{
"url": "https://balochhaarman.wixsite.com/my-site-1/post/8171-bisp",
"score": 4,
"summary": {
"missing": 8,
"warnings": 2,
"notices": 3
},
"caches": [
"Wix",
"Google Cloud",
"Browser"
],
"headers": {
"date": {
"value": "tue, 26 may 2026 07:13:19 gmt",
"findings": [
{
"severity": "info",
"message": "The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires."
}
]
},
"content-type": {
"value": "text/html; charset=utf-8",
"findings": [
{
"severity": "info",
"message": "The type of the message body, specified as a MIME type."
}
]
},
"link": {
"value": "; rel=preconnect; crossorigin;,; rel=preconnect;,; rel=preconnect; crossorigin;,; rel=preconnect;,; rel=preconnect; crossorigin;,",
"findings": [
{
"severity": "info",
"message": "rel=\"preconnect\" tells the browser to open a connection to the specified server ahead of time, including DNS lookup, TCP handshake, and TLS negotiation. This is useful when you know you will need resources from a host but don't yet know the exact URLs."
}
]
},
"x-wix-request-id": {
"value": "1779779597.3162986441331327",
"findings": [
{
"severity": "info",
"message": "A unique request identifier generated by Wix."
}
]
},
"etag": {
"value": "w/\"d273395904a19c427f77667f9aeb8aea\"",
"findings": [
{
"severity": "info",
"message": "A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare ETag values to see if the page has changed and has become stale. For example, a browser will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values are the same, the web server sends back a 304 Not Modified status and no body. This particular ETag value starts with W/ which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate."
}
]
},
"x-meta-site-id": {
"value": "6294aaea-70ef-4861-b0e9-3548a9524b18",
"findings": []
},
"content-language": {
"value": "en",
"findings": [
{
"severity": "info",
"message": "Specifies the page's intended audience. For example, en-US means that the document is intended for English language speakers in the United States. The language tags are defined in RFC 5646."
}
]
},
"strict-transport-security": {
"value": "max-age=31556952",
"findings": [
{
"severity": "info",
"message": "The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking."
},
{
"severity": "info",
"message": "max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain."
}
]
},
"age": {
"value": "0",
"findings": [
{
"severity": "info",
"message": "The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header."
}
]
},
"x-cache-status": {
"value": "miss",
"findings": [
{
"severity": "info",
"message": "Indicates how the caching system processed this request."
},
{
"severity": "info",
"message": "The response was not found in cache and was fetched from the origin server."
}
]
},
"x-seen-by": {
"value": "pmhzlb45npy7b1vbaukqrewfbs+7quvaqsix00yi78k=,ua1isbctq7qsxjmrcge1n/w3r/xpspqbpozyk31llylw+x3e6taxryqj11khyi54epzruii78vdyxnnkzueyuyhiydfycelfdfkrvutey3g+39vvmdvgyo7u27qjiduj,2d58ifebgbosy5xc+fralnrhcgr1mulvrx1cd+rthqv1c+ikciiu+lgefvtghiimqdb/muy8w4xvdzykl0m+vjzr0bgfxrm7cimfzjnxzts=,2unv7koq4ogja5+pksx47ftsalg8iyz7twb3e4ms5qwfvd1lr1l8/yroc88kq/ej,2unv7koq4ogja5+pksx47bf7kcd8qxjsmuhfvzfmjzqfvd1lr1l8/yroc88kq/ej,/b3vgdticcndwqoewfzmmuk4a/luln3w6zzc8l4qzh4=,4emzkgkkpfffqffwzrpy8brjjkaedojyjabz2fojawgj6r0azamucqm4c7kwbeyaxgfegud85inojislxblrkg==,/b3vgdticcndwqoewfzmmregmumkkg95phondlqm94a=,louk8/sagamoxzwtpubo2qu6w1cnocr8ylz3qorngjzao9n5s+anzokzentt00mlcgmau/9ivfjtxu5t9yx6lspd66c2q7itewaj69idm2g=,/b3vgdticcndwqoewfzmmpzrsfswjq0vjbonu6odktg=,rypgolshde7v/gtf4wbguv9zmshyivb/onqwi5aeupw22emu8ljbn5wvy1j152ksi+q9agqdlnkpuau5marmmkkpe40b9t1/jomibqjxh9w=",
"findings": [
{
"severity": "info",
"message": "An internal WordPress.com/Automattic header tracking which servers processed the request."
}
]
},
"vary": {
"value": "accept-encoding",
"findings": [
{
"severity": "info",
"message": "The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type."
