7 / 10
3 missing headers, 0 warnings, 1 notices
Used by the server to advertise its support of partial HTTP requests. It's a feature that allows a browser to resume an interrupted download, for example.
Indicates whether a browser can share this resource with other code.
* is a wildcard. It means the browser should allow code from any origin to access this resource.
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
max-age of 60 seconds is short, especially if your content doesn't change frequently. Consider increasing max-age unless the URL has live updates.
The size of the message body, in bytes.
default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' data: *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com:* https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* https://www.google.com https://news.google.com https://www.google.co.uk https://amp-cnn-com.cdn.ampproject.org courageousstudio.com;
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
<applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
<track> elements are allowed to be loaded.
img-src defines what images and favicons can be loaded.
font-src defines what fonts can be loaded using CSS's
<iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using
<iframe> or workers can be loaded.
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
1.1 varnish, 1.1 varnish
Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the
The page was served from Fastly's cache. This site is a customer of Fastly's origin shielding feature for improved reliability.
The number of times this page has been served from the Varnish cache. Higher numbers are better.
Fastly's shield and edge servers that were queried for the request.
This header provides timing information about the journey of a request through Fastly's network. Format:
s is the start time of the request, vs stands for Varnish start and ve stands for Varnish end. The length of the trip is ve - vs milliseconds.
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
missing Add a
Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
missing Add a Permissions-Policy header. Restrict access to features like your camera, microphone, location, accelerometer and much more.