Dries Buytaert

HTTP Headers Analyzer

3 / 10
Website → Google Cloud → Fastly → Browser
3 missing headers, 2 warnings, 7 notices
This site is paying for a CDN but not caching anything for anonymous visitors. It's like lighting money on fire! 💵 🔥
Header
Value
Explanation
accept-ranges
bytes
Used by the server to advertise its support of partial HTTP requests. It's a feature that allows a browser to resume an interrupted download, for example.
age
0
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.
cache-control
private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
private means the page can only be stored by the browser, but not by CDNs, Varnish or any other shared caches.
no-cache means the response can be stored by any cache, but that the stored page must be validated with the origin before it can be served. If the origin confirms that the page has not changed, downloading of the body can be skipped.
Warning no-cache will cause a roundtrip to the origin web server for every request. Consider public together with a max-age (or s-maxage) so that shared caches can serve the page without revalidating it each time.
Warning no-store means the response may not be stored in any cache, including the browser's cache.
must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.
Notice It does not make sense to set must-revalidate with no-store; when nothing is cached, there is nothing to revalidate.
Notice It does not make sense to set must-revalidate with no-cache; must-revalidate is implied.
Notice no-store is set, so it does not make sense to set no-cache as well.
Notice no-store is set, so it does not make sense to set private as well.
Notice pre-check is a legacy directive introduced by Internet Explorer 5 and is no longer supported. No other browser supports it. Including pre-check is unnecessary and wastes bandwidth and processing power.
Notice post-check is a legacy directive introduced by Internet Explorer 5 and is no longer supported. No other browser supports it. Including post-check is unnecessary and wastes bandwidth and processing power.
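The directive checks above can be automated. The following Cache-Control linter is an added example written for this page, not code from the analyzer itself; the function names and message wording are mine, and the directive semantics follow RFC 7234. It reproduces the no-store contradictions and legacy-directive notices flagged above and also catches a few related mistakes (private together with public, a non-numeric max-age, no freshness directive at all).

```python
# Added example (not the analyzer's own code): lint a Cache-Control response header.
from __future__ import annotations

# Directives that only Internet Explorer 5 ever understood; every browser ignores them today.
LEGACY = {"pre-check", "post-check"}


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split 'a, b=1, c' into {'a': None, 'b': '1', 'c': None}; names are case-insensitive."""
    directives: dict[str, str | None] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def lint_cache_control(value: str) -> list[str]:
    """Return warning/notice strings for contradictory or useless directives."""
    d = parse_cache_control(value)
    findings: list[str] = []

    if "no-store" in d:
        findings.append("warning: no-store forbids storage in every cache, including the browser")
        # Anything that describes how or how long to cache is meaningless when nothing is stored.
        for redundant in ("no-cache", "private", "public", "must-revalidate", "max-age", "s-maxage"):
            if redundant in d:
                findings.append(f"notice: {redundant} is meaningless alongside no-store")
    elif "no-cache" in d:
        findings.append("warning: no-cache forces a revalidation round trip to the origin on every request")
        if "must-revalidate" in d:
            findings.append("notice: must-revalidate is implied by no-cache")

    if "private" in d and "public" in d:
        findings.append("warning: private and public contradict each other")

    for legacy in sorted(LEGACY & d.keys()):
        findings.append(f"notice: {legacy} is an IE5 legacy directive and is ignored by all browsers")

    for name in ("max-age", "s-maxage"):
        if name in d and not (d[name] or "").isdigit():
            findings.append(f"warning: {name} needs a non-negative integer argument")

    if not d.keys() & {"no-store", "no-cache", "max-age", "s-maxage"}:
        findings.append("notice: no freshness directive; caches fall back to Expires or heuristics")

    return findings


if __name__ == "__main__":
    # The exact value shown on this page.
    for line in lint_cache_control("private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"):
        print(line)
```

Run against the value on this page it emits the no-store warning, four "meaningless alongside no-store" notices (no-cache, private, must-revalidate and nothing else here) and the two legacy-directive notices; a sane value such as `public, max-age=300, s-maxage=3600` produces no findings.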
content-security-policy-report-only
frame-ancestors 'self'; report-uri /beacon/csp.php
Allows web developers to debug content security policies. Violations are reported to the specified report-uri, but not enforced.
content-type
text/html; charset=utf-8
expires
thu, 19 nov 1981 08:52:00 gmt
This Expires date is in the past: the response is stale the moment it is received, so any cache holding it must revalidate it with the origin before reuse (here no-store already prevents it from being stored at all).
Notice The Cache-Control header, introduced in HTTP/1.1, supersedes the Expires header. Use a Cache-Control header with a max-age directive instead of Expires. Cache-Control is not only more powerful but also more efficient, in that it avoids roundtrips to the origin server.
PS: November 19th is my birthday! 🎂
server
apache
Some of the software used to generate or serve this page.
strict-transport-security
max-age=631138520; includesubdomains; preload
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
preload signals that the site owner consents to having the domain added to browsers' built-in HSTS preload lists (submitted via hstspreload.org, which also requires includeSubDomains and a max-age of at least one year, 31536000 seconds). Once accepted, browsers treat the domain as HTTPS-only even before their first visit, and removal takes months to propagate, so only send it when every subdomain is ready for HTTPS.
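As an added example (my own code, not the analyzer's), the check below parses a Strict-Transport-Security value and reports the same things a reviewer would look for before submitting a domain for preloading: a missing or zero max-age, a max-age shorter than the one year hstspreload.org requires, a missing includeSubDomains, and a preload directive whose prerequisites are not met. Function names and messages are mine.

```python
# Added example (not the analyzer's own code): lint a Strict-Transport-Security header.
from __future__ import annotations

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_hsts(value: str) -> dict:
    """Directive names are case-insensitive; only max-age carries an argument."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            result["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_findings(value: str) -> list[str]:
    h = parse_hsts(value)
    findings: list[str] = []
    if h["max_age"] is None:
        findings.append("error: max-age is required; browsers ignore the header without it")
    elif h["max_age"] == 0:
        findings.append("warning: max-age=0 tells browsers to forget the HTTPS-only policy")
    elif h["max_age"] < ONE_YEAR:
        findings.append("notice: max-age is below one year, too short for preloading")
    if not h["include_subdomains"]:
        findings.append("notice: without includeSubDomains, plain-HTTP subdomains remain reachable")
    # preload is only honoured by the list maintainers when the other two conditions hold.
    if h["preload"] and (not h["include_subdomains"] or (h["max_age"] or 0) < ONE_YEAR):
        findings.append("warning: preload is set but its prerequisites are not met")
    return findings


if __name__ == "__main__":
    # The exact value shown on this page (20 years, subdomains, preload): no findings.
    print(hsts_findings("max-age=631138520; includesubdomains; preload"))
```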
transfer-encoding
chunked
Specifies how the resource is transferred. Not to be confused with Content-Encoding, which specifies how the response body is compressed. chunked means that the data is sent in chunks. Chunks are sent out and received independently of one another. The server can stream the document and does not have to wait for the full document to be generated. Similarly, the browser can start processing chunks as they come in rather than having to wait for the entire document to be downloaded.
vary
accept-encoding
A list of request headers that a cache must take into account when deciding whether a stored response can be reused rather than forwarding a new request to the origin server. For every header named by Vary, the value in the new request must match the value in the request that produced the cached response; here a response stored for a gzip-capable client cannot be served to one that asked for a different encoding.
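As an added example, not code from the analyzer, the function below applies the Vary rule above: it reuses a stored response only when every header listed in Vary matches between the request that filled the cache and the new request. Header names are compared case-insensitively, whitespace inside values is normalised, a header absent from both requests counts as a match, and `Vary: *` never allows reuse. The names are mine and the sample requests are constructed.

```python
# Added example (not the analyzer's own code): can a cached response satisfy a new request under Vary?
from __future__ import annotations


def _normalise(headers: dict[str, str]) -> dict[str, str]:
    """Lower-case the header names and collapse runs of whitespace in the values."""
    return {name.lower(): " ".join(value.split()) for name, value in headers.items()}


def vary_allows_reuse(vary: str, stored_request: dict[str, str], new_request: dict[str, str]) -> bool:
    fields = [f.strip().lower() for f in vary.split(",") if f.strip()]
    if "*" in fields:
        return False  # Vary: * means no request can be matched against the stored one
    stored, new = _normalise(stored_request), _normalise(new_request)
    # dict.get returns None for a missing header, so "absent in both" compares equal.
    return all(stored.get(f) == new.get(f) for f in fields)


if __name__ == "__main__":
    # Constructed requests: the cache was filled by a gzip-capable client.
    stored = {"Accept-Encoding": "gzip", "User-Agent": "client/1"}
    print(vary_allows_reuse("accept-encoding", stored, {"accept-encoding": "gzip"}))  # True
    print(vary_allows_reuse("accept-encoding", stored, {"Accept-Encoding": "br"}))    # False
```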
via
1.1 google 1.1 varnish
The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.
x-cache
miss
The page was not served from the CDN's cache: Fastly's Varnish layer forwarded the request to the origin (consistent with age 0 and the no-store Cache-Control above).
x-cache-hits
0
The number of times this page has been served from the Varnish cache. Higher numbers are better.
x-cloud-trace-context
4929acc98041d63a4ce839ea82f6092f/6414629746884213321;o=0
A unique request identifier generated by Google Cloud. Google Cloud's customer support can use this ID to trace a request through its network.
x-fastly-backend-reqs
35
x-frame-options
sameorigin
X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin means that this page can be displayed in an iframe, but only on the current origin. It can't be displayed on another domain. Consider setting this to deny for added security. Note that the content-security-policy-report-only header above carries the equivalent frame-ancestors 'self' directive, but in report-only mode it is not enforced, so X-Frame-Options is what actually stops framing here.
x-recruiting
is code your craft? https://www.etsy.com/careers
x-served-by
cache-bwi5074-bwi
Fastly's shield and edge servers that were queried for the request.
x-timer
s1597460696.886072,vs0,ve292
This header provides timing information about the journey of a request through Fastly's network. Format: s<timestamp>,vs<milliseconds>,ve<milliseconds>, where s is the start time of the request (Unix seconds with a fractional part), vs stands for Varnish start and ve stands for Varnish end, both in milliseconds relative to s. The time spent in Fastly is ve - vs milliseconds: 292 ms for this request.
x-xss-protection
1; mode=block; report=/beacon/csp.php
1; mode=block enables the browser's cross-site scripting (XSS) filtering. Browsers that support X-Xss-Protection will stop rendering the page when an attack is detected.
report instructs browsers that support the filter to send a report to the specified reporting URL when an attack is detected; it does not change the blocking behaviour set by mode=block.
Notice It is recommended to use Content-Security-Policy instead of X-XSS-Protection. Firefox never supported X-XSS-Protection, and Chromium-based browsers have since removed their XSS filter altogether, so the header is effectively inert today. Content-Security-Policy is more advanced, a W3C recommendation, and supported by all modern browsers.
content-security-policy
missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks. Only a Content-Security-Policy-Report-Only header is sent here (see above), which reports violations but enforces nothing.
referrer-policy
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.

Questions or feedback? Email dries@buytaert.net.