Dries Buytaert

Explanation

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

The size of the message body, in bytes.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
max-age= sets the maximum lifetime of the cookie in seconds.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
Notice samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.
secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.
httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.

The X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.
The value nosniff is correctly set, providing protection against MIME type sniffing attacks.

The X-Content-Type-Options header, when set to nosniff, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.
The value nosniff is correctly set, providing protection against MIME type sniffing attacks.

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-origin means that the protocol, host, port, path and query string are shared for same-site requests. For cross-site requests, protocol, host, and port are shared, but only when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS). For cross-site requests where the protocol becomes less secure (HTTPS → HTTP), nothing is shared.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.

missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.

missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.

missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.

missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestor directive.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.