Dries Buytaert

Explanation

Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Warning The server header exposes a specific version number (1.21.4). This makes it easier for attackers to find known vulnerabilities for that version. Remove or suppress the version number.

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
allow-from means that this page can be displayed in an iframe but only on the listed URLs.
Notice allow-from is deprecated. Use the Content-Security-Policy header with the frame-ancestors directive.

Indicates whether a browser can share this resource with other code.
The browser will only allow code from the specified origin to access this resource.

Indicates whether a browser can expose the request's credentials, including cookies and authorization headers, to frontend JavaScript code.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.
Notice No default-src directive is set. Without it, directives that are not explicitly defined have no fallback restriction.
Notice Consider adding base-uri 'self' or base-uri 'none' to prevent base tag injection, which can redirect relative URLs to an attacker-controlled domain.

A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare ETag values to see if the page has changed and has become stale. For example, a browser will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values are the same, the web server sends back a 304 Not Modified status and no body. This particular ETag value starts with W/ which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.

private means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.
max-age=0 with must-revalidate means caching is disabled and all requests must be validated with the origin server.

A cookie that was sent from the server to the browser.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
Warning samesite=none instructs the browser to send the cookie to all cross-site requests, such as on requests to load images or frames from other sites. This enables third-party sites to log cookie data. This could lead to data leaks and cross-site request forgery attacks. To improve security, set to samesite=strict or samesite=lax.
secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.
Notice This cookie is missing the httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
domain= sets the domain to which the cookie will be sent.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
Warning samesite=none instructs the browser to send the cookie to all cross-site requests, such as on requests to load images or frames from other sites. This enables third-party sites to log cookie data. This could lead to data leaks and cross-site request forgery attacks. To improve security, set to samesite=strict or samesite=lax.
secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.
Notice This cookie is missing the httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.

A unique identifier for the HTTP request. This can be useful for tracking a request through complex systems or for debugging purposes.

Indicates the time taken to generate the response on the server, typically in seconds. This can be useful for performance monitoring and debugging.

missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.

missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.

missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.

missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.

missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.