The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

The Strict-Transport-Security header (HSTS) instructs browsers to only use HTTPS for future connections to this domain, enhancing security by preventing downgrade attacks and cookie hijacking.
max-age specifies the time, in seconds, that the browser should remember to use HTTPS only for this domain.
Notice For optimal security, consider increasing max-age to at least 31,536,000 seconds (1 year), especially if you're considering preloading.

The time in seconds that the page has been in the shared proxy cache. The maximum age is set by max-age or s-maxage in the Cache-Control header.

public means the response may be stored by all caches, including browser caches, CDNs, and shared caches.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
must-revalidate indicates that once a page becomes stale, both shared caches and browser caches must not use their stale copy without validating it with the origin server first.

A standardized header (RFC 9211) for reporting cache status. Unlike vendor-specific headers like X-Cache or CF-Cache-Status, this is a structured header that can represent multiple cache layers (e.g. CDN and origin cache) in a single value.

The Report-To header defines where browsers should send error reports. It sets up named reporting endpoints that other headers (like NEL and Content-Security-Policy) reference when they need to send violation or failure data.
group defines the reporting group. Groups allow reports to be grouped logically; e.g. there could be a group for network errors and a second group for browser feature deprecation reports.
max_age defines the number of seconds the browser should remember these settings. Prevents the browser from having to parse the JSON on each request.
endpoints defines one or more URLs where the reports need to be sent to. Multiple URLs can be specified for failover and load-balancing. Endpoints can be assigned a weight to distribute load, with each endpoint receiving a specified fraction of the reporting traffic. Endpoints can also be assigned a priority to set up fallback collectors.

The Content Security Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which dynamic resources are allowed to load.
default-src sets the default policy for fetching resources like JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.
script-src specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
Notice Consider adding the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS, helping to prevent mixed content issues.
Notice unsafe-inline in style-src allows inline styles. This is common and lower risk than inline scripts, but nonces or hashes provide stronger protection.
Notice Consider adding base-uri 'self' or base-uri 'none' to prevent base tag injection, which can redirect relative URLs to an attacker-controlled domain.

Controls whether this page can load resources (images, scripts, iframes) from other origins. When set, every cross-origin resource must explicitly opt in (via a Cross-Origin-Resource-Policy header or CORS) before this page can load it. This protects those other origins: by requiring their consent, the browser ensures their resources aren't exposed to Spectre-style timing attacks from this page. Setting this header (together with Cross-Origin-Opener-Policy: same-origin) is also required to enable powerful features like SharedArrayBuffer and high-resolution timers.
credentialless strips credentials (cookies, client certificates) from cross-origin requests, so the responses contain only public data. This achieves a similar level of isolation as require-corp but is much easier to deploy: you don't need every third-party resource to add a Cross-Origin-Resource-Policy header. The tradeoff is that cross-origin resources won't receive credentials, which may break some authenticated embeds.

Controls whether other pages can access this page's window object (and vice versa) when opened via window.open() or by navigating to a new page. Without this header, a malicious page could open your site and retain a reference to its window, enabling script-based attacks through the shared browsing context. Setting this to same-origin severs that link for cross-origin pages. Note: COOP governs top-level documents and popups, not iframes. Use X-Frame-Options or CSP frame-ancestors to control iframe embedding.
same-origin isolates this page completely. Cross-origin pages that open this page (or are opened by it) will get window.opener set to null and cannot script each other. This is the strictest and most secure option.

Controls which origins are allowed to load this resource (e.g. embed this image, load this script). This prevents other sites from hotlinking your resources and is how a resource signals its consent to be loaded by pages that use Cross-Origin-Embedder-Policy.
same-origin means the resource can only be loaded by documents from the same origin.

The NEL (Network Error Logging) header tells browsers to report network-level failures (DNS errors, TCP timeouts, TLS problems) back to the server. This means you can detect when real users fail to reach your site, even though the failure happens before your server sees a request.
report_to defines the reporting group that reports for this NEL policy will be sent to. The reporting group details are specified in the Report-To header.
max_age defines the number of seconds the browser should remember these settings. Prevents the browser from having to parse the JSON on each request.
success_fraction defines the sampling rate that should be applied to reports about successful network requests. Its value must be a number between 0.0 and 1.0: 0 means no successful requests should be reported, and 1 means that every successful request should be reported.

Controls which browser features and APIs (camera, microphone, geolocation, payment, USB, etc.) this page and its embedded iframes are allowed to use. Each feature is set to an allowlist of origins; an empty list () disables the feature entirely. This is a defense-in-depth measure: even if an attacker injects script via XSS, they cannot access the restricted APIs.

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
strict-origin-when-cross-origin means that the full URL (protocol, host, port, path and query string) is shared for same-origin requests. For cross-origin requests, only the origin (protocol, host, and port) is shared, and only when the protocol security level stays the same or improves (HTTP → HTTP, HTTPS → HTTPS). For cross-origin requests where the protocol downgrades (HTTPS → HTTP), nothing is shared.

Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

X-Frame-Options prevents this URL from being embedded in an iframe. This protects against clickjacking attacks.
sameorigin allows this page to be displayed in an iframe on the same origin. This is the recommended setting.

A unique request identifier generated by Netlify. Netlify's customer support can use this ID to trace a request through its network.

Instructs clients like Flash and Acrobat Reader what cross-domain policy they have to use. none is the most secure setting. Data can't be shared across domains.

The page was served from Cloudflare's cache.

Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred.
Warning Add a Content-Length header. The Content-Length header is required, unless the message is transported using chunked encoding. Without a Content-Length header some servers will respond with 400 (bad request) or terminate connections early.

The cf-ray header provides a unique identifier for each request through Cloudflare. It's useful for troubleshooting and tracking requests in Cloudflare logs.

The alt-svc header tells the browser that the same content is available over a different protocol. This allows the browser to upgrade to a faster protocol (e.g. HTTP/3 over QUIC) on subsequent requests without a separate negotiation step.
h3 indicates that HTTP/3 is supported. HTTP/3 uses the QUIC protocol (UDP-based) instead of TCP, which eliminates the TCP handshake delay and performs better on lossy networks. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=86400 specifies that the alternative service information is fresh for 86400 seconds.

missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities.