Dries Buytaert

HTTP Headers Analyzer

5 / 10
https://vendingvendingmachine.com/start-a-vending-machine-business
WordPress → CloudFlare → Browser
9 missing headers, 1 warnings, 2 notices
The site is using a CDN, but the HTML page is not cached.
Header
Value
Explanation
date
wed, 12 feb 2025 17:02:18 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.
content-type
text/html; charset=utf-8
The type of the message body, specified as a MIME type.
cf-ray
910e253dafe45aff-iad
The cf-ray header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.
cf-cache-status
miss
The page was not served from Cloudflare's cache.
cache-control
max-age=0
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
Warning Because max-age is set to 0 seconds and no s-maxage is set, nothing will be cached in browsers or shared caches. Caching is effectively disabled!
expires
wed, 12 feb 2025 17:02:17 gmt
The date and time after which the page should be considered stale and all caches should be refreshed.
Notice Because there is a Cache-Control header with a max-age and/or s-maxage directive, the Expires header will be ignored. Consider removing Expires to save bandwidth and processing power.
last-modified
wed, 12 feb 2025 17:02:17 gmt
The date and time at which the origin server believes the page was last modified.
Notice According to the Last-Modified header the site's content was changed less than ten minutes ago. If that is not the case, consider fixing your Last-Modified headers to improve caching.
vary
accept-encoding, accept-encoding
The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.
x-pingback
https://vendingvendingmachine.com/xmlrpc.php
The URL of the XML-RPC Pingback endpoint. Used to notify the site owner about a new post linking to this site. Webention is a newer alternative to Pingbacks.
server
cloudflare
alt-svc
h3=":443"; ma=86400
The alt-svc header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.
h3 indicates that HTTP/3 is supported. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=86400 specifies that the alternative service information is fresh for 86400 seconds.
strict-transport-security
missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
content-security-policy
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.
referrer-policy
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
permissions-policy
missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.
cross-origin-embedder-policy
missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.
cross-origin-opener-policy
missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.
cross-origin-resource-policy
missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.
x-frame-options
missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestor directive.
x-permitted-cross-domain-policies
missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.

Questions or feedback? Email dries@buytaert.net.