Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance.

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
Warning This cookie is missing the secure flag. Without it, the cookie can be sent over unencrypted HTTP connections, making it vulnerable to interception.
Notice This cookie is missing the httponly flag. Without it, JavaScript can access the cookie, increasing the risk of cross-site scripting (XSS) attacks.
Notice This cookie does not set an explicit samesite attribute. Browsers default to lax, but setting it explicitly is recommended for clarity and cross-browser consistency.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
max-age= sets the maximum lifetime of the cookie in seconds.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
Notice samesite=lax instructs the browser not to share the cookie with third-party sites (e.g. when loading images, videos or frames from other sites), with one exception. The cookie will be sent when a user is navigating to the origin site from an external site (for example, when following a link). To improve protection against cross-site request forgery attacks, set to samesite=strict.
secure instructs the browser to only send the cookie back when HTTPS requests are used, making it more resistant to man-in-the-middle attacks.
httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.

The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities.
The value nosniff is correctly set.

The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities.
The value nosniff is correctly set.

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-origin means that the full URL (protocol, host, port, path and query string) is shared for same-origin requests. For cross-origin requests, only the origin (protocol, host, and port) is shared, and only when the protocol security level stays the same or improves (HTTP → HTTP, HTTPS → HTTPS). For cross-origin requests where the protocol downgrades (HTTPS → HTTP), nothing is shared.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.

Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred.
gzip means that the data is compressed with gzip.
Warning Add a Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early.

missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.

missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts.

missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks.

missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.