HTTP Headers Analyzer
6 / 10
https://muhammadseo8.gumroad.com/
WordPress → CloudFlare → Browser6 missing headers, 1 warnings, 4 notices
The site is using a CDN, but the HTML page is not cached.
Header
Value
Explanation
date
tue, 24 feb 2026 04:52:43 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age or Expires.cf-ray
9d2c5aed2d200cef-iad
The
cf-ray header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.x-revision
b17c8d945758
x-gr
prod
vary
x-inertia, origin
The
Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.link
<https://assets.gumroad.com/packs/css/design-16442c44.css>; rel=preload; as=style; crossorigin=anonymous; nopush,<https://assets.gumroad.com/assets/application-cbf244e9109e70d7b04497041636f00173a1e588f9b879b3a3ef11f8dfb86e5c.js>; rel=preload; as=script; nopush
rel="preload" informs the browser that the page intends to download the specified resource. To reduce latency and optimize performance, the browser is encouraged to start the download process immediately, rather than waiting for the body of the page to be downloaded and parsed.cache-control
max-age=0, private, must-revalidate
private means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.max-age=0 with must-revalidate means caching is disabled and all requests must be validated with the origin server.set-cookie
_gumroad_guid=a4a27948-bc33-4012-8c0c-32c5b37647ee; domain=gumroad.com; path=/; expires=sun, 24 feb 2036 04:52:43 gmt; httponly; samesite=lax; secure
A cookie that was sent from the server to the browser.
Notice
expires= sets the maximum lifetime of the cookie using a specific date.domain= sets the domain to which the cookie will be sent.path= indicates the path that must exist in the requested URL for the browser to send the cookie.Notice
samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.set-cookie
xsrf-token=04_zdmxnk3szylvns2n89zcejc-ngzl8d-ux9zuhshapdqrkzom_tedznqzvtuwol5t92cvobaop8eapgrk_xa; path=/; samesite=lax; secure; httponly
A cookie that was sent from the server to the browser.
Notice
path= indicates the path that must exist in the requested URL for the browser to send the cookie.Notice
samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.set-cookie
_gumroad_app_session=ekl4ez5s3spnmdplfl21vkhbbdkthgdytdfgatfn57osvllsaipw97g7wa3qwocsau9wqrejot6bmkp8ipucsfucmds0zhfof5qslpkkgr15fol4gw1rlht5fjejstpjjpzdvwf%2bvqs5teupmsjxbtojl%2b1sigadu7lni6gffvbeqrrm36kr%2blprtl%2fy9ueknyeko%2bxfuyohgfoz4uny%2bz3c0knkomt9fuoz8ugssgddyxudquablscoloijzm8awei7azu%2fgcidax%2bnqxoxsyg1l4bqyybizibvc1gxdksfysol%2bkmpnuqnnjepzviivyp5jf5bj3cyc0n3co6fd7r32rb%2fkzt1v7b67jai%2byupbzwdiysg7vby7ak5ew%3d%3d--c83uhrh3kx5jwo8v--fodgod1f9dre4l6gbrbw3w%3d%3d; domain=gumroad.com; path=/; expires=tue, 24 mar 2026 04:52:43 gmt; secure; httponly; samesite=lax
A cookie that was sent from the server to the browser.
Notice
expires= sets the maximum lifetime of the cookie using a specific date.domain= sets the domain to which the cookie will be sent.path= indicates the path that must exist in the requested URL for the browser to send the cookie.Notice
samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.x-request-id
0e3a3508-87a8-44a6-97db-e62937b45bef
A unique identifier for the HTTP request. This can be useful for tracking a request through complex systems or for debugging purposes.
x-runtime
0.028050
Indicates the time taken to generate the response on the server, typically in seconds. This can be useful for performance monitoring and debugging.
