The type of the message body, specified as a MIME type.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

Instructs Internet Explorer what compatibility mode to use to render this page. For example, ie=9 specifies that the page should be rendered as if the user was using Internet Explorer 9, even if they use Internet Explorer 11 or later. It's basically a hack for working around compatibility issues between different versions of Internet Explorer.

no-cache means the response can be stored by any cache, but the stored response must be validated with the origin server before each reuse. If the origin confirms that the response hasn't changed, downloading of the full response body can be skipped.
Warning no-cache will cause a revalidation request to the origin server for every use of the cached response. Consider using public with appropriate max-age to improve caching efficiency.
Warning no-store means the response may not be stored in any cache, including the browser's cache. Every request will hit the origin server. If this page can be cached, consider using public with an appropriate max-age.
max-age=0 with must-revalidate means caching is disabled and all requests must be validated with the origin server.
Notice must-revalidate has no effect with no-store since nothing is cached. Remove must-revalidate.
Notice must-revalidate is redundant with no-cache since no-cache already requires revalidation. Remove must-revalidate.
Notice no-cache is redundant when no-store is set, though some sites keep both for compatibility with older caches.

Notice Pragma: no-cache forces revalidation with the origin server on every request. Pragma is a legacy HTTP/1.0 directive, superseded by Cache-Control. Remove Pragma to save bandwidth and processing power.

This Expires date is in the past: the page is considered stale and will be removed from all caches.
Notice Because there is a Cache-Control header with a max-age and/or s-maxage directive, the Expires header will be ignored. Consider removing Expires to save bandwidth and processing power.

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

Notice P3P stands for Platform for Privacy Preferences. P3P was abandoned by the W3C in 2018 and was never supported by any browser other than Internet Explorer. This header can be safely removed.

Controls which origins are allowed to load this resource (e.g. embed this image, load this script). This prevents other sites from hotlinking your resources and is how a resource signals its consent to be loaded by pages that use Cross-Origin-Embedder-Policy.
same-site means the resource can only be loaded by documents from the same site.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
report-uri defines the URL that violations will be reported to. While report-uri is officially deprecated in favor of report-to, limited browser support for the latter means report-uri remains a viable option for now.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.
Notice No default-src directive is set. Without it, directives that are not explicitly defined have no fallback restriction.
Notice Consider adding base-uri 'self' or base-uri 'none' to prevent base tag injection, which can redirect relative URLs to an attacker-controlled domain.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
script-src specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
base-uri defines what URLs can be used in the <base> element.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
worker-src defines what worker scripts (e.g. Worker, ServiceWorker or SharedWorker) can be loaded and executed.
report-uri defines the URL that violations will be reported to. While report-uri is officially deprecated in favor of report-to, limited browser support for the latter means report-uri remains a viable option for now.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.
Warning unsafe-inline in script-src allows execution of inline scripts, which effectively disables CSP's XSS protection. Consider using nonces or hashes instead.
Notice No default-src directive is set. Without it, directives that are not explicitly defined have no fallback restriction.

Controls which browser features and APIs (camera, microphone, geolocation, payment, USB, etc.) this page and its embedded iframes are allowed to use. Each feature is set to an allowlist of origins; an empty list () disables the feature entirely. This is a defense-in-depth measure: even if an attacker injects script via XSS, they cannot access the restricted APIs.

Controls whether other pages can access this page's window object (and vice versa) when opened via window.open() or by navigating to a new page. Without this header, a malicious page could open your site and retain a reference to its window, enabling script-based attacks through the shared browsing context. Setting this to same-origin severs that link for cross-origin pages. Note: COOP governs top-level documents and popups, not iframes. Use X-Frame-Options or CSP frame-ancestors to control iframe embedding.
Notice unsafe-none means protection is disabled. Other pages that open this page (or are opened by it) can access its window object, regardless of origin. Use same-origin to isolate the browsing context.

The Accept-CH header asks the browser to include extra device and browser metadata on future requests. Client Hints are the structured, opt-in successor to the User-Agent string. Instead of one large string, the server explicitly requests the individual pieces it needs (CPU architecture, platform, browser version, etc.). The browser sends these as separate Sec-CH-* headers on subsequent requests.

• sec-ch-ua-arch: Requests the client's device CPU architecture, such as ARM or x86.
• sec-ch-ua-bitness: Requests the bit architecture of the client's operating system, such as 32-bit or 64-bit.
• sec-ch-ua-full-version: Requests the complete version number of the client's browser.
• sec-ch-ua-full-version-list: Requests a detailed list of version numbers for the client's browser and its significant components.
• sec-ch-ua-model: Requests the model of the client's device.
• sec-ch-ua-platform: Requests the operating system platform of the client's device, such as Windows or MacOS.
• sec-ch-ua-platform-version: Requests the version of the operating system the client is running.

Defines named endpoints where the browser should send reports about security violations, deprecations, and other issues. This is the modern replacement for the Report-To header, using a simpler key-value syntax.

Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred.
gzip means that the data is compressed with gzip.
Warning Add a Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early.

Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance.

A legacy header that enables the browser's built-in cross-site scripting (XSS) filter. Modern browsers ignore it in favor of Content-Security-Policy.
Warning 0 disables XSS filtering. Remove this header or set the value to 1.

X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin allows this page to be displayed in an iframe on the same origin. This is the recommended setting.

The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities.
The value nosniff is correctly set.

A cookie that was sent from the server to the browser.
expires= sets the maximum lifetime of the cookie using a specific date.
domain= sets the domain to which the cookie will be sent.
path= indicates the path that must exist in the requested URL for the browser to send the cookie.
httponly forbids JavaScript from accessing the cookie. Helps mitigate the risk of client side scripts accessing a protected cookie.
Warning This cookie is missing the secure flag. Without it, the cookie can be sent over unencrypted HTTP connections, making it vulnerable to interception.
Notice This cookie does not set an explicit samesite attribute. Browsers default to lax, but setting it explicitly is recommended for clarity and cross-browser consistency.

The alt-svc header tells the browser that the same content is available over a different protocol. This allows the browser to upgrade to a faster protocol (e.g. HTTP/3 over QUIC) on subsequent requests without a separate negotiation step.
h3 indicates that HTTP/3 is supported. HTTP/3 uses the QUIC protocol (UDP-based) instead of TCP, which eliminates the TCP handshake delay and performs better on lossy networks. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=2592000 specifies that the alternative service information is fresh for 2592000 seconds.
ma=2592000 specifies that the alternative service information is fresh for 2592000 seconds.

missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.

missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.

missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.