Raw Response Headers Input
Headers Security Audit
Parsed Headers Directory
Not set
Missing. Permissions policy helps enforce feature isolation.
Not set
Missing. Risk of SSL stripping / connection hijack.
Not set
Missing. Risk of script execution from sniffed resources.
public, max-age=3600
Specifies caching mechanisms for requests and responses.
gzip
Specifies the compression algorithm used on the body (gzip, br, etc.).
default-src 'self' https:;
Prevents XSS, clickjacking, and code injection by controlling approved sources.
text/html; charset=UTF-8
Indicates the media type of the resource (MIME type).
Wed, 08 Jul 2026 22:45:00 GMT
The date and time at which the message was originated.
strict-origin-when-cross-origin
Controls how much referrer info is sent when navigating away from the page.
cloudflare
Identifies the software used by the originating server.
SAMEORIGIN
Prevents clickjacking attacks by blocking the page from loading in frames or iframes.