}
]
},
"set-cookie": {
"value": "_wixab3=4996967#2; max-age=15724800; expires=tue, 24 nov 2026 07:13:18 gmt; path=/my-site-1/post/8171-bisp; domain=.wix.com, sec-fetch-unsupported=1; path=/; secure; samesite=lax, ssr-caching=cache#desc=miss#varnish=miss#dc#desc=virginia-phy_g; max-age=20; expires=tue, 26 may 2026 07:13:39 gmt, xsrf-token=1779779599|pos-fqqwetnf; path=/; domain=balochhaarman.wixsite.com; secure; samesite=none",
"findings": [
{
"severity": "info",
"message": "A cookie that was sent from the server to the browser."
},
{
"severity": "info",
"message": "expires= sets the maximum lifetime of the cookie using a specific date."
},
{
"severity": "info",
"message": "max-age= sets the maximum lifetime of the cookie in seconds."
},
{
"severity": "info",
"message": "domain= sets the domain to which the cookie will be sent."
},
{
"severity": "info",
"message": "path= indicates the path that must exist in the requested URL for the browser to send the cookie."
},
{
"severity": "notice",
"message": "samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict."
},
{
"severity": "warning",
"message": "samesite=none instructs the browser to send the cookie to all cross-site requests, such as on requests to load images or frames from other sites. This enables third-party sites to log cookie data. This could lead to data leaks and cross-site request forgery attacks. To improve security, set to samesite=strict or samesite=lax."
},
{
"severity": "info",
"message": "secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks."
},
{
"severity": "notice",
"message": "This cookie is missing the httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks."
}
]
},
"server-timing": {
"value": "cache;desc=miss, varnish;desc=miss, dc;desc=virginia-phy_g",
"findings": [
{
"severity": "info",
"message": "Exposes server-side performance metrics (e.g. database query time, cache lookups, total processing time) to the browser. These metrics appear in the browser's DevTools Network tab, making it easier to diagnose slow responses without needing server-side log access."
}
]
},
"cache-control": {
"value": "private,max-age=0,must-revalidate",
"findings": [
{
"severity": "info",
"message": "private means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches."
},
{
"severity": "info",
"message": "max-age=0 with must-revalidate means caching is disabled and all requests must be validated with the origin server."
}
]
},
"server": {
"value": "pepyaka",
"findings": [
{
"severity": "info",
"message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
},
{
"severity": "notice",
"message": "Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance."
}
]
},
"x-content-type-options": {
"value": "nosniff",
"findings": [
{
"severity": "info",
"message": "The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities."
},
{
"severity": "info",
"message": "The value nosniff is correctly set."
}
]
},
"content-encoding": {
"value": "br",
"findings": [
{
"severity": "info",
"message": "Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred."
},
{
"severity": "info",
"message": "br means that the data is compressed with brotli."
},
{
"severity": "warning",
"message": "Add a Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early."
}
]
},
"via": {
"value": "1.1 google",
"findings": [
{
"severity": "info",
"message": "The Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header."
}
]
},
"glb-x-seen-by": {
"value": "zj+a2e71qocweet+2koawksdxk9yj1hjlua0mxxzy6e=",
"findings": [
{
"severity": "info",
"message": "An internal WordPress.com/Automattic header tracking which global load balancers processed the request."
}
]
},
"alt-svc": {
"value": "h3=\":443\"; ma=2592000",
"findings": [
{
"severity": "info",
"message": "The alt-svc header tells the browser that the same content is available over a different protocol. This allows the browser to upgrade to a faster protocol (e.g. HTTP/3 over QUIC) on subsequent requests without a separate negotiation step."
},
{
"severity": "info",
"message": "h3 indicates that HTTP/3 is supported. HTTP/3 uses the QUIC protocol (UDP-based) instead of TCP, which eliminates the TCP handshake delay and performs better on lossy networks. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol."
},
{
"severity": "info",
"message": "ma=2592000 specifies that the alternative service information is fresh for 2592000 seconds."
}
]
}
},
"missing": {
"content-security-policy": {
"message": "Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks."
},
"referrer-policy": {
"message": "Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination."
},
"permissions-policy": {
"message": "Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
},
"cross-origin-embedder-policy": {
"message": "Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer."
},
"cross-origin-opener-policy": {
"message": "Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts."
},
"cross-origin-resource-policy": {
"message": "Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
},
"x-frame-options": {
"message": "Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive."
},
"x-permitted-cross-domain-policies": {
"message": "Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
}
}
}