Warning no-store means the response may not be stored in any cache, including the browser's cache. Every request will hit the origin server. If this page can be cached, consider using public with an appropriate max-age.

The type of the message body, specified as a MIME type.

Specifies how the resource is compressed. Not to be confused with Transfer-Encoding which specifies how the data is transferred.
gzip means that the data is compressed with gzip.

The Vary header specifies a list of headers that must be considered when caching responses. For a cached response to be used, these headers must match between the cached response and the new request. This ensures that the appropriate version of a resource is served based on factors like language, encoding, or device type.

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when comparing against Max-Age or Expires.

The size of the message body, in bytes.

missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.

missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.

missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.

missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts.

missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks.

missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive.

missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.