Dries Buytaert

Explanation

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

The size of the message body, in bytes.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

P3P stands for Platform for Privacy Preferences. It is used to specify a privacy policy in a machine-readable way. The privacy policy is described in a compact format using tokens. A browser can use the information to inform readers about the website's privacy practices. Unfortunately, it is not well supported by current browsers.

This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
1 enables the browser's cross-site scripting (XSS) filtering.
mode=block instructs the browser to block the response if a XSS attack is detected, instead of sanitizing the page.
Notice While this header provides some protection, it's recommended to use Content-Security-Policy instead, as it offers more comprehensive and flexible protection against XSS and other injection attacks.

The X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.
The value nosniff is correctly set, providing protection against MIME type sniffing attacks.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.
Notice For optimal security, consider increasing max-age to at least 31,536,000 seconds (1 year), especially if you're considering preloading.

Specifies a link that might be of interest to the browser.

Instructs crawlers (e.g. Googlebot) how to crawl or index the content on this page. Possible options include: noindex, nofollow, noarchive, nosnippet, notranslate and more.

Instructs Internet Explorer what compatibility mode to use to render this page. For example, ie=9 specifies that the page should be rendered as if the user was using Internet Explorer 9, even if they use Internet Explorer 11 or later. It's basically a hack for working around compatibility issues between different versions of Internet Explorer.

Used by the server to advertise its support of partial HTTP requests. The browser can ask for a range or subset of the response body. It's a feature that allows a browser to resume an interrupted download. bytes is the only range unit currently supported. none means that the server does not support range requests.

missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.

missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.

missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.

missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.

missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestor directive.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.