Dries Buytaert

HTTP Headers Analyzer

2 / 10
Website → Browser
3 missing headers, 3 warnings, 7 notices
alt-svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
  Used to promote alternative services through which the same resource can be retrieved.
  h3 stands for HTTP/3. The number after the dash indicates the draft; e.g. h3-27 would be draft 27 of the HTTP/3 protocol.
  ma is the number of seconds the alternative service is considered fresh.

cache-control: private, no-cache, no-store, must-revalidate
  private means the page can only be stored by the browser, not by CDNs, Varnish or any other shared cache.
  no-cache means the response can be stored by any cache, but the stored page must be validated with the origin before it can be served. If the origin confirms that the page has not changed, downloading the body can be skipped.
  Warning: no-cache will cause a roundtrip to the origin web server for every request. Consider using public to avoid roundtrips and improve caching.
  Warning: no-store means the response may not be stored in any cache, including the browser's cache.
  must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.
  Notice: It does not make sense to set must-revalidate with no-store; when nothing is cached, there is nothing to revalidate.
  Notice: It does not make sense to set must-revalidate with no-cache; must-revalidate is implied.
  Notice: no-store is set, so it does not make sense to set no-cache as well.
  Notice: no-store is set, so it does not make sense to set private as well.

content-type: text/html; charset="utf-8"

expires: sat, 01 jan 2000 00:00:00 gmt
  This Expires date is in the past: the page is considered stale and will be removed from all caches.
  Missing: The Cache-Control header, introduced in HTTP/1.1, supersedes the Expires header. Use a Cache-Control header with a max-age directive instead of Expires. Cache-Control is more powerful and also more efficient, in that it can avoid roundtrips to the origin server.

pragma: no-cache
  Warning: The page can't be cached by any shared caches such as Varnish or a CDN. If the page is something everybody can access, this behavior is not desired.
  Notice: Pragma is an HTTP/1.0 header. This request uses HTTP/1.1. In HTTP/1.1, Pragma is deprecated and superseded by the Cache-Control header. Remove Pragma to save bandwidth and processing power.

strict-transport-security: max-age=15552000; preload
  The Strict-Transport-Security header, or HSTS header, is used to instruct browsers to only use HTTPS instead of HTTP.
  max-age is the time, in seconds, that the browser should remember to use HTTPS only.
  preload recommends the domain for inclusion in browsers' preload lists. If accepted, the domain would get hardcoded into browsers as HTTPS-only.
  Notice: In order to be eligible for preloading, max-age must be at least 31,536,000 seconds (roughly 1 year).

transfer-encoding: chunked
  Specifies how the resource is transferred. Not to be confused with Content-Encoding, which specifies how the body is compressed. chunked means that the data is sent in chunks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.

vary: accept-encoding
  A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request to the origin server. All the headers specified by Vary must match those of the cached response.

x-fb-debug: glk5znp6geenrge7rzau/kej+bg62idukroos6oqiqasmb2y3jkjsputf58ad40clwreqyanslih3no7nynb4q==

x-frame-options: deny
  X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
  deny means that this page can never be displayed in an iframe. It's the most secure option.

x-xss-protection: 0
  Notice: It is recommended to use Content-Security-Policy instead of X-XSS-Protection. Some browsers, like Firefox, refuse to support X-XSS-Protection. Content-Security-Policy is more advanced, a W3C recommendation, and supported by all modern browsers.

content-security-policy: (missing)
  Missing: Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross-site scripting (XSS) and data injection attacks.

referrer-policy: (missing)
  Missing: Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed on to an external destination.
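The contradictory-directive checks the report applies to Cache-Control, together with the HSTS preload rule, reimplemented as an added Python example. This is not the analyzer's own code; the function names and the wording of the findings are my own, and the sample values are the ones from the report above.

```python
from __future__ import annotations

HSTS_PRELOAD_MIN_AGE = 31_536_000  # one year in seconds: the preload eligibility threshold


def parse_directives(value: str, sep: str = ",") -> dict[str, str | None]:
    """Split a header value into lower-cased directives: 'max-age=3600, private' -> {'max-age': '3600', 'private': None}."""
    directives: dict[str, str | None] = {}
    for part in value.split(sep):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def analyze_cache_control(value: str) -> list[str]:
    """Return the Warning/Notice findings for one Cache-Control value, in the order the report lists them."""
    d = parse_directives(value)
    findings: list[str] = []
    if "no-cache" in d:
        findings.append("Warning: no-cache forces a revalidation roundtrip to the origin on every request")
    if "no-store" in d:
        findings.append("Warning: no-store forbids storing the response in any cache, including the browser's")
    if "must-revalidate" in d and "no-store" in d:
        findings.append("Notice: must-revalidate with no-store is pointless; nothing is cached, so nothing is revalidated")
    if "must-revalidate" in d and "no-cache" in d:
        findings.append("Notice: must-revalidate is already implied by no-cache")
    for redundant in ("no-cache", "private"):  # both are subsumed by no-store
        if "no-store" in d and redundant in d:
            findings.append(f"Notice: {redundant} is redundant once no-store is set")
    return findings


def analyze_hsts(value: str) -> list[str]:
    """Check the Strict-Transport-Security preload eligibility rule (max-age of at least one year)."""
    d = parse_directives(value, sep=";")
    findings: list[str] = []
    max_age = d.get("max-age")
    if "preload" in d and (max_age is None or not max_age.isdigit() or int(max_age) < HSTS_PRELOAD_MIN_AGE):
        findings.append(f"Notice: preload requires a max-age of at least {HSTS_PRELOAD_MIN_AGE} seconds")
    return findings


if __name__ == "__main__":
    # Constructed sample: the header values the report above analyzed.
    for name, value, check in (
        ("cache-control", "private, no-cache, no-store, must-revalidate", analyze_cache_control),
        ("strict-transport-security", "max-age=15552000; preload", analyze_hsts),
    ):
        print(name)
        for finding in check(value):
            print("  " + finding)
```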

Questions or feedback? Email dries@buytaert.net.