Dries Buytaert

HTTP Headers Analyzer

7 / 10
Website → Varnish → Varnish → Fastly → Browser
3 missing headers, 0 warnings, 1 notices
Used by the server to advertise its support of partial HTTP requests. It's a feature that allows a browser to resume an interrupted download, for example.
Indicates whether a browser can share this resource with other code. * is a wildcard. It means the browser should allow code from any origin to access this resource.
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
Notice A max-age of 60 seconds is short, especially if your content doesn't change frequently. Consider increasing max-age unless the URL has live updates.
default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com:* https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
script-src defines what JavaScript is allowed to be loaded and executed.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
media-src defines what <audio>, <video> and <track> elements are allowed to be loaded.
img-src defines what images and favicons can be loaded.
font-src defines what fonts can be loaded using CSS's font-face.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
child-src defines what <frame>, <iframe> or workers can be loaded.
text/html; charset=utf-8
, accept-encoding
A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. All the headers specified by Vary must match with those of the cached response.
1.1 varnish, 1.1 varnish
The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.
hit, hit
The page was served from Fastly's cache. This site is a customer of Fastly's origin shielding feature for improved reliability.
2, 1
The number of times this page has been served from the Varnish cache. Higher numbers are better.
cache-dca12920-dca, cache-wdc5557-wdc
Fastly's shield and edge servers that were queried for the request.
This header provides timing information about the journey of a request through Fastly's network. Format: s<timestamp>,vs<seconds>,ve<seconds>, where s is the start time of the request, ve stands for Varnish start and ve stands for Varnish end. The length of the trip is ve - vs milliseconds.
1; mode=block
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
missing Add a Permissions-Policy header. Restrict access to features like your camera, microphone, location, accelerometer and much more.

Questions or feedback? Email dries@buytaert.net.