{
    "url": "https://besrseoskills.odoo.com/blog/our-blog-1/best-8171-51",
    "score": 5,
    "summary": {
        "missing": 7,
        "warnings": 2,
        "notices": 2
    },
    "caches": [
        "Website",
        "Nginx",
        "Browser"
    ],
    "headers": {
        "server": {
            "value": "nginx",
            "findings": [
                {
                    "severity": "info",
                    "message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
                },
                {
                    "severity": "notice",
                    "message": "Consider removing or minimizing the <code>Server</code> header. Even without a version number, it reveals the server software, which aids reconnaissance."
                }
            ]
        },
        "date": {
            "value": "sat, 27 jun 2026 00:08:39 gmt",
            "findings": [
                {
                    "severity": "info",
                    "message": "The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against <code>Max-Age</code> or <code>Expires</code>."
                }
            ]
        },
        "content-type": {
            "value": "text/html; charset=utf-8",
            "findings": [
                {
                    "severity": "info",
                    "message": "The type of the message body, specified as a <a href=\"https://en.wikipedia.org/wiki/Media_type\">MIME type</a>."
                }
            ]
        },
        "set-cookie": {
            "value": "frontend_lang=en_us; expires=sun, 27 jun 2027 00:08:39 gmt; path=/, session_id=obuyhm63zang6deh07fjbegkayvkx7cm1fbp25hpu0d3uiaati-9fdoilh0bwq_dluw8kyg2xzihh4tteupo; expires=sun, 27 jun 2027 00:08:39 gmt; max-age=604800; httponly; path=/; secure; samesite=lax",
            "findings": [
                {
                    "severity": "info",
                    "message": "A cookie that was sent from the server to the browser."
                },
                {
                    "severity": "info",
                    "message": "<code>expires=</code> sets the maximum lifetime of the cookie using a specific date."
                },
                {
                    "severity": "info",
                    "message": "<code>max-age=</code> sets the maximum lifetime of the cookie in seconds."
                },
                {
                    "severity": "info",
                    "message": "<code>path=</code> indicates the path that must exist in the requested URL for the browser to send the cookie."
                },
                {
                    "severity": "notice",
                    "message": "<code>samesite=lax</code> instructs the browser <em>not</em> to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to <code>samesite=strict</code>."
                },
                {
                    "severity": "info",
                    "message": "<code>secure</code> instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks."
                },
                {
                    "severity": "info",
                    "message": "<code>httponly</code> forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie."
                }
            ]
        },
        "x-content-type-options": {
            "value": "nosniff, nosniff",
            "findings": [
                {
                    "severity": "info",
                    "message": "The <code>X-Content-Type-Options</code> header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities."
                },
                {
                    "severity": "warning",
                    "message": "The only valid value for this header is <code>nosniff</code>. Any other value will be ignored by browsers."
                }
            ]
        },
        "referrer-policy": {
            "value": "strict-origin-when-cross-origin",
            "findings": [
                {
                    "severity": "info",
                    "message": "When a visitor navigates from one page to another page, browsers often pass along <em>referrer information</em>. The <code>Referrer-Policy</code> header controls how much referrer information a browser can share. This is important because private information can be embedded in the <i>path</i> or <i>query string</i>."
                },
                {
                    "severity": "info",
                    "message": "<code>strict-origin-when-cross-origin</code> means that the full URL (<i>protocol</i>, <i>host</i>, <i>port</i>, <i>path</i> and <i>query string</i>) is shared for same-origin requests. For cross-origin requests, only the origin (<i>protocol</i>, <i>host</i>, and <i>port</i>) is shared, and only when the protocol security level stays the same or improves (HTTP → HTTP, HTTPS → HTTPS). For cross-origin requests where the protocol downgrades (HTTPS → HTTP), nothing is shared."
                }
            ]
        },
        "strict-transport-security": {
            "value": "max-age=31536000; includesubdomains",
            "findings": [
                {
                    "severity": "info",
                    "message": "The <code>Strict-Transport-Security</code> header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking."
                },
                {
                    "severity": "info",
                    "message": "<code>max-age</code> specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain."
                },
                {
                    "severity": "info",
                    "message": "<code>includesubdomains</code> instructs the browser that all subdomains are HTTPS-only as well."
                }
            ]
        },
        "content-encoding": {
            "value": "gzip",
            "findings": [
                {
                    "severity": "info",
                    "message": "Specifies how the resource is <em>compressed</em>. Not to be confused with <code>Transfer-Encoding</code> which specifies how the data is transferred."
                },
                {
                    "severity": "info",
                    "message": "<code>gzip</code> means that the data is compressed with <code>gzip</code>."
                },
                {
                    "severity": "warning",
                    "message": "Add a <code>Content-Length</code> header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a <code>Content-Length</code> header some servers will respond with 400 (bad request) or terminate connections early."
                }
            ]
        }
    },
    "missing": {
        "content-security-policy": {
            "message": "Add a <code>Content-Security-Policy</code> header. The <code>Content-Security-Policy</code> header helps browsers prevent cross site scripting (XSS) and data injection attacks."
        },
        "permissions-policy": {
            "message": "Add a <code>Permissions-Policy</code> header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
        },
        "cross-origin-embedder-policy": {
            "message": "Add a <code>Cross-Origin-Embedder-Policy</code> header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with <code>Cross-Origin-Opener-Policy</code>, it enables cross-origin isolation and access to <code>SharedArrayBuffer</code>."
        },
        "cross-origin-opener-policy": {
            "message": "Add a <code>Cross-Origin-Opener-Policy</code> header. It prevents other sites from retaining a <code>window</code> reference to this page when opened via <code>window.open()</code> or navigation, blocking script-based attacks through shared browsing contexts."
        },
        "cross-origin-resource-policy": {
            "message": "Add a <code>Cross-Origin-Resource-Policy</code> header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
        },
        "x-frame-options": {
            "message": "Add a <code>X-Frame-Options</code> header. The <code>X-Frame-Options</code> header prevents this URL from being embedded in an <code>iframe</code>. This protects against clickjacking attacks. Alternatively, set a <code>Content-Security-Policy</code> header with a <code>frame-ancestors</code> directive."
        },
        "x-permitted-cross-domain-policies": {
            "message": "Add a <code>X-Permitted-Cross-Domain-Policies</code> header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
        }
    }
}