Dries Buytaert

HTTP Headers Analyzer

2 / 10
Website → Apache → Browser
4 missing headers, 2 warnings, 8 notices
Header | Value | Explanation
cache-control
private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
private means the page can only be stored by the browser, but not by CDNs, Varnish or any other shared caches.
no-cache means the response may be stored by any cache, but the stored copy must be validated with the origin before it is served. If the origin confirms that the page has not changed, downloading the body can be skipped.
Warning no-cache will cause a roundtrip to the origin web server for every request. Consider using public to avoid roundtrips and improve caching, but only for responses that carry no user-specific data; a personalised page must never be served from a shared cache.
Warning no-store means the response may not be stored in any cache, including the browser's cache.
must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.
Notice It does not make sense to set must-revalidate with no-store; when nothing is cached, there is nothing to revalidate.
Notice It does not make sense to set must-revalidate with no-cache; must-revalidate is implied.
Notice no-store is set, so it does not make sense to set no-cache as well.
Notice no-store is set, so it does not make sense to set private as well.
Notice pre-check is a legacy directive introduced by Internet Explorer 5 and is no longer supported. No other browser supports it. Including pre-check is unnecessary and wastes bandwidth and processing power.
Notice post-check is a legacy directive introduced by Internet Explorer 5 and is no longer supported. No other browser supports it. Including post-check is unnecessary and wastes bandwidth and processing power.
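The directive checks above are mechanical enough to script. The following Python is an added example written for this page, not the analyzer's own code: it parses a Cache-Control value into directives and reproduces the two warnings and six notices reported for the value shown, so the same checks can be run against any other response. The sample value is the one reported above; the function and variable names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# IE5-only directives that no current browser honours.
LEGACY_DIRECTIVES = ("post-check", "pre-check")

Finding = Tuple[str, str]  # (severity, message)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'private, max-age=60' into {'private': None, 'max-age': '60'}.

    Directive names are case-insensitive, so they are lower-cased; a directive
    without an argument maps to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def check_cache_control(value: str) -> List[Finding]:
    """Return the warnings and notices for one Cache-Control value."""
    d = parse_cache_control(value)
    findings: List[Finding] = []
    if "no-cache" in d:
        findings.append(("warning", "no-cache: every request is revalidated with the origin"))
    if "no-store" in d:
        findings.append(("warning", "no-store: the response may not be stored by any cache, browser included"))
    if "must-revalidate" in d and "no-store" in d:
        findings.append(("notice", "must-revalidate with no-store: nothing is cached, so nothing can be revalidated"))
    if "must-revalidate" in d and "no-cache" in d:
        findings.append(("notice", "must-revalidate with no-cache: must-revalidate is implied"))
    if "no-store" in d:
        for redundant in ("no-cache", "private"):
            if redundant in d:
                findings.append(("notice", f"no-store is set, so {redundant} is redundant"))
    for legacy in LEGACY_DIRECTIVES:
        if legacy in d:
            findings.append(("notice", f"{legacy} is an Internet Explorer 5 directive that no browser supports"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, always reporting both keys."""
    counts = {"warning": 0, "notice": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: the Cache-Control value reported above, verbatim.
    observed = "private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
    for severity, message in check_cache_control(observed):
        print(f"{severity:8} {message}")
    print(summarize(check_cache_control(observed)))
```

Running it on the observed value yields two warnings and six notices, matching the report. Because every other directive is redundant next to no-store, a plain `Cache-Control: no-store` expresses the same policy and produces only the single no-store warning.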
content-security-policy-report-only
frame-ancestors 'self'; report-uri /beacon/csp.php
Allows web developers to debug content security policies. Violations are reported to the specified report-uri, but not enforced.
content-type
text/html; charset=utf-8
expires
thu, 19 nov 1981 08:52:00 gmt
This Expires date is in the past: the response is already stale the moment it is received, so any cache holding it must revalidate it before reusing it.
missing The Cache-Control header, introduced in HTTP/1.1, supersedes the Expires header. Use a Cache-Control header with a max-age directive instead of Expires. Cache-Control is more powerful and also more efficient, in that it avoids roundtrips to the origin server. When a response carries both, browsers ignore Expires in favour of Cache-Control's max-age.
PS: November 19th is my birthday! 🎂
server
apache
Some of the software used to generate or serve this page. Keeping it as terse as here, with no version number, avoids advertising which known vulnerabilities the server might have.
strict-transport-security
max-age=631138520; includesubdomains; preload
The Strict-Transport-Security (HSTS) header instructs browsers to connect to this site only over HTTPS, never over plain HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only; 631138520 seconds is about 20 years.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
preload signals that the domain may be submitted to the browsers' HSTS preload list. If accepted, the domain is hardcoded into browsers as HTTPS-only, so the policy applies even on a visitor's very first request, before any header has been seen.
transfer-encoding
chunked
Specifies how the resource is transferred. Not to be confused with Content-Encoding, which specifies how the response body is compressed. chunked means that the data is sent in chunks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
x-cloud-trace-context
0959107a00f438e46514a408839d7bb8/6624590348081110386;o=0
A unique request identifier generated by Google Cloud. Google Cloud's customer support can use this ID to trace a request through its network. The trailing o=0 indicates that this particular request was not sampled for tracing.
x-frame-options
sameorigin
X-Frame-Options controls whether this URL may be embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in an iframe, but only on the current origin. It can't be displayed on another domain. Consider setting this to deny for added security. Note that the Content-Security-Policy frame-ancestors directive supersedes X-Frame-Options, and that the frame-ancestors 'self' seen above lives only in the report-only policy: X-Frame-Options is the sole enforced framing control on this response.
x-recruiting
is code your craft? https://careers.etsy.com
x-xss-protection
1; mode=block; report=/beacon/csp.php
1; mode=block enables the browser's cross-site scripting (XSS) filter. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
report additionally sends a report of the detected attack to the specified reporting URL.
Notice It is recommended to use Content-Security-Policy instead of X-XSS-Protection. Firefox never implemented X-XSS-Protection, and Chromium-based browsers removed their XSS auditor in 2019. Content-Security-Policy is more advanced, a W3C recommendation, and supported by all modern browsers.
content-length
Notice Add a Content-Length header. Without it some servers will respond with 400 (bad request) or terminate connections early. This does not apply to a response sent with Transfer-Encoding: chunked, as here: a message must carry either Content-Length or Transfer-Encoding, never both, because the two give conflicting instructions about where the body ends.
content-security-policy
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross-site scripting (XSS) and data injection attacks.
referrer-policy
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
permissions-policy
missing Add a Permissions-Policy header. Restrict access to features like your camera, microphone, location, accelerometer and much more.
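The remaining findings on this report (the three missing headers, the HSTS directives, the report-only frame-ancestors next to X-Frame-Options, the obsolete X-XSS-Protection, and the Content-Length versus Transfer-Encoding rule) can be checked the same way. The Python below is an added example written for this page, not the analyzer's own code. It runs those checks over the headers listed above, constructed here as a dict, and also over a hardened set to show a clean result. The one-year preload threshold is the hstspreload.org submission requirement; all function names are this example's own.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Headers the report above lists as missing.
REQUIRED = ("content-security-policy", "referrer-policy", "permissions-policy")
# hstspreload.org only accepts domains with max-age >= 1 year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31_536_000


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=300; includeSubDomains; preload' -> {'max-age': '300', 'includesubdomains': '', 'preload': ''}"""
    out: Dict[str, str] = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """CSP directives are 'name value value; ...', not name=value."""
    out: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Apply the header-level checks to one response's header dict."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    for name in REQUIRED:
        if name not in h:
            findings.append(("missing", f"{name} is not set"))

    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        raw = hsts.get("max-age", "")
        max_age = int(raw) if raw.isdigit() else 0
        if max_age == 0:
            findings.append(("warning", "HSTS max-age=0 withdraws the policy instead of enforcing it"))
        if "preload" in hsts and (max_age < PRELOAD_MIN_MAX_AGE or "includesubdomains" not in hsts):
            findings.append(("notice", "preload needs max-age >= 31536000 and includeSubDomains to be accepted"))
    else:
        findings.append(("missing", "strict-transport-security is not set"))

    # Framing: only an enforced frame-ancestors or X-Frame-Options actually blocks clickjacking.
    enforced = parse_csp(h.get("content-security-policy", ""))
    report_only = parse_csp(h.get("content-security-policy-report-only", ""))
    if "frame-ancestors" not in enforced:
        if "frame-ancestors" in report_only:
            findings.append(("notice", "frame-ancestors is only in the report-only policy, so it is not enforced"))
        if "x-frame-options" not in h:
            findings.append(("missing", "no enforced framing control: set X-Frame-Options or CSP frame-ancestors"))

    if "x-xss-protection" in h:
        findings.append(("notice", "x-xss-protection is obsolete; Firefox never shipped it and Chromium removed it"))

    if "transfer-encoding" in h and "content-length" in h:
        findings.append(("warning", "Content-Length and Transfer-Encoding must not be sent together"))

    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: the response headers reported above, as a dict.
OBSERVED = {
    "cache-control": "private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "content-security-policy-report-only": "frame-ancestors 'self'; report-uri /beacon/csp.php",
    "content-type": "text/html; charset=utf-8",
    "expires": "thu, 19 nov 1981 08:52:00 gmt",
    "server": "apache",
    "strict-transport-security": "max-age=631138520; includesubdomains; preload",
    "transfer-encoding": "chunked",
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block; report=/beacon/csp.php",
}

# Constructed sample: a hardened header set that passes every check.
HARDENED = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for severity, message in check_headers(OBSERVED):
        print(f"{severity:8} {message}")
    print("hardened set findings:", check_headers(HARDENED))
```

On the observed headers this reports three missing headers and two notices (the unenforced frame-ancestors and the obsolete X-XSS-Protection); the hardened set yields no findings. The check is deliberately conservative: a frame-ancestors directive in a report-only policy is treated as absent, because a report-only policy never blocks anything.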

Questions or feedback? Email dries@buytaert.net.