Dries Buytaert

HTTP Headers Analyzer

7 / 10
WordPress → LiteSpeed → Browser
6 missing headers, 1 warning, 1 notice
Header
Value
Explanation
keep-alive
timeout=5, max=100
Set a timeout and/or a maximum number of requests. timeout specifies the time in seconds that the host will allow an idle connection to remain open. max specifies the maximum number of requests that can be sent before the connection is closed.
x-powered-by
php/7.2.34
Some of the software used to generate or serve this page.
Warning: Sharing too many details about a server or web application makes it easier for hackers to target a website. Avoid specific version numbers such as 7.2.34, especially when running software that is end-of-life and/or has known security bugs. Consider removing this header. At a minimum, remove any version number.
content-type
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
date
wed, 27 sep 2023 04:43:45 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.
server
litespeed
Some of the software used to generate or serve this page.
x-turbo-charged-by
litespeed
Some of the software used to generate or serve this page.
x-frame-options
sameorigin
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in an iframe, but only on the current origin. It can't be displayed on another domain. Consider setting this to deny for added security.
x-xss-protection
1; mode=block
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
Notice: It is recommended to use Content-Security-Policy instead of X-XSS-Protection. Some browsers like Firefox refuse to support X-XSS-Protection. Content-Security-Policy is more advanced, a W3C recommendation, and supported by all modern browsers.
x-content-type-options
nosniff
Instructs the browser not to change the MIME type of the request. Browsers sometimes sniff or inspect the document to determine if the specified MIME type is correct. A browser changing the MIME type of a document can introduce security vulnerabilities. These vulnerabilities can occur when a website allows users to upload content and the user disguises a particular file type as something else. For example, a JavaScript file is uploaded as a JPEG file. When the browser changes the MIME type from image/jpeg to text/javascript, it gives attackers an opportunity to perform a cross-site scripting attack.
strict-transport-security
max-age=31536000; includesubdomains; preload;
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
preload recommends the domain for inclusion in browsers' preload lists. If accepted, the domain would get hardcoded into browsers as HTTPS-only.
referrer-policy
no-referrer-when-downgrade
When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
no-referrer-when-downgrade means that the protocol, host, port, path and query string are shared. It is only shared when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS) or improves (HTTP → HTTPS). When the protocol becomes less secure (HTTPS → HTTP), nothing is shared.
content-security-policy
missing
Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross-site scripting (XSS) and data injection attacks.
permissions-policy
missing
Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.
cross-origin-embedder-policy
missing
Add a Cross-Origin-Embedder-Policy header to specify how this page can be loaded by cross-origin resources.
cross-origin-opener-policy
missing
Add a Cross-Origin-Opener-Policy header to opt in to better browser isolation.
cross-origin-resource-policy
missing
Add a Cross-Origin-Resource-Policy header to specify who can load this page.
x-permitted-cross-domain-policies
missing
Add an X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.

Questions or feedback? Email dries@buytaert.net.