Dries Buytaert

HTTP Headers Analyzer

9 / 10
Drupal → Acquia Cloud → Varnish → CloudFlare → Browser
0 missing headers, 0 warnings, 3 notices
Header
Value
Explanation
age
1756
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.
cache-control
max-age=1800, public, stale-if-error=21600, stale-while-revalidate=3600
public means the response may be stored by all caches, including browser caches.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
stale-while-revalidate instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.
stale-if-error instructs the browser to accept a stale response if the check for a fresh one fails. The value is the number of seconds the browser will accept a stale response for. This is good for reliability; e.g. when the origin goes down.
cf-cache-status
hit
The page was served from Cloudflare's cache.
cf-ray
5f86d3c68f3b73f9-iad
A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.
Notice Cf-Ray is deprecated and no longer guaranteed to be unique. Cf-Request-Id is the new preferred header.
cf-request-id
06a822b013000073f9ab309000000001
A unique request identifier generated by Cloudflare. Cloudflare's customer support can use this ID to trace a request through its network.
content-security-policy
upgrade-insecure-requests; default-src 'self' *.youtube-nocookie.com *.ytimg.com;
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
upgrade-insecure-requests instructs browsers to replace insecure URLs (HTTP) with secure URLs (HTTPS).
content-type
text/html; charset=utf-8
etag
w/"1606423843"
A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare Etag values to see if the page has changed and became stale. For example, a browsers will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values match, the web server sends back a 304 Not Modified status and no body. This particular Etag value starts with w/ which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.
feature-policy
accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; microphone 'none'; payment 'none'
Instructs a browser to selectively allow or deny certain browser APIs and features. It can help bolster security.
referrer-policy
origin
When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
origin means that the protocol, host, and port are shared. The path and query string are not shared.
server
cloudflare
Some of the software used to generate or serve this page.
strict-transport-security
max-age=15768000; includesubdomains
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
transfer-encoding
chunked
Specifies how the resource is transfered. Not to be confused with Content-Encoding which specifies how the request body is compressed. chunked means that the data is send in chuncks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
vary
cookie,accept-encoding
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
Notice Varying on cookie is often a bad practice, especially for anonymous visitors like this crawler. Make sure your cookie is not unique to each anonymous visitor or you'll have abysmal cache hit rates.
via
varnish
The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.
Notice The Via header uses an incorrect format. Each proxy needs to specify the version of the HTTP protocol used (e.g. 1.1). This does not impact caching.
x-ah-environment
prod
The Acquia Cloud environment that provides the page response. Usually prod, but could also include values such as dev or stage.
x-cache
hit
The page was served from a cache.
x-cache-hits
10
The number of times this page has been served from the Varnish cache. Higher numbers are better.
x-drupal-dynamic-cache
hit
The page was served from Drupal's "dynamic page cache". This is a special cache that can cache pages minus the personalized parts. It makes it possible to cache pages with dynamic content.
x-frame-options
sameorigin
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in a iframe, but only on the currrent origin. It can't be displayed on another domain. Consider setting this to deny for added security.
x-generator
drupal 9 (https://www.drupal.org)
Some of the software used to generate or serve this page.
x-request-id
v-0cff6052-3029-11eb-8e91-ebcf1a5951c5
When Acquia Cloud receives a web request, it assigns each request a unique request ID and preserves that request ID across different log files.
x-xss-protection
1; mode=block
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.

Questions or feedback? Email dries@buytaert.net.