com/by/disqus_bHe7W7uZeU/about
Website → Nginx → Browser7 missing headers, 0 warnings, 3 notices
Header
Value
Explanation
connection
keep-alive
Specifies whether the network connection stays open after the current request.
keep-alive
specifies that the browser would like to keep the connection open, while close
indicates that the browser wants to close the connection.content-length
5159
The size of the message body, in bytes.
server
nginx
p3p
cp="dsp idc cur adm deli stp nav com uni int phy dem"
P3P
stands for Platform for Privacy Preferences. It is used to specify a privacy policy in a machine-readable way. The privacy policy is described in a compact format using tokens. A browser can use the information to inform readers about the website's privacy practices. Unfortunately, it is not well supported by current browsers.cache-control
stale-while-revalidate=3600, public, max-age=300
public
means the response may be stored by all caches, including browser caches, CDNs, and shared caches.max-age
specifies the maximum amount of seconds a page is considered valid. The higher max-age
, the longer a page can be cached.stale-while-revalidate
instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.x-content-type-options
nosniff
The
The value
X-Content-Type-Options
header, when set to nosniff
, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.The value
nosniff
is correctly set, providing protection against MIME type sniffing attacks.x-xss-protection
1; mode=block
This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
Notice While this header provides some protection, it's recommended to use
1
enables the browser's cross-site scripting (XSS) filtering.mode=block
instructs the browser to block the response if a XSS attack is detected, instead of sanitizing the page.Notice While this header provides some protection, it's recommended to use
Content-Security-Policy
instead, as it offers more comprehensive and flexible protection against XSS and other injection attacks.age
0
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by
max-age
or s-maxage
in the Cache-Control
header.date
mon, 23 dec 2024 02:13:47 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.cross-origin-resource-policy
cross-origin
The
Notice
Cross-Origin-Resource-Policy
header is part of the Fetch metadata request headers. It controls how resources can be shared across origins, enhancing security by preventing unauthorized access to resources.Notice
cross-origin
means the resource can be loaded by documents from any origin. This is the least secure option.strict-transport-security
max-age=300; includesubdomains
The
Notice For optimal security, consider increasing
Strict-Transport-Security
header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.max-age
specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.Notice For optimal security, consider increasing
max-age
to at least 31,536,000 seconds (1 year), especially if you're considering preloading.includesubdomains
instructs the browser that all subdomains are HTTPS-only as well.content-security-policy
missing Add a
Content-Security-Policy
header. The Content-Security-Policy
header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.x-frame-options
missing Add a
X-Frame-Options
header. The X-Frame-Options
header prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy
header with a frame-ancestor
directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.