{
    "url": "https://liff.line.me/2006764136-15GRqjpg",
    "score": 2,
    "summary": {
        "missing": 8,
        "warnings": 3,
        "notices": 7
    },
    "caches": [
        "Website",
        "Nginx",
        "Browser"
    ],
    "headers": {
        "server": {
            "value": "nginx",
            "findings": [
                {
                    "severity": "info",
                    "message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
                },
                {
                    "severity": "notice",
                    "message": "Consider removing or minimizing the <code>Server</code> header. Even without a version number, it reveals the server software, which aids reconnaissance."
                }
            ]
        },
        "date": {
            "value": "thu, 25 jun 2026 03:52:20 gmt",
            "findings": [
                {
                    "severity": "info",
                    "message": "The date and time at which the response was generated by the origin server. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against <code>Max-Age</code> or <code>Expires</code>."
                }
            ]
        },
        "content-type": {
            "value": "text/html;charset=utf-8",
            "findings": [
                {
                    "severity": "info",
                    "message": "The type of the message body, specified as a <a href=\"https://en.wikipedia.org/wiki/Media_type\">MIME type</a>."
                }
            ]
        },
        "content-length": {
            "value": "1735",
            "findings": [
                {
                    "severity": "info",
                    "message": "The size of the message body, in bytes."
                }
            ]
        },
        "vary": {
            "value": "origin, access-control-request-method, access-control-request-headers",
            "findings": [
                {
                    "severity": "info",
                    "message": "The <code>Vary</code> header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type."
                }
            ]
        },
        "x-content-type-options": {
            "value": "nosniff",
            "findings": [
                {
                    "severity": "info",
                    "message": "The <code>X-Content-Type-Options</code> header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities."
                },
                {
                    "severity": "info",
                    "message": "The value <code>nosniff</code> is correctly set."
                }
            ]
        },
        "x-xss-protection": {
            "value": "0",
            "findings": [
                {
                    "severity": "info",
                    "message": "A legacy header that controlled the browser's built-in cross-site scripting (XSS) filter (the XSS Auditor). Modern browsers have removed that filter and ignore this header; <code>Content-Security-Policy</code> is the supported mechanism."
                },
                {
                    "severity": "warning",
                    "message": "<code>0</code> explicitly disables the legacy XSS Auditor. This is the currently recommended value (e.g. by OWASP): the auditor has been removed from Chromium-based browsers and was never implemented in Firefox, and in the older browsers that still have it, <code>1</code> or <code>1; mode=block</code> could itself be abused as a side channel (XS-Leaks) or to selectively block legitimate scripts. Keep <code>0</code> or remove the header entirely; do not set it to <code>1</code>. Use <code>Content-Security-Policy</code> for XSS mitigation instead."
                },
                {
                    "severity": "notice",
                    "message": "Add a <code>Content-Security-Policy</code> header for more comprehensive protection."
                }
            ]
        },
        "cache-control": {
            "value": "no-cache, no-store, max-age=0, must-revalidate",
            "findings": [
                {
                    "severity": "info",
                    "message": "<code>no-cache</code> means the response can be stored by <em>any</em> cache, but the stored response <strong>must</strong> be validated with the origin server before each reuse. If the origin confirms that the response hasn't changed, downloading of the full response body can be skipped."
                },
                {
                    "severity": "warning",
                    "message": "<code>no-cache</code> will cause a revalidation request to the origin server for <em>every</em> use of the cached response. If the content is identical for all visitors, consider using <code>public</code> with an appropriate <code>max-age</code> to improve caching efficiency. Do <em>not</em> do this for responses carrying per-user or session-specific data: a shared cache could then serve one user's response to another."
                },
                {
                    "severity": "warning",
                    "message": "<code>no-store</code> means the response may <em>not</em> be stored in <em>any</em> cache, including the browser's cache. Every request will hit the origin server. If this page is genuinely cacheable, consider using <code>public</code> with an appropriate <code>max-age</code>. Keep <code>no-store</code> for responses that contain credentials, tokens or other sensitive data: it is the only directive that prevents browsers and intermediaries from writing them to disk."
                },
                {
                    "severity": "info",
                    "message": "<code>max-age=0</code> with <code>must-revalidate</code> means the response is stale as soon as it is received: a cache may keep it, but every reuse must first be validated with the origin server."
                },
                {
                    "severity": "notice",
                    "message": "<code>must-revalidate</code> has no effect with <code>no-store</code> since nothing is cached. Remove <code>must-revalidate</code>."
                },
                {
                    "severity": "notice",
                    "message": "<code>must-revalidate</code> is redundant with <code>no-cache</code> since <code>no-cache</code> already requires revalidation. Remove <code>must-revalidate</code>."
                },
                {
                    "severity": "notice",
                    "message": "<code>no-cache</code> is redundant when <code>no-store</code> is set, though some sites keep both for compatibility with older caches."