x-original-headers-class
rack::headers
x-content-type-options
nosniff
The
The value
X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.The value
nosniff is correctly set, providing protection against MIME type sniffing attacks.x-xss-protection
1; mode=block
This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
1 enables the browser's cross-site scripting (XSS) filtering.mode=block instructs the browser to block the response if a XSS attack is detected, instead of sanitizing the page.x-download-options
noopen
Alters the download dialog by removing the "Open with" option. Only supported by Internet Explorer.
x-permitted-cross-domain-policies
none
Instructs clients like Flash and Acrobat Reader what cross-domain policy they have to use.
none is the most secure setting. Data can't be shared across domains.content-security-policy
default-src https 'self'; child-src * data: blob:; connect-src 'self' blob: www.dropbox.com api.dropboxapi.com s3.amazonaws.com/gumroad s3.amazonaws.com/gumroad/ s3.amazonaws.com/gumroad-public-storage s3.amazonaws.com/gumroad-public-storage/ gumroad-public-storage.s3.amazonaws.com gumroad-public-storage.s3.amazonaws.com/ www.google.com www.gstatic.com *.facebook.com *.facebook.net *.google-analytics.com *.g.doubleclick.net *.googletagmanager.com analytics.google.com *.analytics.google.com files.gumroad.com/ d1bdh6c3ceakz5.cloudfront.net/ *.braintreegateway.com www.paypalobjects.com *.paypal.com *.braintree-api.com iframe.ly help.gumroad.com gumroad.com wss://cable.gumroad.com assets.gumroad.com; font-src * data: blob:; frame-src * data: blob:; img-src * data: blob:; media-src * data: blob:; object-src * data: blob:; script-src 'self' 'unsafe-eval' ajax.cloudflare.com static.cloudflareinsights.com js.stripe.com api.stripe.com connect-js.stripe.com *.braintreegateway.com *.braintree-api.com www.paypalobjects.com *.paypal.com *.google-analytics.com *.googletagmanager.com optimize.google.com www.googleadservices.com www.google.com www.gstatic.com *.facebook.net *.facebook.com www.dropbox.com s.ytimg.com cdn.iframe.ly platform.twitter.com cdn.jwplayer.com *.jwpcdn.com gumroad.us3.list-manage.com analytics.twitter.com help.gumroad.com unpkg.com/@lottiefiles/lottie-player@latest/ gumroad.com assets.gumroad.com 'nonce-fn4irtu0na6qifhdqc5oqbadmu1sbkcewhsptugpwty=' 'unsafe-inline'; style-src 'self' 'unsafe-inline' s.ytimg.com optimize.google.com fonts.googleapis.com assets.gumroad.com; worker-src * data: blob:
The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
Notice Consider adding the
default-src sets the default policy for fetching resources like JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.script-src specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.style-src defines what CSS stylesheets are allowed to be loaded.media-src defines what <audio>, <video> and <track> elements are allowed to be loaded.img-src defines what images and favicons can be loaded.worker-src defines what workers scripts (e.g. Worker, ServiceWorker or SharedWorker) can be loaded and executed.font-src defines what fonts can be loaded using CSS's font-face.frame-src defines what <frame> and <iframe> elements can be loaded.child-src defines what <frame>, <iframe> or workers can be loaded.Notice Consider adding the
upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.cf-cache-status
dynamic
Warning The
dynamic status indicates that Cloudflare did not cache the requested HTML page, similar to a "cache miss". By default, Cloudflare caches static assets such as images, CSS, and JavaScript but excludes HTML due to its dynamic nature. To cache HTML content, change the 'Cache Level' setting from dynamic to cache everything in Cloudflare. This adjustment allows HTML pages to be cached, leveraging Cloudflare's global network for faster and more efficient content delivery.server
cloudflare
alt-svc
h3=":443"; ma=86400
The
alt-svc header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.h3 indicates that HTTP/3 is supported. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.ma=86400 specifies that the alternative service information is fresh for 86400 seconds.strict-transport-security
missing Add a
Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.referrer-policy
missing Add a
Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy header to opt-in into better browser isolation.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy header to specify who can load this page.Questions or feedback? Email dries@buytaert.net.