{
"url": "https://ahmedblaoch143.systeme.io/bisp-8171",
"score": 5,
"summary": {
"missing": 9,
"warnings": 1,
"notices": 3
},
"caches": [
"Website",
"Nginx",
"Amazon CloudFront",
"Browser"
],
"headers": {
"content-type": {
"value": "text/html; charset=utf-8",
"findings": [
{
"severity": "info",
"message": "The type of the message body, specified as a MIME type."
}
]
},
"date": {
"value": "sun, 03 may 2026 08:25:24 gmt",
"findings": [
{
"severity": "info",
"message": "The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires."
}
]
},
"x-content-type-options": {
"value": "nosniff",
"findings": [
{
"severity": "info",
"message": "The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities."
},
{
"severity": "info",
"message": "The value nosniff is correctly set."
}
]
},
"content-encoding": {
"value": "gzip",
"findings": [
{
"severity": "info",
"message": "Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred."
},
{
"severity": "info",
"message": "gzip means that the data is compressed with gzip."
},
{
"severity": "warning",
"message": "Add a Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early."
}
]
},
"server": {
"value": "nginx",
"findings": [
{
"severity": "info",
"message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
},
{
"severity": "notice",
"message": "Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance."
}
]
},
"cache-control": {
"value": "max-age=5, must-revalidate, public",
"findings": [
{
"severity": "info",
"message": "public means the response may be stored by all caches, including browser caches, CDNs, and shared caches."
},
{
"severity": "info",
"message": "max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached."
},
{
"severity": "notice",
"message": "A max-age of 5 seconds is short, especially if your content doesn't change frequently. Consider increasing max-age unless the URL has live updates."
},
{
"severity": "info",
"message": "must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first."
}
]
},
"x-xss-protection": {
"value": "1; mode=block",
"findings": [
{
"severity": "info",
"message": "A legacy header that enables the browser's built-in cross-site scripting (XSS) filter. Modern browsers ignore it in favor of Content-Security-Policy."
},
{
"severity": "info",
"message": "1 enables XSS filtering."
},
{
"severity": "info",
"message": "mode=block blocks the response entirely if an attack is detected, instead of sanitizing the page."
},
{
"severity": "notice",
"message": "Add a Content-Security-Policy header for more comprehensive protection."
}
]
},
"vary": {
"value": "accept-encoding,origin",
"findings": [
{
"severity": "info",
"message": "The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type."
}
]
},
"via": {
"value": "1.1 4c6791f6512d8ae3b564d0ef4751f078.cloudfront.net (cloudfront)",
"findings": [
{
"severity": "info",
"message": "The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header."
}
]
},
"x-cache": {
"value": "miss from cloudfront",
"findings": [
{
"severity": "info",
"message": "The page was not served from Amazon CloudFront."
}
]
},
"x-amz-cf-pop": {
"value": "iad61-p10",
"findings": [
{
"severity": "info",
"message": "Amazon CloudFront's edge servers that were queried for the request. The first 3 letters are an IATA location code."
}
]
},
"x-amz-cf-id": {
"value": "5dqpnf97phqtok2jhkvaqgq0guy2y6kp2i32b-hhfm9d8xrvyq9qzq==",
"findings": [
{
"severity": "info",
"message": "A unique request identifier generated by Amazon CloudFront. This ID can be used to troubleshoot the request and trace it through Amazon's network."
}
]
}
},
"missing": {
"strict-transport-security": {
"message": "Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication."
},
"content-security-policy": {
"message": "Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks."
},
"referrer-policy": {
"message": "Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination."
},
"permissions-policy": {
"message": "Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
},
"cross-origin-embedder-policy": {
"message": "Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer."
},
"cross-origin-opener-policy": {
"message": "Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts."
},
"cross-origin-resource-policy": {
"message": "Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
},
"x-frame-options": {
"message": "Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive."
},
"x-permitted-cross-domain-policies": {
"message": "Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
}
}
}