HTTP Headers Analyzer
4 / 10
https://balochhaarman.wixsite.com/my-site-1/post/8171-bisp
Wix โ Google Cloud โ Browser8 missing headers, 2 warnings, 3 notices
JSON API
Header
Value
Explanation
date
sat, 09 may 2026 16:25:50 gmt
The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against
Max-Age or Expires.link
<https://static.parastorage.com/>; rel=preconnect; crossorigin;,<https://static.parastorage.com/>; rel=preconnect;,<https://static.wixstatic.com/>; rel=preconnect; crossorigin;,<https://static.wixstatic.com/>; rel=preconnect;,<https://siteassets.parastorage.com>; rel=preconnect; crossorigin;,
rel="preconnect" tells the browser to open a connection to the specified server ahead of time, including DNS lookup, TCP handshake, and TLS negotiation. This is useful when you know you will need resources from a host but don't yet know the exact URLs.x-wix-request-id
1778343948.299754550371302
A unique request identifier generated by Wix.
etag
w/"f60f86ceb43aa356c599f9480270012a"
A unique identifier that changes every time a page at a given URL changes. It acts as a fingerprint. A cache can compare
ETag values to see if the page has changed and has become stale. For example, a browser will send the ETag value of a cached page in an If-None-Match header. The web server compares the ETag value sent by the browser with the ETag value of the current version of the page. If both values are the same, the web server sends back a 304 Not Modified status and no body. This particular ETag value starts with W/ which means that it is a weak identifier; while unlikely, multiple pages might have the same identifier. Weak identifiers are used because strong identifiers can be difficult and costly to generate.x-meta-site-id
6294aaea-70ef-4861-b0e9-3548a9524b18
content-language
en
Specifies the page's intended audience. For example,
en-US means that the document is intended for English language speakers in the United States. The language tags are defined in RFC 5646.strict-transport-security
max-age=31556952
The
Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.age
0
The time in seconds that the page has been in the shared proxy cache. The maximum age is set by
max-age or s-maxage in the Cache-Control header.x-cache-status
miss
Indicates how the caching system processed this request.
The response was not found in cache and was fetched from the origin server.
The response was not found in cache and was fetched from the origin server.
x-seen-by
odbbmvfdxcdtsgjd2kgam8ihe4dbw+wewoj5nvkoyje=,ua1isbctq7qsxjmrcge1n6hbhvazvo/uyi2wxmiwiaaarqulxkfzg1aydv3a/ljoepzruii78vdyxnnkzueyuyhiydfycelfdfkrvutey3impaj4lzmbfpzqoq17pkqt,2d58ifebgbosy5xc+fralq+uamvetj7m+aazuilnd1te5cmahva68ec0d7qbtavvfyuowd11kqrylhv9nyrffa==,2unv7koq4ogja5+pksx47ftsalg8iyz7twb3e4ms5qwfvd1lr1l8/yroc88kq/ej,2unv7koq4ogja5+pksx47bf7kcd8qxjsmuhfvzfmjzqfvd1lr1l8/yroc88kq/ej,/b3vgdticcndwqoewfzmmkbpmyfddb9ajh6wb6vj1i8=,uccefuqci27dxmjsd6vpi6xub4zyegjlppm6xtdhioej6r0azamucqm4c7kwbeya8zyxhg+elq5gxcp4ttl/tw==,/b3vgdticcndwqoewfzmmtcuqdy/+qrvbpbdvffe3k0=,louk8/sagamoxzwtpubo2vyeqomli/gyf9gu3c3wkpqdymr7yojttdikc5o5j313pfnohz4tdd738c+vv5tlcwsd7q4bfrxkkyxss8skzce=,/b3vgdticcndwqoewfzmmvoltnwx0pjyrsgpycpesis=,bambrvwsln/v1ztiwxgeokkjgsmuavrqotdnlzt+kn43bsqqcynszaardg+twyc4n0gen+jfkoiiod3+jzrxeq==
An internal WordPress.com/Automattic header tracking which servers processed the request.
vary
accept-encoding
The
Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.set-cookie
_wixab3=4996967#2; max-age=15724800; expires=sat, 07 nov 2026 16:25:50 gmt; path=/my-site-1/post/8171-bisp; domain=.wix.com
A cookie that was sent from the server to the browser.
