Dries Buytaert

HTTP Headers Analyzer

8 / 10
Website → Browser
0 missing headers, 2 warnings, 1 notices
Header
Value
Explanation
accept-ranges
bytes
Used by the server to advertise its support of partial HTTP requests. It's a feature that allows a browser to resume an interrupted download, for example.
cache-control
max-age=0, private, must-revalidate
private means the page can only be stored by the browser, but not by CDNs, Varnish or any other shared caches.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.
Warning Because max-age is set to 0 seconds, nothing will ever be cached in shared caches or browsers. Caching is effectively disabled!
content-security-policy
default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
base-uri defines what URLs can be used in the <base> URL.
script-src defines what JavaScript is allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
media-src defines what <audio>, <video> and <track> elements are allowed to be loaded.
img-src defines what images and favicons can be loaded.
worker-src defines what workers scripts (e.g. Worker, ServiceWorker or SharedWorker) can be loaded and executed.
font-src defines what fonts can be loaded using CSS's font-face.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
manifest-src defines what manifest files can be loaded.
form-action defines what URLs can be used for form submissions.
content-type
text/html; charset=utf-8
etag
w/"82d25d9c09a7d7a9f3bafbc903281a50"
A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare Etag values to see if the page has changed and became stale. For example, a browsers will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values match, the web server sends back a 304 Not Modified status and no body. This particular Etag value starts with w/ which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.
referrer-policy
origin-when-cross-origin, strict-origin-when-cross-origin
When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
Warning The value of this header is not valid.
server
github.com
Some of the software used to generate or serve this page.
status
200 ok
strict-transport-security
max-age=31536000; includesubdomains; preload
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
preload recommends the domain for inclusion in browsers' preload lists. If accepted, the domain would get hardcoded into browsers as HTTPS-only.
transfer-encoding
chunked
Specifies how the resource is transfered. Not to be confused with Content-Encoding which specifies how the request body is compressed. chunked means that the data is send in chuncks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
vary
x-pjax, accept-encoding, accept, x-requested-with
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
Notice This request has a lot of Vary headers. The more headers, the less likely the page is to be cached.
x-frame-options
deny
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
deny means that this page can never be displayed in an iframe. It's the most secure option.
x-github-request-id
950a:63c4:709110:ce8617:5f37407d
x-xss-protection
1; mode=block
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.

Questions or feedback? Email dries@buytaert.net.