Dries Buytaert

HTTP Headers Analyzer

6 / 10
Website → Browser
7 missing headers, 1 warnings, 2 notices
A Cross-Origin Resource Policy (CORP) header specifies the origins that are allowed to read this page.
  • cross-origin specifies that any origin can read this page. This is the default option and the least safe.
  • M
  • same-origin specifies that only requests from the same origin can read the resource. This is the most strict and safest option.
  • same-site specifies that only requests from the same site can read the page. Is a bit more relaxed than same-origin as it allows different subdomains, schemes and ports.

Notice cross-origin should be avoided if possible, but is sometimes necessary to support third-party CDNs.
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
wed, 27 sep 2023 06:07:36 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when compairing against Max-Age or Expires.
blogger render server 1.0
Some of the software used to generate or serve this page.
Warning Sharing too many details about a server or web application makes it easier for hackers to target a website. Avoid specific version numbers such as 1.0, especially when running software that is end-of-life and/or has known security bugs. Consider removing this header. At a miminum, remove details version numbers.
The size of the message body, in bytes.
Notice It is recommended to use Content-Security-Policy instead of X-XSS-Protection. Some browsers like Firefox refuse to support X-XSS-Protection. Content-Security-Policy is more advanced, a W3C recommendation, and supported by all modern browsers.
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in a iframe, but only on the currrent origin. It can't be displayed on another domain. Consider setting this to deny for added security.
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Used to promote alternative services through which the same resource can be retrieved.
h3 stands for HTTP/3. The number after the dash indicates the draft; e.g. h3-27 would be draft 27 of the HTTP/3 protocol.
ma is the number of seconds the alternative service is considered fresh.
missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.
missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.
missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.
missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.

Questions or feedback? Email dries@buytaert.net.