HTTP Headers Analyzer
4 / 10
https://facebook.com
WordPress → Browser3 missing headers, 3 warnings, 8 notices
Header
Value
Explanation
vary
accept-encoding
The
Vary
header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.reporting-endpoints
coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown&brsid=7524090308151605366&cpp=c3&cv=1024476753&st=1751838789150", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
report-to
{"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown&brsid=7524090308151605366&cpp=c3&cv=1024476753&st=1751838789150"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
This header is part of the Reporting API specification. They are used to configure the reporting of network errors and other issues to a specified endpoint.
The
The
Report-To
header specifies where reports should be sent.group
defines the reporting group. Groups allow reports to be grouped logically; e.g. there could be a group for network errors and a second group for browser feature deprecation reports.max_age
defines the number of seconds the browser should remember these settings. Prevents the browser from having to parse the JSON on each request.endpoints
defines one or more URLs where the reports need to be send to. Multiple URLs can be specified for failover and load-balancing. Endpoints can be assigned a weight
to distribute load, with each endpoint receiving a specified fraction of the reporting traffic. Endpoints can also be assigned a priority
to set up fallback collectors.include_subdomains
is a boolean that enables or disables NEL reporting for subdomains of the origin.content-security-policy
default-src blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src *.facebook.com *.fbcdn.net *.facebook.net 127.0.0.1:* 'nonce-ddsevr3r' blob: 'self' connect.facebook.net 'unsafe-eval' https://*.google-analytics.com *.google.com;style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline' https://fonts.googleapis.com;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com https://*.google-analytics.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com https://fonts.gstatic.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: *.whatsapp.net *.fb.com *.oculuscdn.com *.tenor.co *.tenor.com *.giphy.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/ https://www.googleadservices.com https://googleads.g.doubleclick.net https://*.google-analytics.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data: *.tenor.co *.tenor.com https://*.giphy.com;child-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net accounts.meta.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/ https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google.com https://td.doubleclick.net *.google.com *.doubleclick.net;manifest-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;object-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
default-src
sets the default policy for fetching resources like JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.script-src
specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script>
elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.object-src
defines what <object>
, <embed>
and <applet>
elements are allowed to be loaded and executed.style-src
defines what CSS stylesheets are allowed to be loaded.media-src
defines what <audio>
, <video>
and <track>
elements are allowed to be loaded.img-src
defines what images and favicons can be loaded.worker-src
defines what workers scripts (e.g. Worker
, ServiceWorker
or SharedWorker
) can be loaded and executed.font-src
defines what fonts can be loaded using CSS's font-face
.frame-src
defines what <frame>
and <iframe>
elements can be loaded.child-src
defines what <frame>
, <iframe>
or workers can be loaded.manifest-src
defines what manifest files can be loaded.upgrade-insecure-requests
instructs browsers to replace insecure URLs (HTTP) with secure URLs (HTTPS).document-policy
force-load-at-top
document-policy
include-js-call-stacks-in-crash-reports
permissions-policy
accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
Instructs a browser to selectively allow or deny certain browser APIs and features. It helps improve security.
cross-origin-resource-policy
same-origin
The
Cross-Origin-Resource-Policy
header is part of the Fetch metadata request headers. It controls how resources can be shared across origins, enhancing security by preventing unauthorized access to resources.same-origin
means the resource can only be loaded by documents from the same origin.cross-origin-opener-policy
same-origin-allow-popups
A Cross-Origin Opener Policy (COOP) header specifies how this page's browsing context can be shared when opened in a 'browser tab', 'popup', 'iframe', etc. The policy can force the creation of a new top-level browsing context to make sure the browser context is protected or isolated.
same-origin-allow-popups
specifies that if a popup is created, and the popup comes from the same origin, then we have full access to that popup.pragma
no-cache
Warning The page can't be cached by any shared caches such as Varnish or a CDN. If the page is something everybody can access, this behavior is not desired.
Notice
Notice
Pragma
is a HTTP/1.0 header. This request uses HTTP/1.1. In HTTP/1.1, Pragma
is deprecated and superseded by the Cache-Control
header. Remove Pragma
to save bandwidth and processing power.cache-control
private, no-cache, no-store, must-revalidate
private
means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.no-cache
means the response can be stored by any cache, but the stored response must be validated with the origin server before each reuse. If the origin confirms that the response hasn't changed, downloading of the full response body can be skipped.Warning
no-cache
will cause a revalidation request to the origin server for every use of the cached response. Consider using public
with appropriate max-age
to improve caching efficiency.Warning
no-store
means the response may not be stored in any cache, including the browser's cache.must-revalidate
indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.Notice It does not make sense to set
must-revalidate
with no-store
; when nothing is cached, there is nothing to revalidate.Notice It does not make sense to set
must-revalidate
with no-cache
; must-revalidate
is implied.Notice
no-store
is set, so it does not make sense to set no-cache
as well.Notice
no-store
is set, so it does not make sense to set private
as well.expires
sat, 01 jan 2000 00:00:00 gmt
This
Notice Because there is a
Expires
date is in the past: the page is considered stale and will be removed from all caches.Notice Because there is a
Cache-Control
header with a max-age
and/or s-maxage
directive, the Expires
header will be ignored. Consider removing Expires
to save bandwidth and processing power.x-content-type-options
nosniff
The
The value
X-Content-Type-Options
header, when set to nosniff
, prevents MIME type sniffing. This enhances security by ensuring browsers respect the declared Content-Type of the response, mitigating MIME confusion attacks.The value
nosniff
is correctly set, providing protection against MIME type sniffing attacks.x-xss-protection
0
This header enables the browser's built-in XSS protection. However, it's considered legacy and modern browsers may ignore it.
x-frame-options
deny
X-Frame-Options
prevents this URL from being embedded in an iframe
. This protects against clickjacking attacks.deny
means that this page can never be displayed in an iframe
. It's the most secure option.origin-agent-cluster
?1
A security header that enables or disables the "Origin-Agent-Cluster" isolation for a document. When set to "?1", it indicates that the document should be placed in an origin-keyed agent cluster, which can enhance security isolation.
strict-transport-security
max-age=15552000; preload
The
Notice For optimal security, consider increasing
Notice In order to be eligible for preloading,
Strict-Transport-Security
header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.max-age
specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.Notice For optimal security, consider increasing
max-age
to at least 31,536,000 seconds (1 year), especially if you're considering preloading.preload
recommends the domain for inclusion in browsers' preload lists. If accepted, the domain would get hardcoded into browsers as HTTPS-only.Notice In order to be eligible for preloading,
max-age
must be least 31,536,000 seconds (roughly 1 year).x-fb-debug
u1j77lt0hemkxz7qqfq05bxq7aqvirldalgqnvstp1zo6pojpvarj9cmoq34ehsc06bfuqikypo6ogincv330g==
date
sun, 06 jul 2025 21:53:09 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age
or Expires
.x-fb-connection-quality
excellent; q=0.9, rtt=10, rtx=0, c=10, mss=1380, tbw=3909, tp=-1, tpl=-1, uplat=60, ullat=0
alt-svc
h3=":443"; ma=86400
The
alt-svc
header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.h3
indicates that HTTP/3 is supported. Variants like h3-29
refer to specific drafts of the HTTP/3 protocol.ma=86400
specifies that the alternative service information is fresh for 86400 seconds.referrer-policy
missing Add a
Referrer-Policy
header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy
header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy
to specify how this page can be loaded by cross-origin resources.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies
header to prevent Flash, Adobe Reader and other clients from sharing data across domains.Questions or feedback? Email dries@buytaert.net.