9 / 10
0 missing headers, 0 warnings, 3 notices
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by
max-age=1800, public, stale-if-error=21600, stale-while-revalidate=3600
publicmeans the response may be stored by all caches, including browser caches.
max-agespecifies the maximum amount of seconds a page is considered valid. The higher
max-age, the longer a page can be cached.
stale-while-revalidateinstructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.
stale-if-errorinstructs the browser to accept a stale response if the check for a fresh one fails. The value is the number of seconds the browser will accept a stale response for. This is good for reliability; e.g. when the origin goes down.
The page was served from Cloudflare's cache.
A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.
Cf-Rayis deprecated and no longer guaranteed to be unique.
Cf-Request-Idis the new preferred header.
upgrade-insecure-requests; default-src 'self' *.youtube-nocookie.com *.ytimg.com;
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-srcdefines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
upgrade-insecure-requestsinstructs browsers to replace insecure URLs (HTTP) with secure URLs (HTTPS).
A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare
Etagvalues to see if the page has changed and became stale. For example, a browsers will send the
ETagvalue of a cached page in an
If-None-Matchheader. The web server compares the
ETagvalue sent by the browser with the
ETagvalue of the current version of the page. If both values match, the web server sends back a
304 Not Modifiedstatus and no body. This particular
Etagvalue starts with
w/which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.
accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=(), interest-cohort=()
Instructs a browser to selectively allow or deny certain browser APIs and features. It helps improve security.
When a visitor navigates from one page to another page, browsers often pass along referrer information. The
Referrer-Policyheader controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-originmeans that the protocol, host, port, path and query string are shared for same-site requests. For cross-site requests, protocol, host, and port are shared, but only when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS). For cross-site requests where the protocol becomes less secure (HTTPS → HTTP), nothing is shared.
Some of the software used to generate or serve this page.
Strict-Transport-Securityheader or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-ageis the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomainsinstructs the browser that all subdomains are HTTPS-only as well.
Specifies how the resource is transfered. Not to be confused with
Content-Encodingwhich specifies how the request body is compressed.
chunkedmeans that the data is send in chuncks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by
Varymust match with those of the cached response.
Viaheader tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the
Viaheader uses an incorrect format. Each proxy needs to specify the version of the HTTP protocol used (e.g. varnish/1.1).
The type of Acquia Cloud environment that generated this page; could be a production, development, or staging environment.
The page was served from a cache.
The number of times this page has been served from the Varnish cache. Higher numbers are better.
The page was served from Drupal's "dynamic page cache". This is a special cache that can cache pages minus the personalized parts. It makes it possible to cache pages with dynamic content.
X-Frame-Optionsprevents this URL from being embedded in an
iframe. This protects against clickjacking attacks.
sameoriginmeans that this page can be displayed in a
iframe, but only on the currrent origin. It can't be displayed on another domain. Consider setting this to
denyfor added security.
drupal 9 (https://www.drupal.org)
Some of the software used to generate or serve this page.
When Acquia Cloud receives a web request, it assigns each request a unique request ID and preserves that request ID across different log files.
1; mode=blockenables the browser's cross-site scripting (XSS) filtering. Browsers that support
X-Xss-Protectionwill stop rendering the page when an attack is detected.
Notice Add a
Content-Lengthheader. Without it some servers will respond with 400 (bad request) or terminate connections early.
Questions or feedback? Email firstname.lastname@example.org.