Dries Buytaert

HTTP Headers Analyzer

3 / 10
Website → CloudFlare → Browser
5 missing headers, 1 warnings, 4 notices
This site is paying for a CDN but not caching anything for anonymous visitors. It's like lighting money on fire! 💵 🔥
h3=":443"; ma=86400, h3-29=":443"; ma=86400
Used to promote alternative services through which the same resource can be retrieved.
h3 stands for HTTP/3. The number after the dash indicates the draft; e.g. h3-27 would be draft 27 of the HTTP/3 protocol.
ma is the number of seconds the alternative service is considered fresh.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
Warning dynamic is equivalent to miss, but tells us that Cloudflare does not consider the asset eligible to cache. The reason is that Cloudflare's dynamic cache setting only caches static assets like images, videos, CSS files, JavaScript files and more. HTML pages will never be cached and will always be requested from the origin web server. This can be expensive for dynamically generated pages. To cache HTML files in Cloudflare, change the 'Cache level' setting from dynamic to everything.
A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.
Notice Cf-Ray is deprecated and no longer guaranteed to be unique. Cf-Request-Id is the new preferred header.
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
wed, 24 aug 2022 13:31:29 gmt
This Expires date is in the future: the page can be served from a cache. The page is set to expire in 691200 seconds. At that point, caches should be refreshed.
Notice Because there is a Cache-Control header with a max-age and/or s-maxage directive, the Expires header will be ignored. Consider removing Expires to save bandwidth and processing power.
The "Network Error Logging" (NEL) header is used to configure network request logging; enables websites and applications to receive reports about failed network fetches from supporting browsers.
Some of the software used to generate or serve this page.
Specifies how the resource is transfered. Not to be confused with Content-Encoding which specifies how the request body is compressed. chunked means that the data is send in chuncks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
Notice Add a Content-Length header. Without it some servers will respond with 400 (bad request) or terminate connections early.
missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestor directive.
missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

Questions or feedback? Email dries@buytaert.net.