Dries Buytaert

HTTP Headers Analyzer

7 / 10
Website → Varnish → Varnish → Fastly → Browser
3 missing headers, 0 warnings, 1 notice
accept-ranges: bytes
  Used by the server to advertise its support of partial HTTP requests. This allows a browser, for example, to resume an interrupted download.

access-control-allow-origin: *
  Indicates whether a browser may share this resource with code from other origins. * is a wildcard: it means the browser should allow code from any origin to access this resource.

age: 0
  The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.

cache-control: max-age=60
  max-age specifies the maximum number of seconds a page is considered fresh. The higher max-age, the longer a page can be cached.
  Notice: A max-age of 60 seconds is short, especially if your content doesn't change frequently. Consider increasing max-age unless the URL has live updates.

content-length: 1110320

content-security-policy: default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com:* https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
  Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
  default-src defines the loading policy for all resource types. It acts as the fallback when no more specific directive is set for a resource type.
  script-src defines what JavaScript is allowed to be loaded and executed.
  object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
  style-src defines what CSS stylesheets are allowed to be loaded.
  media-src defines what <audio>, <video> and <track> elements are allowed to be loaded.
  img-src defines what images and favicons can be loaded.
  font-src defines what fonts can be loaded using CSS's @font-face.
  frame-src defines what <frame> and <iframe> elements can be loaded.
  frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
  child-src defines what <frame>, <iframe> or workers can be loaded.

content-type: text/html; charset=utf-8

vary: , accept-encoding
  A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request to the origin server. All the headers specified by Vary must match those of the cached response.

via: 1.1 varnish, 1.1 varnish
  The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.

x-cache: hit, hit
  The page was served from Fastly's cache. This site uses Fastly's origin shielding feature for improved reliability.

x-cache-hits: 2, 1
  The number of times this page has been served from the Varnish cache. Higher numbers are better.

x-served-by: cache-dca12920-dca, cache-wdc5557-wdc
  Fastly's shield and edge servers that were queried for the request.

x-servedbyhost: ::ffff:127.0.0.1

x-timer: s1623958422.360601,vs0,ve2
  This header provides timing information about the journey of a request through Fastly's network. Format: s<timestamp>,vs<milliseconds>,ve<milliseconds>, where s is the start time of the request, vs stands for Varnish start and ve stands for Varnish end. The length of the trip is ve - vs milliseconds.

x-xss-protection: 1; mode=block
  1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.

strict-transport-security: missing
  Add a Strict-Transport-Security header. The Strict-Transport-Security (HSTS) header is used to instruct browsers to only use HTTPS instead of HTTP. It helps enforce secure communication.

referrer-policy: missing
  Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser may share. This is important to configure when private information is embedded in the path or query string and passed on to an external destination.

permissions-policy: missing
  Add a Permissions-Policy header. It restricts access to features like the camera, microphone, location, accelerometer and much more.

Questions or feedback? Email dries@buytaert.net.