Dries Buytaert

HTTP Headers Analyzer

9 / 10
Drupal → Acquia Cloud → Varnish → CloudFlare → Browser
0 missing headers, 0 warnings, 3 notices
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.
max-age=10800, public, stale-if-error=21600, stale-while-revalidate=3600
public means the response may be stored by all caches, including browser caches.
max-age specifies the maximum number of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
stale-while-revalidate instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.
stale-if-error instructs the browser to accept a stale response if the check for a fresh one fails. The value is the number of seconds the browser will accept a stale response for. This is good for reliability; e.g. when the origin goes down.
The page was served from Cloudflare's cache.
A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.
Notice: Cf-Ray is deprecated and no longer guaranteed to be unique. Cf-Request-Id is the new preferred header.
base-uri 'self'; upgrade-insecure-requests; default-src 'self' *.youtube-nocookie.com *.ytimg.com;
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
base-uri defines which URLs can be used in the document's <base> element.
upgrade-insecure-requests instructs browsers to replace insecure URLs (HTTP) with secure URLs (HTTPS).
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare ETag values to see if the page has changed and become stale. For example, a browser will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values match, the web server sends back a 304 Not Modified status and no body. This particular ETag value starts with "w/", which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.
accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=(), interest-cohort=()
Instructs a browser to selectively allow or deny certain browser APIs and features. It helps improve security.
When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-origin means that the protocol, host, port, path and query string are shared for same-site requests. For cross-site requests, protocol, host, and port are shared, but only when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS). For cross-site requests where the protocol becomes less secure (HTTPS → HTTP), nothing is shared.
Some of the software used to generate or serve this page.
max-age=15768000; includesubdomains
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
Specifies how the resource is transferred. Not to be confused with Content-Encoding, which specifies how the message body is compressed. chunked means that the data is sent in chunks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.
Notice: The Via header uses an incorrect format. Each proxy needs to specify the version of the HTTP protocol used (e.g. varnish/1.1).
The type of Acquia Cloud environment that generated this page; could be a production, development, or staging environment.
The page was served from a cache.
The number of times this page has been served from the Varnish cache. Higher numbers are better.
The page was not found in Drupal's "dynamic page cache". This is a special cache that can cache pages minus the personalized parts. It makes it possible to cache pages with dynamic content.
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in an iframe, but only on the current origin. It can't be displayed on another domain. Consider setting this to deny for added security.
drupal 9 (https://www.drupal.org)
Some of the software used to generate or serve this page.
When Acquia Cloud receives a web request, it assigns each request a unique request ID and preserves that request ID across different log files.
1; mode=block
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
Notice: Add a Content-Length header. Without it, some servers will respond with 400 (bad request) or terminate connections early.

Questions or feedback? Email dries@buytaert.net.