Some of the software used to generate or serve this page.
Warning Sharing too many details about a server or web application makes it easier for hackers to target a website. Avoid specific version numbers such as 8.3.30, especially when running software that is end-of-life and/or has known security bugs. Consider removing this header. At a minimum, remove any version number.

rel="alternate" specifies an alternate version of the current page, often using a different language (hreflang attribute), a different MIME type (type attribute) or a different media format (media attribute).

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-origin means that the full URL (protocol, host, port, path and query string) is shared for same-origin requests. For cross-origin requests, only the origin (protocol, host, and port) is shared, and only when the protocol security level stays the same or improves (HTTP → HTTP, HTTPS → HTTPS). For cross-origin requests where the protocol downgrades (HTTPS → HTTP), nothing is shared.

A legacy header that enables the browser's built-in cross-site scripting (XSS) filter. Modern browsers ignore it in favor of Content-Security-Policy.
1 enables XSS filtering.
mode=block blocks the response entirely if an attack is detected, instead of sanitizing the page.

The X-Content-Type-Options header prevents browsers from guessing a response's content type. Without it, browsers may interpret files differently than intended, which can lead to security vulnerabilities.
The value nosniff is correctly set.

max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
Warning Because max-age is set to 0 seconds and no s-maxage is set, caching is effectively disabled. Every request will hit the origin server. Consider setting a positive max-age or adding s-maxage for shared caches.

The date and time after which the page should be considered stale and all caches should be refreshed.
Notice Because there is a Cache-Control header with a max-age and/or s-maxage directive, the Expires header will be ignored. Consider removing Expires to save bandwidth and processing power.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred.
gzip means that the data is compressed with gzip.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.
includesubdomains instructs the browser that all subdomains are HTTPS-only as well.
preload recommends the domain for inclusion in browsers' preload lists. If accepted, the domain would get hardcoded into browsers as HTTPS-only.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
upgrade-insecure-requests instructs browsers to replace insecure URLs (HTTP) with secure URLs (HTTPS).
Notice No default-src directive is set. Without it, directives that are not explicitly defined have no fallback restriction.
Notice Consider adding base-uri 'self' or base-uri 'none' to prevent base tag injection, which can redirect relative URLs to an attacker-controlled domain.

The size of the message body, in bytes.

The type of the message body, specified as a MIME type.

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.

missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts.

missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.