Dries Buytaert

HTTP Headers Analyzer

5 / 10
Website → Browser
3 missing headers, 1 warning, 2 notices
Header | Value | Explanation
accept-ch
sec-ch-ua-arch,sec-ch-ua-bitness,sec-ch-ua-full-version-list,sec-ch-ua-model,sec-ch-ua-platform-version
Tells the browser which client hints the server wants on subsequent requests. These are the high-entropy user-agent hints (CPU architecture, bitness, full version list, device model, platform version), which browsers send only to servers that opt in this way because they expose more fingerprintable detail than the User-Agent string.
accept-ranges
bytes
Used by the server to advertise its support of range requests (partial content). Among other things, this lets a browser resume an interrupted download instead of starting over.
age
73282
The cache's estimate, in seconds, of how long ago the response was generated by the origin, which is roughly how long it has been sitting in the shared proxy cache. A cache compares Age with the freshness lifetime set by max-age or s-maxage in the Cache-Control header to decide whether its copy is still fresh.
cache-control
s-maxage=86400, must-revalidate, max-age=3600
max-age specifies, in seconds, how long a response is considered fresh. The higher max-age, the longer a page can be served from cache without revalidation.
s-maxage overrides max-age, but only for shared caches (e.g. a CDN or Varnish) and not for browser caches.
must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.
Notice Age (73282) is larger than max-age (3600) but smaller than s-maxage (86400): the shared cache is correctly using s-maxage and ignoring max-age, while a browser holding the same copy would treat it as stale after an hour and revalidate. This can be confusing when max-age is the only value configured in your content management system.
content-length
75189
The size of the message body, in bytes.
content-type
text/html
The type of the message body, specified as a MIME type. No charset parameter is shown here; serving text/html with an explicit charset (e.g. charset=utf-8) avoids browser encoding sniffing.
etag
w/"125b5-5e993e48aee81"
A validator that changes every time the page at a given URL changes; it acts as a fingerprint. A cache can compare ETag values to see whether its copy has become stale. For example, a browser sends the ETag of its cached page in an If-None-Match request header; the web server compares it with the ETag of the current version of the page, and if they match it responds with 304 Not Modified and no body. This particular ETag starts with W/ (shown lowercased here), which marks it as a weak validator: two versions of the page that are not byte-for-byte identical but semantically equivalent (for example, the same content with a different compression) may carry the same weak tag. Weak tags are fine for If-None-Match revalidation but cannot be used to validate byte-range requests; they are used because strong tags can be costly to generate.
last-modified
mon, 26 sep 2022 12:44:47 gmt
The date and time at which the origin server believes the page was last modified.
Notice Because there is an ETag header, Last-Modified will rarely matter for revalidation: when a request carries If-None-Match, the server must evaluate it and ignore any If-Modified-Since (RFC 9110 §13.1.3), and the ETag is a more precise validator than a date with one-second resolution. The Last-Modified header is small, so removing it saves little; keeping it is harmless and it remains the fallback validator for clients that do not send If-None-Match.
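The revalidation exchange described under ETag and Last-Modified, as an added example that is not the analyzer's or the site's code. It implements the server side of a conditional GET per RFC 9110 section 13: If-None-Match is checked first with the weak comparison (so a W/ prefix does not prevent a match), and If-Modified-Since is consulted only when If-None-Match is absent. The ETag and date are the report's values; the request headers are constructed. Splitting If-None-Match on commas is a simplification that assumes no commas inside the opaque tag.

```python
# Added example (not part of the HTTP Headers Analyzer page): server-side evaluation
# of a conditional GET using ETag / If-None-Match and Last-Modified / If-Modified-Since.
from email.utils import parsedate_to_datetime


def parse_etag(tag):
    """Return (is_weak, opaque_tag) for an entity tag such as W/"abc" or "abc".
    The wire form of the weak prefix is W/; lowercase w/ is accepted because this
    report shows header values lowercased."""
    tag = tag.strip()
    weak = tag[:2].upper() == "W/"
    if weak:
        tag = tag[2:]
    return weak, tag.strip('"')


def weak_match(a, b):
    """Weak comparison (RFC 9110 8.8.3.2): opaque parts equal, W/ prefixes ignored."""
    return parse_etag(a)[1] == parse_etag(b)[1]


def strong_match(a, b):
    """Strong comparison: both tags strong and opaque parts equal."""
    weak_a, opaque_a = parse_etag(a)
    weak_b, opaque_b = parse_etag(b)
    return not weak_a and not weak_b and opaque_a == opaque_b


def conditional_get_status(request_headers, current_etag, last_modified):
    """Return 304 if the client's cached copy is still current, otherwise 200.
    request_headers: dict with lowercase header names."""
    inm = request_headers.get("if-none-match")
    if inm is not None:
        if inm.strip() == "*":
            return 304
        for candidate in inm.split(","):
            if weak_match(candidate, current_etag):
                return 304
        return 200  # If-None-Match present and no match: If-Modified-Since is ignored
    ims = request_headers.get("if-modified-since")
    if ims is not None:
        try:
            # Not modified if the representation's date is at or before the client's date
            if parsedate_to_datetime(last_modified) <= parsedate_to_datetime(ims):
                return 304
        except (TypeError, ValueError):
            pass  # malformed date: treat the request as unconditional
    return 200


# Values from the report above (the analyzer shows them lowercased)
CURRENT_ETAG = 'W/"125b5-5e993e48aee81"'
LAST_MODIFIED = "Mon, 26 Sep 2022 12:44:47 GMT"

if __name__ == "__main__":
    # Constructed request headers for the example
    print(conditional_get_status({"if-none-match": CURRENT_ETAG}, CURRENT_ETAG, LAST_MODIFIED))
    print(conditional_get_status({"if-none-match": '"stale"', "if-modified-since": LAST_MODIFIED},
                                 CURRENT_ETAG, LAST_MODIFIED))
```

The second call is the case the notice is about: the client's ETag does not match, so the server answers 200 even though the date alone would have allowed a 304.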
nel
{ "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0}
The Network Error Logging (NEL) header configures network error reporting: it lets a site receive reports from supporting browsers about failed fetches, plus an optional sample of successful ones. Here a 5% sample of failures (failure_fraction 0.05) and no successes (success_fraction 0.0) are reported for one day (max_age 86400) to the endpoint group wm_nel defined in the Report-To header.
permissions-policy
interest-cohort=(),ch-ua-arch=(self "intake-analytics.wikimedia.org"),ch-ua-bitness=(self "intake-analytics.wikimedia.org"),ch-ua-full-version-list=(self "intake-analytics.wikimedia.org"),ch-ua-model=(self "intake-analytics.wikimedia.org"),ch-ua-platform-version=(self "intake-analytics.wikimedia.org")
Instructs a browser to selectively allow or deny browser features and APIs, per origin. Here interest-cohort=() opts the page out of FLoC, and the ch-ua-* entries allow the high-entropy client hints requested via Accept-CH to be sent only to this origin and to intake-analytics.wikimedia.org, rather than to every third-party resource the page embeds. Restricting features this way reduces what an injected or third-party script can reach.
report-to
{ "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
Defines the endpoint group wm_nel that the NEL header's report_to field refers to. Reports are sent as POST requests to the listed intake URL, and the browser caches this group definition for max_age seconds (one day).
server
ats/9.1.3
The software used to serve this page, including its exact version.
Warning Sharing details about server software makes it easier for attackers to target a website: a version string such as 9.1.3 can be matched directly against known vulnerabilities, which matters most when that release is end-of-life or has published security bugs. Consider removing this header. At a minimum, remove the version number.
server-timing
cache;desc="hit-front", host;desc="cp1087"
Communicates one or more metrics for a given request-response cycle. Can include metrics for CPU time, database reads/writes, file system access, etc. Note that here it also discloses the cache result and the name of the internal cache host (cp1087), which is the same kind of infrastructure detail the Server warning below is about.
strict-transport-security
max-age=106384710; includesubdomains; preload
The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only (here about 3.4 years).
includeSubDomains instructs the browser that all subdomains are HTTPS-only as well.
preload signals that the site owner consents to inclusion in browsers' HSTS preload lists; inclusion itself requires submitting the domain at hstspreload.org, which also requires a max-age of at least one year and includeSubDomains. Once preloaded, the domain is hardcoded into browsers as HTTPS-only, so even the very first request is protected.
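An added example, not the analyzer's code, that parses a Strict-Transport-Security header and checks it against the parts of the hstspreload.org requirements that are visible in the header itself: max-age of at least one year, includeSubDomains, and preload. The requirements that need live requests (HTTP to HTTPS redirect, the header being served on the base domain) are out of scope here. The header value is the report's; the finding messages are this example's own.

```python
# Added example (not part of the HTTP Headers Analyzer page): HSTS header parsing and an
# offline check of the preload-list requirements that the header alone can satisfy.
ONE_YEAR = 31536000  # seconds; the minimum max-age for hstspreload.org submission


def parse_hsts(value):
    """Return {directive: argument-or-None}; directive names are case-insensitive (RFC 6797)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    parsed = {}
    for p in parts:
        name, _, arg = p.partition("=")
        parsed[name.strip().lower()] = arg.strip().strip('"') or None
    return parsed


def hsts_findings(value):
    """Return a list of problems with the header; an empty list means it passes."""
    d = parse_hsts(value)
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a non-negative integer")
        return findings  # nothing else is meaningful without a valid max-age
    max_age = int(max_age)
    if max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below the one-year minimum for preloading")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preloading)")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


# Value from the report above
REPORT_HSTS = "max-age=106384710; includesubdomains; preload"

if __name__ == "__main__":
    print(hsts_findings(REPORT_HSTS) or "ok")
    print(hsts_findings("max-age=3600"))  # constructed weak value for comparison
```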
vary
accept-encoding
Lists the request headers a cache must take into account when deciding whether a stored response can be reused instead of contacting the origin: the values of those headers in the new request must match the values in the request that produced the cached response. Here, compressed and uncompressed copies of the page are cached separately, keyed on Accept-Encoding.
x-cache
cp1079 hit, cp1087 hit/1301898
The page was served from a cache: both cache hosts in the path (cp1079 and cp1087) report a hit.
x-cache-status
hit-front
x-client-ip
3.88.176.43
Non-standard header that echoes the client IP address the server saw; here that is the analyzer's own address, not a visitor's.
content-security-policy
missing Add a Content-Security-Policy header. It tells the browser which origins may supply scripts, styles, frames and other resources, which limits what an injected script can do and so mitigates cross-site scripting (XSS) and data injection attacks.
referrer-policy
missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
x-frame-options
missing Add an X-Frame-Options header. With DENY or SAMEORIGIN it prevents this URL from being embedded in an iframe on other sites, which protects against clickjacking. Alternatively, and preferably, set a Content-Security-Policy header with a frame-ancestors directive, which supersedes X-Frame-Options in browsers that support it.
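The three missing-header findings above, together with the Server warning, as a small audit over a response header map. This is an added example, not the analyzer's own code: it accepts a CSP frame-ancestors directive as the alternative to X-Frame-Options, flags a CSP that restricts neither default-src nor script-src, and flags a Server value carrying a version number. The REPORT_HEADERS map is constructed from the values in this report; HARDENED_HEADERS is a constructed variant showing what clears the findings.

```python
# Added example (not part of the HTTP Headers Analyzer page): audit a response's headers
# for the findings this report raises, with CSP frame-ancestors accepted in place of XFO.
import re


def parse_csp(value):
    """Map CSP directive names (lowercased) to their source-list tokens."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """headers: dict of header name -> value (any case). Returns a list of (severity, message)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append(("missing", "Content-Security-Policy"))
    elif "default-src" not in csp and "script-src" not in csp:
        findings.append(("warning", "Content-Security-Policy has neither default-src nor script-src, so it does not restrict scripts"))

    if "referrer-policy" not in h:
        findings.append(("missing", "Referrer-Policy"))

    xfo = h.get("x-frame-options", "").strip().upper()
    framing_restricted = xfo in ("DENY", "SAMEORIGIN") or (csp is not None and "frame-ancestors" in csp)
    if not framing_restricted:
        findings.append(("missing", "X-Frame-Options (or CSP frame-ancestors)"))

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("warning", f"Server header discloses a version: {server}"))
    return findings


# Constructed from the values shown in this report
REPORT_HEADERS = {
    "server": "ats/9.1.3",
    "strict-transport-security": "max-age=106384710; includesubdomains; preload",
    "permissions-policy": "interest-cohort=()",
}

# Constructed hardened variant: version stripped, CSP with frame-ancestors, Referrer-Policy set
HARDENED_HEADERS = dict(REPORT_HEADERS, **{
    "server": "ats",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "referrer-policy": "strict-origin-when-cross-origin",
})

if __name__ == "__main__":
    for severity, message in audit_headers(REPORT_HEADERS):
        print(severity, message)
    print("hardened:", audit_headers(HARDENED_HEADERS) or "no findings")
```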

Questions or feedback? Email dries@buytaert.net.