HTTP Headers Analyzer
6 / 10
| Header | Value | Explanation |
|---|---|---|
| content-length | 126 | The size of the message body, in bytes. |
| content-type | text/plain | The type of the message body, specified as a MIME type. |
| x-request-id | 88d7cce1-7850-474d-9b55-d27c5f593755 | A unique identifier for the HTTP request. This can be useful for tracking a request through complex systems or for debugging purposes. |
| server | haproxy | Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare). Notice Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance. |
| x-cache | cp1106 int | Indicates whether the page was served from a cache. Common values: HIT (served from cache), MISS (fetched from origin). |
| x-cache-status | int-tls | Indicates how the caching system processed this request. |
| x-analytics | A custom header used to pass analytics metadata, often seen on Wikimedia sites. | |
| strict-transport-security | missing Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication. |
|
| content-security-policy | missing Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks. |
|
| referrer-policy | missing Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination. |
|
| permissions-policy | missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more. |
|
| cross-origin-embedder-policy | missing Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer. |
|
| cross-origin-opener-policy | missing Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts. |
|
| cross-origin-resource-policy | missing Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks. |
|
| x-frame-options | missing Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive. |
|
| x-content-type-options | missing Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities. |
|
| x-permitted-cross-domain-policies | missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains. |
|
| content-encoding | missing No Content-Encoding header found. Enable compression such as gzip or br (Brotli) to reduce transfer sizes. Brotli typically achieves 15โ20% better compression than gzip and is supported by all modern browsers. |