HTTP Headers Analyzer
6 / 10
https://liff.line.me/2007348473-DApdgAg6
Website → Nginx → Browser11 missing headers, 0 warnings, 1 notices
JSON API
| Header | Value | Explanation |
|---|---|---|
| server | nginx | Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare). Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance. |
| date | wed, 24 jun 2026 06:51:17 gmt | The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires. |
| content-type | text/html;charset=utf-8 | The type of the message body, specified as a MIME type. |
| content-length | 1728 | The size of the message body, in bytes. |
| vary | origin | The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type. |
| vary | access-control-request-method | The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type. |
| vary | access-control-request-headers | The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type. |
| content-language | en-us | Specifies the page's intended audience. For example, en-US means that the document is intended for English language speakers in the United States. The language tags are defined in RFC 5646. |
| strict-transport-security | missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication. |
|
| content-security-policy | missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks. |
|
| referrer-policy | missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination. |
|
| permissions-policy | missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more. |
|
| cross-origin-embedder-policy | missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer. |
|
| cross-origin-opener-policy | missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts. |
|
| cross-origin-resource-policy | missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks. |
|
| x-frame-options | missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive. |
|
| x-content-type-options | missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities. |
|
| x-permitted-cross-domain-policies | missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains. |
|
| content-encoding | missing No Content-Encoding header found. Enable compression such as gzip or br (Brotli) to reduce transfer sizes. Brotli typically achieves 15–20% better compression than gzip and is supported by all modern browsers. |