{
"url": "https://liff.line.me/2007392666-9mdm2ww5",
"score": 6,
"summary": {
"missing": 11,
"warnings": 0,
"notices": 1
},
"caches": [
"Website",
"Nginx",
"Browser"
],
"headers": {
"server": {
"value": "nginx",
"findings": [
{
"severity": "info",
"message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
},
{
"severity": "notice",
"message": "Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance."
}
]
},
"date": {
"value": "thu, 30 apr 2026 16:04:19 gmt",
"findings": [
{
"severity": "info",
"message": "The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires."
}
]
},
"content-type": {
"value": "text/html;charset=utf-8",
"findings": [
{
"severity": "info",
"message": "The type of the message body, specified as a MIME type."
}
]
},
"content-length": {
"value": "1751",
"findings": [
{
"severity": "info",
"message": "The size of the message body, in bytes."
}
]
},
"vary": {
"value": "origin, access-control-request-method, access-control-request-headers",
"findings": [
{
"severity": "info",
"message": "The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type."
}
]
},
"content-language": {
"value": "en-us",
"findings": [
{
"severity": "info",
"message": "Specifies the page's intended audience. For example, en-US means that the document is intended for English language speakers in the United States. The language tags are defined in RFC 5646."
}
]
}
},
"missing": {
"strict-transport-security": {
"message": "Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication."
},
"content-security-policy": {
"message": "Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks."
},
"referrer-policy": {
"message": "Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination."
},
"permissions-policy": {
"message": "Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
},
"cross-origin-embedder-policy": {
"message": "Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer."
},
"cross-origin-opener-policy": {
"message": "Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts."
},
"cross-origin-resource-policy": {
"message": "Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
},
"x-frame-options": {
"message": "Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive."
},
"x-content-type-options": {
"message": "Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities."
},
"x-permitted-cross-domain-policies": {
"message": "Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
},
"content-encoding": {
"message": "No Content-Encoding header found. Enable compression such as gzip or br (Brotli) to reduce transfer sizes. Brotli typically achieves 15–20% better compression than gzip and is supported by all modern browsers."
}
}
}