HTTP Headers Analyzer
6 / 10
https://www.bitsdujour.com/profiles/HhL8qG
Website → Browser10 missing headers, 1 warnings, 1 notices
Header
Value
Explanation
cache-control
private
private
means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.content-length
346502
The size of the message body, in bytes.
expires
mon, 10 mar 2025 11:18:27 gmt
This
missing The
Expires
date is in the past: the page is considered stale and will be removed from all caches.missing The
Cache-Control
header, introduced in HTTP/1.1, supersedes the Expires
header. Use a Cache-Control
header with a max-age
directive instead of Expires
. Cache-Control
is more powerful, but also more efficient in that it avoids roundtrips to the origin server.server
microsoft-iis/10.0
set-cookie
asp.net_sessionid=c5oohwsf3xk0d5ej03d2zqlq; domain=.bitsdujour.com; path=/; httponly; samesite=lax
A cookie that was sent from the server to the browser.
Notice
domain=
sets the domain to which the cookie will be sent.path=
indicates the path that must exist in the requested URL for the browser to send the cookie.Notice
samesite=lax
instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict
.httponly
forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.p3p
cp="iva con our ind dsp idc cor"
P3P
stands for Platform for Privacy Preferences. It is used to specify a privacy policy in a machine-readable way. The privacy policy is described in a compact format using tokens. A browser can use the information to inform readers about the website's privacy practices. Unfortunately, it is not well supported by current browsers.x-aspnet-version
4.0.30319
Some of the software used to generate or serve this page.
Warning Sharing too many details about a server or web application makes it easier for hackers to target a website. Avoid specific version numbers such as 4.0.30319, especially when running software that is end-of-life and/or has known security bugs. Consider removing this header. At a miminum, remove any version number.
Warning Sharing too many details about a server or web application makes it easier for hackers to target a website. Avoid specific version numbers such as 4.0.30319, especially when running software that is end-of-life and/or has known security bugs. Consider removing this header. At a miminum, remove any version number.
x-powered-by
asp.net
Some of the software used to generate or serve this page.
date
tue, 11 mar 2025 11:18:26 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.strict-transport-security
missing Add a
Strict-Transport-Security
header. The Strict-Transport-Security
header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.content-security-policy
missing Add a
Content-Security-Policy
header. The Content-Security-Policy
header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy
header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy
header to opt-in into better browser isolation.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy
header to specify who can load this page.x-frame-options
missing Add a
X-Frame-Options
header. The X-Frame-Options
header prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy
header with a frame-ancestor
directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.