HTTP Headers Analyzer
6 / 10
https://theblogposts.site
Website → Browser10 missing headers, 1 warnings, 0 notices
Header
Value
Explanation
date
mon, 23 dec 2024 10:25:22 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.content-length
9973
The size of the message body, in bytes.
vary
accept-encoding
The
Vary
header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.server
hcdn
alt-svc
h3=":443"; ma=86400
The
alt-svc
header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.h3
indicates that HTTP/3 is supported. Variants like h3-29
refer to specific drafts of the HTTP/3 protocol.ma=86400
specifies that the alternative service information is fresh for 86400 seconds.x-hcdn-request-id
49d854ae8e036807947970edf8be42ec-asc-edge4
expires
mon, 23 dec 2024 10:25:21 gmt
The date and time after which the page should be considered stale and all caches should be refreshed.
missing The
missing The
Cache-Control
header, introduced in HTTP/1.1, supersedes the Expires
header. Use a Cache-Control
header with a max-age
directive instead of Expires
. Cache-Control
is more powerful, but also more efficient in that it avoids roundtrips to the origin server.cache-control
no-cache
no-cache
means the response can be stored by any cache, but the stored response must be validated with the origin server before each reuse. If the origin confirms that the response hasn't changed, downloading of the full response body can be skipped.Warning
no-cache
will cause a revalidation request to the origin server for every use of the cached response. Consider using public
with appropriate max-age
to improve caching efficiency.accept-ranges
bytes
Used by the server to advertise its support of partial HTTP requests. The browser can ask for a range or subset of the response body. It's a feature that allows a browser to resume an interrupted download.
bytes
is the only range unit currently supported. none
means that the server does not support range requests.strict-transport-security
missing Add a
Strict-Transport-Security
header. The Strict-Transport-Security
header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.content-security-policy
missing Add a
Content-Security-Policy
header. The Content-Security-Policy
header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy
header to specify who can load this page.x-frame-options
missing Add a
X-Frame-Options
header. The X-Frame-Options
header prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy
header with a frame-ancestor
directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.