Warning This cookie is missing the
Notice This cookie is missing the
Notice This cookie does not set an explicit
expires= sets the maximum lifetime of the cookie using a specific date.max-age= sets the maximum lifetime of the cookie in seconds.domain= sets the domain to which the cookie will be sent.path= indicates the path that must exist in the requested URL for the browser to send the cookie.Warning This cookie is missing the
secure flag. Without it, the cookie can be sent over unencrypted HTTP connections, making it vulnerable to interception.Notice This cookie is missing the
httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.Notice This cookie does not set an explicit
samesite attribute. Browsers default to lax, but setting it explicitly is recommended for clarity and cross-browser consistency.set-cookie
sec-fetch-unsupported=1; path=/; secure; samesite=lax
A cookie that was sent from the server to the browser.
Notice
Notice This cookie is missing the
path= indicates the path that must exist in the requested URL for the browser to send the cookie.Notice
samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.Notice This cookie is missing the
httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.set-cookie
ssr-caching=cache#desc=miss#varnish=miss#dc#desc=virginia-phy_g; max-age=20; expires=sat, 09 may 2026 16:26:10 gmt
A cookie that was sent from the server to the browser.
Warning This cookie is missing the
Notice This cookie is missing the
Notice This cookie does not set an explicit
expires= sets the maximum lifetime of the cookie using a specific date.max-age= sets the maximum lifetime of the cookie in seconds.Warning This cookie is missing the
secure flag. Without it, the cookie can be sent over unencrypted HTTP connections, making it vulnerable to interception.Notice This cookie is missing the
httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.Notice This cookie does not set an explicit
samesite attribute. Browsers default to lax, but setting it explicitly is recommended for clarity and cross-browser consistency.set-cookie
xsrf-token=1778343950|juo27a5ycybi; path=/; domain=balochhaarman.wixsite.com; secure; samesite=none
A cookie that was sent from the server to the browser.
Warning
Notice This cookie is missing the
domain= sets the domain to which the cookie will be sent.path= indicates the path that must exist in the requested URL for the browser to send the cookie.Warning
samesite=none instructs the browser to send the cookie to all cross-site requests, such as on requests to load images or frames from other sites. This enables third-party sites to log cookie data. This could lead to data leaks and cross-site request forgery attacks. To improve security, set to samesite=strict or samesite=lax.secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.Notice This cookie is missing the
httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.server-timing
cache;desc=miss, varnish;desc=miss, dc;desc=virginia-phy_g
Exposes server-side performance metrics (e.g. database query time, cache lookups, total processing time) to the browser. These metrics appear in the browser's DevTools Network tab, making it easier to diagnose slow responses without needing server-side log access.
cache-control
private,max-age=0,must-revalidate
private means the response can only be stored by the browser's cache, but not by CDNs, proxies, or any other shared caches.max-age=0 with must-revalidate means caching is disabled and all requests must be validated with the origin server.server
pepyaka
Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the
Notice Consider removing or minimizing the
Server header. Even without a version number, it reveals the server software, which aids reconnaissance.x-content-type-options
nosniff
The
The value
X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities.The value
nosniff is correctly set.content-encoding
br
Specifies how the resource is compressed. Not to be confused with
Warning Add a
Transfer-Encoding which specifies how the data is transferred.br means that the data is compressed with brotli.Warning Add a
Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early.via
1.1 google
The
Via header tracks how a page is forwarded from proxy to proxy. Beware, not all proxies append themselves to the Via header.glb-x-seen-by
zj+a2e71qocweet+2koawksdxk9yj1hjlua0mxxzy6e=
An internal WordPress.com/Automattic header tracking which global load balancers processed the request.
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
The
alt-svc header tells the browser that the same content is available over a different protocol. This allows the browser to upgrade to a faster protocol (e.g. HTTP/3 over QUIC) on subsequent requests without a separate negotiation step.h3 indicates that HTTP/3 is supported. HTTP/3 uses the QUIC protocol (UDP-based) instead of TCP, which eliminates the TCP handshake delay and performs better on lossy networks. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.ma=2592000 specifies that the alternative service information is fresh for 2592000 seconds.ma=2592000 specifies that the alternative service information is fresh for 2592000 seconds.content-security-policy
missing Add a
Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.referrer-policy
missing Add a
Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.permissions-policy
missing Add a
Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.cross-origin-embedder-policy
missing Add a
Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.cross-origin-opener-policy
missing Add a
Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts.cross-origin-resource-policy
missing Add a
Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks.x-frame-options
missing Add a
X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive.x-permitted-cross-domain-policies
missing Add a
X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.