Dries Buytaert

HTTP Headers Analyzer

7 / 10
Website → Browser
0 missing headers, 2 warnings, 2 notices
Accept-Ranges
Used by the server to advertise its support for partial HTTP requests (byte ranges). This is the feature that lets a browser resume an interrupted download, for example.
Cache-Control
max-age=0, private, must-revalidate
private means the response may be stored only by the browser's own cache, not by CDNs, Varnish or any other shared cache.
max-age specifies the maximum number of seconds the response is considered fresh. The higher max-age, the longer a page can be served from a cache without contacting the origin.
must-revalidate indicates that once the response becomes stale, neither shared caches nor browser caches may use their stale copy without first validating it successfully with the origin server; they may not fall back to serving stale content when the origin is unreachable.
Warning Because max-age is set to 0 seconds, the response is stale the moment it arrives. A browser may still store it, but it must revalidate with the origin (using the ETag) before every reuse, so caching saves bandwidth only when the origin answers 304 Not Modified and never saves a round trip. Shared caches store nothing at all because of private.
Content-Security-Policy
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.githubassets.com; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events translator.github.com wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com viewscreen.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.githubassets.com github.com/socket-worker-0af8a29d.js gist.github.com/socket-worker-0af8a29d.js
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for every resource type that has no more specific directive of its own; it is the fallback. Here it is 'none', so anything not covered explicitly (for example <object> and <embed> content, since there is no object-src) is blocked.
base-uri defines which URLs may be used in the document's <base> element. Locking it to 'self' stops an injected <base href> from redirecting every relative script and form URL to an attacker's host.
script-src defines which sources JavaScript may be loaded and executed from. Here it is a single CDN host with no 'unsafe-inline' or 'unsafe-eval', so injected inline scripts do not run.
style-src defines which CSS stylesheets may be loaded. Here it also allows 'unsafe-inline', so inline <style> blocks and style attributes are permitted.
media-src defines which sources <audio>, <video> and <track> elements may load from.
img-src defines which sources images and favicons may be loaded from.
worker-src defines which sources worker scripts (Worker, SharedWorker and ServiceWorker) may be loaded and executed from.
font-src defines which sources fonts may be loaded from via CSS @font-face.
frame-src defines which sources <frame> and <iframe> elements may load.
frame-ancestors defines which parents may embed this page using <frame>, <iframe>, <object>, <embed> or <applet>. It is the CSP replacement for X-Frame-Options; 'none' here matches the X-Frame-Options deny sent alongside it.
child-src defines which sources <frame>, <iframe> and workers may load. It is consulted only when frame-src or worker-src is absent; both are present here, so child-src has no effect in browsers that implement them and serves only as a fallback for older ones.
manifest-src defines which sources web app manifest files may be loaded from.
form-action defines which URLs may receive form submissions. Unlike the fetch directives it does not fall back to default-src, so it has to be set explicitly to stop an injected form from posting data elsewhere.
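An added example (not the analyzer's code) that parses this policy and applies the fallback chain described above, then checks individual fetches against the source expressions. POLICY is an abridged copy of the header value shown above (some connect-src and img-src hosts dropped), DOCUMENT_ORIGIN is assumed to be https://github.com, and the sample URLs are constructed; ports, nonces, hashes and reporting directives are left out of the matcher.

```python
"""Parse a Content-Security-Policy and decide which directive governs a fetch.

Added example for this page, not the analyzer's code. POLICY is an abridged
copy of the header in the report; DOCUMENT_ORIGIN is an assumption.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

POLICY = (
    "default-src 'none'; base-uri 'self'; block-all-mixed-content; "
    "child-src github.githubassets.com; "
    "connect-src 'self' uploads.github.com logx.optimizely.com/v1/events "
    "wss://alive.github.com github.githubassets.com; "
    "font-src github.githubassets.com; form-action 'self' github.com gist.github.com; "
    "frame-ancestors 'none'; "
    "frame-src render.githubusercontent.com viewscreen.githubusercontent.com; "
    "img-src 'self' data: github.githubassets.com *.githubusercontent.com; "
    "script-src github.githubassets.com; "
    "style-src 'unsafe-inline' github.githubassets.com; "
    "worker-src github.githubassets.com github.com/socket-worker-0af8a29d.js"
)
DOCUMENT_ORIGIN = "https://github.com"  # assumed origin the policy was served on

# CSP3 fallback: the first directive in the chain that the policy contains governs
# the fetch. Directives not listed here fall back straight to default-src, and the
# NO_FALLBACK ones never do (absent means unrestricted).
CHAINS = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "child-src": ["child-src", "default-src"],
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
}
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """{directive: [source expressions]}; names are case-insensitive and a
    repeated directive is ignored (the first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_directive(policy: Dict[str, List[str]],
                        directive: str) -> Tuple[Optional[str], List[str]]:
    """Walk the fallback chain; (None, []) means the policy does not restrict
    this kind of fetch at all."""
    default_chain = [directive] if directive in NO_FALLBACK else [directive, "default-src"]
    for name in CHAINS.get(directive, default_chain):
        if name in policy:
            return name, policy[name]
    return None, []


def source_matches(source: str, url: str, document_origin: str = DOCUMENT_ORIGIN) -> bool:
    """Simplified CSP3 matching of one source expression against a URL (no ports)."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == document_origin
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1].lower()  # scheme-source such as data: or wss:
    scheme, _, rest = source.rpartition("://")
    host, _, path = rest.partition("/")
    if scheme and scheme.lower() != u.scheme:
        return False
    if not scheme and u.scheme not in ("https", urlsplit(document_origin).scheme):
        return False  # schemeless host-source: the document's scheme (plus https)
    hostname = u.hostname or ""
    if host.startswith("*."):
        if not hostname.endswith(host[1:].lower()):
            return False  # *.example.com matches subdomains only, not example.com
    elif hostname != host.lower():
        return False
    if path:
        path = "/" + path  # trailing slash means prefix match, otherwise exact
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def allows(policy: Dict[str, List[str]], directive: str, url: str) -> bool:
    """Is a fetch of `url`, of the kind named by `directive`, permitted?"""
    governing, sources = effective_directive(policy, directive)
    if governing is None:
        return True
    return any(source_matches(s, url) for s in sources)


if __name__ == "__main__":
    p = parse_csp(POLICY)
    for kind, url in [("frame-src", "https://render.githubusercontent.com/view/x"),
                      ("object-src", "https://github.githubassets.com/plugin.swf"),
                      ("connect-src", "wss://alive.github.com/_sockets"),
                      ("script-src", "https://evil.example/x.js")]:
        verdict = "allowed" if allows(p, kind, url) else "BLOCKED"
        print(f"{kind:12} {url:48} {verdict} via {effective_directive(p, kind)[0]}")
```

The object-src case shows the fallback doing its job: nothing in the policy mentions plugins, yet default-src 'none' blocks them. The worker-src chain (child-src, then script-src, then default-src) is the one most often gotten wrong when reasoning about a policy by eye.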
Content-Type
text/html; charset=utf-8
Tells the browser the media type of the body and its character encoding. Declaring the charset explicitly stops the browser from guessing the encoding, a guess that older encoding-based XSS tricks relied on.
ETag
A unique identifier that changes every time the representation at a given URL changes; it acts as a fingerprint. A cache compares ETag values to tell whether its stored copy is still current. For example, a browser sends the ETag of a cached page in an If-None-Match request header. The web server compares it with the ETag of the current version of the page; if the two match, it answers 304 Not Modified with no body and the browser keeps using its copy. This particular ETag starts with W/, which marks it as a weak validator: two representations that are semantically equivalent (differing, say, only in whitespace or a timestamp in a comment) may share the same weak tag, so a match does not guarantee byte-for-byte identity. Weak validators are fine for If-None-Match and 304 handling, but they cannot be used with If-Range to resume a download, which needs a strong validator, even though Accept-Ranges is advertised on this response. Weak identifiers are common because strong ones can be difficult and costly to generate.
Instructs a browser to selectively allow or deny browser APIs and features (such as camera, microphone or geolocation) for the page and for the frames it embeds. Denying features the site does not use limits what an injected script or a malicious iframe can do.
Referrer-Policy
origin-when-cross-origin, strict-origin-when-cross-origin
When a visitor navigates from one page to another, or a page fetches a subresource, browsers often pass along the URL they came from in the Referer header. The Referrer-Policy header controls how much of that URL is shared. This matters because private information (tokens, usernames, search terms) is often embedded in the path or query string.
Warning The value is a comma-separated list of two policies. The Referrer Policy specification allows this: a browser applies the last token it recognizes, so a browser that knows strict-origin-when-cross-origin uses it and an older one falls back to origin-when-cross-origin. The difference is that the older policy still sends the origin on an HTTPS-to-HTTP downgrade. Tools that expect a single token may report the list as invalid; check which policy the browsers you care about actually apply.
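The fallback rule in the warning, as an added example (not the analyzer's code): resolve the two-value header from the report to the policy a browser applies, then compute the Referer it would send. The page and destination URLs are constructed.

```python
"""Resolve a multi-valued Referrer-Policy and compute the Referer a browser sends.

Added example for this page, not the analyzer's code. HEADER is the value in
the report; the URLs below are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

HEADER = "origin-when-cross-origin, strict-origin-when-cross-origin"

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
}


def resolve_policy(header: str, default: str = "strict-origin-when-cross-origin") -> str:
    """Referrer Policy spec: split on commas and keep the LAST token the browser
    recognizes. Unknown tokens are skipped, which is why 'old-policy, new-policy'
    is a valid fallback list rather than an error."""
    chosen = default
    for token in header.split(","):
        t = token.strip().lower()
        if t in KNOWN_POLICIES:
            chosen = t
    return chosen


def _origin(url: str) -> str:
    u = urlsplit(url)
    host = u.hostname or ""
    return f"{u.scheme}://{host}:{u.port}" if u.port else f"{u.scheme}://{host}"


def _strip_for_referrer(url: str) -> str:
    """Referer never carries the fragment or userinfo (user:pass@host)."""
    u = urlsplit(url)
    return _origin(url) + (u.path or "/") + (f"?{u.query}" if u.query else "")


def referrer_for(policy: str, source_url: str, dest_url: str) -> Optional[str]:
    """Referer value for a request from source_url to dest_url, or None when no
    Referer is sent. A 'downgrade' is an https page requesting an http URL."""
    same_origin = _origin(source_url) == _origin(dest_url)
    downgrade = urlsplit(source_url).scheme == "https" and urlsplit(dest_url).scheme == "http"
    full = _strip_for_referrer(source_url)
    origin_only = _origin(source_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    page = "https://github.com/acme/repo/settings?token=s3cret#security"  # constructed
    policy = resolve_policy(HEADER)
    for dest in ("https://github.com/acme/repo", "https://example.org/", "http://example.org/"):
        print(f"{policy}: {page} -> {dest}: Referer={referrer_for(policy, page, dest)!r}")
    # The fallback policy leaks the origin on a downgrade; the strict one does not.
    print(referrer_for("origin-when-cross-origin", page, "http://example.org/"))
```

Run with the constructed page URL, the resolved policy sends the full URL (minus fragment) to same-origin pages, only https://github.com/ to other HTTPS sites, and nothing at all to plain-HTTP destinations; the legacy fallback policy differs only in still sending the origin on that downgrade.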
Server
Some of the software used to generate or serve this page. Exact version strings here give an attacker a shortcut to known vulnerabilities, so many sites limit the value to a product name or drop it.
Strict-Transport-Security
max-age=31536000; includesubdomains; preload
The Strict-Transport-Security (HSTS) header instructs browsers to use only HTTPS for this host: http:// URLs are rewritten before any request leaves the browser, and certificate errors can no longer be clicked through.
max-age is the time, in seconds, that the browser should remember to use HTTPS only. 31536000 seconds is one year, the minimum the browser preload list requires. Sending max-age=0 tells the browser to forget the policy.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well. Directive names are case-insensitive, so the lowercase spelling is valid.
preload signals that the domain may be submitted for inclusion in browsers' built-in preload lists. If accepted, the domain is hardcoded into browsers as HTTPS-only, so even a visitor's very first request never travels over plain HTTP. Preloading is effectively permanent (removal takes months to reach users), so every subdomain must be able to serve HTTPS before submitting.
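An added example (not the analyzer's code) that parses the value shown above per RFC 6797 and checks the header-level preload criteria; the alternative header values used for comparison are constructed.

```python
"""Parse Strict-Transport-Security and check header-level preload eligibility.

Added example for this page, not the analyzer's code. HEADER is the value in
the report; the other header values are constructed for comparison.
"""
from typing import Dict, Optional

HEADER = "max-age=31536000; includesubdomains; preload"
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """RFC 6797 §6.1: directives separated by ';', names case-insensitive,
    max-age mandatory, no directive repeated. Anything that breaks those rules
    returns None, because a browser must ignore such a header entirely."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a duplicated directive invalidates the whole header
        directives[name] = arg.strip().strip('"') if arg else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is required and must be a non-negative integer
    return directives


def browser_effect(directives: Dict[str, Optional[str]]) -> str:
    """What a browser does on receiving the policy over HTTPS."""
    seconds = int(directives["max-age"])
    if seconds == 0:
        return "forget policy"  # max-age=0 is how a site switches HSTS off again
    scope = "host and subdomains" if "includesubdomains" in directives else "host only"
    return f"https-only for {seconds}s ({scope})"


def preload_eligible(directives: Dict[str, Optional[str]]) -> bool:
    """Header-side preload criteria: max-age of at least one year, includeSubDomains
    and preload. (The list also checks the HTTPS redirect and certificates, which
    the header alone cannot tell you.)"""
    return (int(directives["max-age"]) >= ONE_YEAR
            and "includesubdomains" in directives
            and "preload" in directives)


if __name__ == "__main__":
    for value in (HEADER, "max-age=15768000; includeSubDomains; preload",
                  "max-age=31536000; preload", "max-age=0", "max-age=1; max-age=2"):
        d = parse_hsts(value)
        if d is None:
            print(f"{value!r}: invalid, browser ignores it")
        else:
            print(f"{value!r}: {browser_effect(d)}, preload-eligible={preload_eligible(d)}")
```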
Transfer-Encoding
Specifies how the message body is transferred over the connection. Not to be confused with Content-Encoding, which specifies how the response body is compressed. chunked means that the body is sent in chunks, each prefixed with its size in hexadecimal and the whole sequence terminated by a zero-length chunk. Chunks are sent and received independently of one another: the server can stream the document and does not have to wait for the full document to be generated, and the browser can start processing chunks as they come in rather than waiting for the entire document to be downloaded.
Vary
x-pjax, x-pjax-container, accept-language, accept-encoding, accept, x-requested-with
A list of request headers that a cache must take into account when deciding whether a stored response can be reused rather than forwarding the request to the origin server. A stored response matches only if every header named in Vary has the same value in the new request as in the request that produced the stored response.
Notice This response lists many request headers in Vary. Each additional header multiplies the number of distinct variants a cache has to keep, so the more headers, the less likely any given request is to hit a stored copy.
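An added example (not the analyzer's code) tying together the Cache-Control, ETag and Vary behaviour described above as a single browser-cache lookup: pick a stored response by Vary, judge freshness from max-age=0, and revalidate with If-None-Match using weak ETag comparison. CACHE_CONTROL and VARY are the values in the report; the stored entry, its ETags and the request headers are constructed.

```python
"""Browser-cache lookup combining Cache-Control, Vary and ETag revalidation.

Added example for this page, not the analyzer's code. CACHE_CONTROL and VARY
are the values in the report; cache entries, ETags and requests are constructed.
"""
from typing import Dict, Optional, Tuple

CACHE_CONTROL = "max-age=0, private, must-revalidate"
VARY = "x-pjax, x-pjax-container, accept-language, accept-encoding, accept, x-requested-with"


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'max-age=0, private' -> {'max-age': '0', 'private': None}; names lowercased."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') or None
    return out


def may_store(cc: Dict[str, Optional[str]], shared_cache: bool) -> bool:
    """no-store forbids storing anywhere; private forbids it in shared caches only."""
    return "no-store" not in cc and not (shared_cache and "private" in cc)


def is_fresh(cc: Dict[str, Optional[str]], age_seconds: int) -> bool:
    """Fresh while age < max-age (RFC 7234). max-age=0 is stale on arrival: the
    copy may be stored but must be revalidated before every reuse. No explicit
    lifetime is treated as stale here (no heuristic freshness)."""
    max_age = cc.get("max-age")
    return max_age is not None and max_age.isdigit() and age_seconds < int(max_age)


def vary_matches(vary: str, stored_req: Dict[str, str], new_req: Dict[str, str]) -> bool:
    """RFC 7234 §4.1: each header named in Vary must carry the same value in the
    new request as in the request that produced the stored response. Names are
    case-insensitive, absent-in-both counts as equal, and '*' never matches."""
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    if "*" in names:
        return False
    old = {k.lower(): v.strip() for k, v in stored_req.items()}
    new = {k.lower(): v.strip() for k, v in new_req.items()}
    return all(old.get(n) == new.get(n) for n in names)


def _opaque_tag(etag: str) -> str:
    return etag[2:] if etag.startswith("W/") else etag  # the W/ prefix is case-sensitive


def etag_weak_match(a: str, b: str) -> bool:
    """RFC 7232 weak comparison (If-None-Match): W/ is ignored on both sides."""
    return _opaque_tag(a.strip()) == _opaque_tag(b.strip())


def etag_strong_match(a: str, b: str) -> bool:
    """Strong comparison (If-Match, If-Range): a weak tag can never match."""
    return not a.startswith("W/") and not b.startswith("W/") and a == b


def origin_conditional_get(if_none_match: str, current_etag: str) -> int:
    """Origin's answer to a conditional GET: 304 if any listed tag weakly matches
    the current representation (or '*' was sent), otherwise 200 with a new body."""
    if if_none_match.strip() == "*":
        return 304
    tags = [t.strip() for t in if_none_match.split(",") if t.strip()]
    return 304 if any(etag_weak_match(t, current_etag) for t in tags) else 200


def lookup(stored: dict, request: Dict[str, str], age_seconds: int,
           current_origin_etag: str) -> Tuple[str, int]:
    """What a browser cache does for `request` given a stored entry of the form
    {'request': <headers it was fetched with>, 'etag': <its ETag>}."""
    cc = parse_cache_control(CACHE_CONTROL)
    if not vary_matches(VARY, stored["request"], request):
        return "miss: Vary mismatch, fetch from origin", 200
    if is_fresh(cc, age_seconds):
        return "hit: serve stored copy", 200
    # Stale and must-revalidate: a conditional request is mandatory; serving the
    # stale copy on error is not allowed.
    status = origin_conditional_get(stored["etag"], current_origin_etag)
    if status == 304:
        return "revalidated: 304, reuse stored body", 304
    return "replaced: origin sent a new representation", 200


if __name__ == "__main__":
    entry = {"request": {"Accept": "text/html", "Accept-Encoding": "gzip, br"},
             "etag": 'W/"7f3a0c"'}  # constructed, shaped like the report's weak ETag
    same = dict(entry["request"])
    print(lookup(entry, same, 0, 'W/"7f3a0c"'))
    print(lookup(entry, same, 0, 'W/"9b21ee"'))
    print(lookup(entry, {**same, "Accept-Encoding": "identity"}, 0, 'W/"7f3a0c"'))
```

With max-age=0 the "hit" branch is unreachable for this response: every reuse costs a conditional round trip, and the only saving is the body when the origin answers 304.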
X-Frame-Options
X-Frame-Options prevents this URL from being embedded in a frame on another site. This protects against clickjacking attacks, where the page is loaded invisibly over a decoy and the visitor is tricked into clicking it.
deny means that this page can never be displayed in a frame, not even by its own origin. It is the most restrictive option. Browsers that support CSP Level 2 give the frame-ancestors 'none' directive in this page's Content-Security-Policy precedence over X-Frame-Options; the two agree here, and X-Frame-Options still covers older browsers.
Notice This response has no Content-Length header. That is correct here: the body is sent with Transfer-Encoding: chunked, and a message must not carry both (RFC 7230 §3.3.2). A receiver that sees both has to treat Transfer-Encoding as authoritative and ignore Content-Length, and a disagreement between the two is the classic ingredient of request-smuggling attacks. Content-Length is only needed on responses that are not chunked, where its absence forces the receiver to read until the connection closes.
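An added example (not the analyzer's code) of how a receiver decides where a response body ends, following the precedence rules of RFC 7230 §3.3.3, together with a decoder for the chunked framing described under Transfer-Encoding above. The header sets and chunked byte strings are constructed.

```python
"""Body framing per RFC 7230 §3.3.3 and a strict chunked-body decoder.

Added example for this page, not the analyzer's code. All header sets and
byte strings here are constructed.
"""
from typing import Dict, Tuple

HEX_DIGITS = b"0123456789abcdefABCDEF"


def body_framing(headers: Dict[str, str]) -> Tuple[str, bool]:
    """Return (framing, conflict) for a response. framing is 'chunked',
    'content-length' or 'close'. Transfer-Encoding always wins; if Content-Length
    is present as well the sender violated RFC 7230 §3.3.2, so conflict=True and
    the Content-Length value is ignored (smuggling defences alert on this)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    te, cl = h.get("transfer-encoding"), h.get("content-length")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings[-1] != "chunked":
            return "close", cl is not None  # response not chunked-terminated: read to close
        return "chunked", cl is not None
    if cl is not None:
        if not cl.isdigit():
            raise ValueError(f"invalid Content-Length {cl!r}")
        return "content-length", False
    return "close", False  # no length information: body ends when the server closes


def decode_chunked(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Decode: hex-size[;extensions] CRLF data CRLF ... 0 CRLF [trailers] CRLF.
    Returns (body, trailers); raises ValueError on any framing defect, including
    non-hex sizes, a size that disagrees with the data, and bytes after the end."""
    body = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field.decode("ascii"), 16)
        pos = end + 2
        if size == 0:
            break
        chunk = raw[pos:pos + size]
        if len(chunk) < size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not followed by CRLF")
        body += chunk
        pos += size + 2
    trailers: Dict[str, str] = {}
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated trailer section")
        line = raw[pos:end]
        pos = end + 2
        if not line:
            break
        name, _, value = line.decode("latin-1").partition(":")
        trailers[name.strip().lower()] = value.strip()
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} unexpected bytes after the final chunk")
    return bytes(body), trailers


def is_well_formed(raw: bytes) -> bool:
    """True if decode_chunked accepts the byte string without error."""
    try:
        decode_chunked(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed response head shaped like the report's: chunked, no Content-Length.
    print(body_framing({"Transfer-Encoding": "chunked", "Content-Type": "text/html; charset=utf-8"}))
    print(body_framing({"Transfer-Encoding": "chunked", "Content-Length": "11"}))  # conflict
    print(decode_chunked(b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"))
```

The decoder is deliberately unforgiving: lenient parsers that accept sign characters, 0x prefixes or trailing garbage in the chunk-size line are exactly what request-smuggling payloads exploit when two hops disagree on where a message ends.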

Questions or feedback? Email dries@buytaert.net.