HTTP Headers Analyzer
6 / 10
https://seonews1977.blogspot.com
Website → Browser7 missing headers, 1 warnings, 2 notices
Header
Value
Explanation
date
mon, 23 dec 2024 15:00:58 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.expires
mon, 23 dec 2024 15:00:58 gmt
The date and time after which the page should be considered stale and all caches should be refreshed.
Notice Because there is a
Notice Because there is a
Cache-Control
header with a max-age
and/or s-maxage
directive, the Expires
header will be ignored. Consider removing Expires
to save bandwidth and processing power.cache-control
private, max-age=0
private
means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.max-age
specifies the maximum amount of seconds a page is considered valid. The higher max-age
, the longer a page can be cached.Warning Because
max-age
is set to 0 seconds, nothing will ever be cached in shared caches or browsers. Caching is effectively disabled!x-content-type-options
nosniff
The
The value
X-Content-Type-Options
header, when set to nosniff
, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.The value
nosniff
is correctly set, providing protection against MIME type sniffing attacks.x-frame-options
sameorigin
X-Frame-Options
prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks.sameorigin
means that this page can be displayed in a iframe
, but only on the currrent origin. It can't be displayed on another domain. Consider setting this to deny
for added security.content-security-policy
frame-ancestors 'self'
The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
Notice Consider adding the
frame-ancestors
defines what parents may embed a page using <frame>
, <iframe>
, <object>
, <embed>
or <applet>
.Notice Consider adding the
upgrade-insecure-requests
directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.x-xss-protection
1; mode=block
This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
1
enables the browser's cross-site scripting (XSS) filtering.mode=block
instructs the browser to block the response if a XSS attack is detected, instead of sanitizing the page.server
gse
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
The
alt-svc
header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.h3
indicates that HTTP/3 is supported. Variants like h3-29
refer to specific drafts of the HTTP/3 protocol.ma=2592000
specifies that the alternative service information is fresh for 2592000 seconds.ma=2592000
specifies that the alternative service information is fresh for 2592000 seconds.accept-ranges
none
Used by the server to advertise its support of partial HTTP requests. The browser can ask for a range or subset of the response body. It's a feature that allows a browser to resume an interrupted download.
bytes
is the only range unit currently supported. none
means that the server does not support range requests.vary
accept-encoding
The
Vary
header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.strict-transport-security
missing Add a
Strict-Transport-Security
header. The Strict-Transport-Security
header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy
header to specify who can load this page.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.