                }
            ]
        },
        "pragma": {
            "value": "no-cache",
            "findings": [
                {
                    "severity": "notice",
                    "message": "<code>Pragma: no-cache</code> forces revalidation with the origin server on every request. <code>Pragma</code> is a legacy HTTP/1.0 directive, superseded by <code>Cache-Control</code>. Remove <code>Pragma</code> to save bandwidth and processing power."
                }
            ]
        },
        "expires": {
            "value": "0",
            "findings": [
                {
                    "severity": "info",
                    "message": "<code>0</code> is not a valid HTTP-date; caches treat an invalid <code>Expires</code> value as already expired, so the response is considered stale immediately and any stored copy must be revalidated before reuse."
                },
                {
                    "severity": "notice",
                    "message": "Because there is a <code>Cache-Control</code> header with a <code>max-age</code> and/or <code>s-maxage</code> directive, the <code>Expires</code> header will be ignored. Consider removing <code>Expires</code> to save bandwidth and processing power."
                }
            ]
        },
        "strict-transport-security": {
            "value": "max-age=31536000 ; includesubdomains",
            "findings": [
                {
                    "severity": "info",
                    "message": "The <code>Strict-Transport-Security</code> header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking."
                },
                {
                    "severity": "info",
                    "message": "<code>max-age</code> specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain. <code>31536000</code> seconds is one year, the commonly recommended minimum. The <code>preload</code> directive is not present, so the domain cannot be submitted to the browser HSTS preload list and a user's very first visit remains unprotected until the header has been seen once."
                },
                {
                    "severity": "info",
                    "message": "<code>includesubdomains</code> instructs the browser that all subdomains are HTTPS-only as well. It covers only subdomains of the host that sent the header (here <code>liff.line.me</code>), not its parent domain. Every such subdomain must actually be reachable over HTTPS, or it becomes inaccessible for the <code>max-age</code> period."
                }
            ]
        },
        "x-frame-options": {
            "value": "deny",
            "findings": [
                {
                    "severity": "info",
                    "message": "<code>X-Frame-Options</code> prevents this URL from being embedded in an <code>iframe</code>. This protects against clickjacking attacks."
                },
                {
                    "severity": "info",
                    "message": "<code>deny</code> means that this page can <em>never</em> be displayed in an <code>iframe</code>. It's the most secure option. Modern browsers also honor <code>Content-Security-Policy: frame-ancestors</code>, which takes precedence when both are present; keeping <code>X-Frame-Options: deny</code> retains coverage for older clients."
                }
            ]
        },
        "content-language": {
            "value": "en-us",
            "findings": [
                {
                    "severity": "info",
                    "message": "Specifies the page's intended audience. For example, <code>en-US</code> means that the document is intended for English language speakers in the United States. The language tags are defined in <a href=\"https://datatracker.ietf.org/doc/html/rfc5646\">RFC 5646</a>."
                }
            ]
        }
    },
    "missing": {
        "content-security-policy": {
            "message": "Add a <code>Content-Security-Policy</code> header. The <code>Content-Security-Policy</code> header helps browsers prevent cross-site scripting (XSS) and data injection attacks by restricting the origins from which scripts, styles and other resources may be loaded. Since <code>X-XSS-Protection</code> is no longer honored by modern browsers, this is the only header-based XSS mitigation available."
        },
        "referrer-policy": {
            "message": "Add a <code>Referrer-Policy</code> header. When a visitor navigates from one page to another, browsers often pass along <em>referrer information</em>. The <code>Referrer-Policy</code> header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the <i>path</i> or <i>query string</i> and passed onto an external destination."
        },
        "permissions-policy": {
            "message": "Add a <code>Permissions-Policy</code> header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
        },
        "cross-origin-embedder-policy": {
            "message": "Add a <code>Cross-Origin-Embedder-Policy</code> header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with <code>Cross-Origin-Opener-Policy</code>, it enables cross-origin isolation and access to <code>SharedArrayBuffer</code>."
        },
        "cross-origin-opener-policy": {
            "message": "Add a <code>Cross-Origin-Opener-Policy</code> header. It prevents other sites from retaining a <code>window</code> reference to this page when opened via <code>window.open()</code> or navigation, blocking script-based attacks through shared browsing contexts."
        },
        "cross-origin-resource-policy": {
            "message": "Add a <code>Cross-Origin-Resource-Policy</code> header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
        },
        "x-permitted-cross-domain-policies": {
            "message": "Add a <code>X-Permitted-Cross-Domain-Policies</code> header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
        },
        "content-encoding": {
            "message": "No <code>Content-Encoding</code> header found. Enable compression such as <code>gzip</code> or <code>br</code> (Brotli) to reduce transfer sizes. Brotli typically achieves 15–20% better compression than gzip and is supported by all modern browsers. Caveat: if the response body reflects attacker-controlled input alongside a secret (e.g. a CSRF or session token), HTTP compression can enable BREACH-style compression side-channel attacks; for such pages, keep compression off or mask the secret per response. For a body of only 1735 bytes, as here, the gain is marginal."
        }
    }
}