Dries Buytaert

HTTP Headers Analyzer

3 / 10
Website → CloudFlare → Browser
5 missing headers, 1 warnings, 4 notices
Header
Value
Explanation
alt-svc
h3=":443"; ma=86400, h3-29=":443"; ma=86400
Used to promote alternative services through which the same resource can be retrieved.
h3 stands for HTTP/3. The number after the dash indicates the draft; e.g. h3-27 would be draft 27 of the HTTP/3 protocol.
ma is the number of seconds the alternative service is considered fresh.
cache-control
max-age=691200
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
cf-cache-status
dynamic
Warning dynamic means that Cloudflare did not cache the HTML page. It's equivalent to a cache miss. Cloudflare's dynamic cache setting only caches static assets like images, videos, CSS files, JavaScript files and more. HTML pages will never be cached and will always be requested from the origin web server. This can be expensive for dynamically generated HTML. To cache HTML files in Cloudflare, change the 'Cache level' setting from dynamic to everything.
cf-ray
75647551fca08000-iad
A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.
Notice Cf-Ray is deprecated and no longer guaranteed to be unique. Cf-Request-Id is the new preferred header.
content-type
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
expires
sat, 15 oct 2022 06:07:45 gmt
This Expires date is in the future: the page can be served from a cache. The page is set to expire in 691200 seconds. At that point, caches should be refreshed.
Notice Because there is a Cache-Control header with a max-age and/or s-maxage directive, the Expires header will be ignored. Consider removing Expires to save bandwidth and processing power.
nel
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
The "Network Error Logging" (NEL) header is used to configure network request logging; enables websites and applications to receive reports about failed network fetches from supporting browsers.
report-to
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5mxhq3eswmmk3zvnpwhk5pcuhakozl9o9ecsly%2fdisebo5czuoqkmyaytimgygmb%2f8urrgfwetl2ycevlen8s%2fk5jgjidgvw62v5pk%2bwsqjuracqufadzrt%2boljhxabwa2833aoqtg%3d%3d"}],"group":"cf-nel","max_age":604800}
server
cloudflare
Some of the software used to generate or serve this page.
transfer-encoding
chunked
Specifies how the resource is transfered. Not to be confused with Content-Encoding which specifies how the request body is compressed. chunked means that the data is send in chuncks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
vary
accept-encoding
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
content-length
Notice Add a Content-Length header. Without it some servers will respond with 400 (bad request) or terminate connections early.
strict-transport-security
missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
content-security-policy
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.
referrer-policy
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
x-frame-options
missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestor directive.
permissions-policy
missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

Questions or feedback? Email dries@buytaert.net.