HTTP Headers Analyzer

6 / 10
https://www.wikipedia.org
Website โ†’ Browser
11 missing headers, 0 warnings, 1 notices
JSON API
Header Value Explanation
content-length 126 The size of the message body, in bytes.
content-type text/plain The type of the message body, specified as a MIME type.
x-request-id 88d7cce1-7850-474d-9b55-d27c5f593755 A unique identifier for the HTTP request. This can be useful for tracking a request through complex systems or for debugging purposes.
server haproxy Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare).
Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance.
x-cache cp1106 int Indicates whether the page was served from a cache. Common values: HIT (served from cache), MISS (fetched from origin).
x-cache-status int-tls Indicates how the caching system processed this request.
x-analytics A custom header used to pass analytics metadata, often seen on Wikimedia sites.
strict-transport-security missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication.
content-security-policy missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks.
referrer-policy missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination.
permissions-policy missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.
cross-origin-embedder-policy missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer.
cross-origin-opener-policy missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts.
cross-origin-resource-policy missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks.
x-frame-options missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive.
x-content-type-options missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities.
x-permitted-cross-domain-policies missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.
content-encoding missing No Content-Encoding header found. Enable compression such as gzip or br (Brotli) to reduce transfer sizes. Brotli typically achieves 15โ€“20% better compression than gzip and is supported by all modern browsers.