Dries Buytaert

Explanation

The date and time at which the request was made. A browser uses it for age calculations rather than using its own internal date and time; e.g. when compairing against Max-Age or Expires.

The type of the message body, specified as a MIME type.

Specifies whether the network connection stays open after the current request. keep-alive specifies that the browser would like to keep the connection open, while close indicates that the browser wants to close the connection.

A unique request ID generated by Cloudflare. Cloudflare's customer support can use this identifier to trace a request through its network.

Warning The dynamic status indicates that Cloudflare did not cache the requested HTML page, similar to a "cache miss". By default, Cloudflare caches static assets such as images, CSS, and JavaScript but excludes HTML due to its dynamic nature. To cache HTML content, change the 'Cache Level' setting from dynamic to cache everything in Cloudflare. This adjustment allows HTML pages to be cached, leveraging Cloudflare's global network for faster and more efficient content delivery.

public means the response may be stored by all caches, including browser caches.
max-age specifies the maximum amount of seconds a page is considered valid. The higher max-age, the longer a page can be cached.
s-maxage overrides max-age header, but only for shared caches (e.g. CDN, Varnsh) and not for browser caches.
stale-while-revalidate instructs the browser to accept a stale response, while asynchronously checking in the background for a fresh one. The value is the number of seconds the client will accept a stale response for.
stale-if-error instructs the browser to accept a stale response if the check for a fresh one fails. The value is the number of seconds the browser will accept a stale response for. This is good for reliability; e.g. when the origin goes down.
Notice A max-age of 60 seconds is short, especially if your content doesn't change frequently. Consider increasing max-age unless the URL has live updates.

The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP.
max-age is the time, in seconds, that the browser should remember to use HTTPS only.

A list of request headers that need to be taken into account to determine whether a cached response can be used rather than making a new request with the origin server. The headers specified by Vary must match with those of the cached response.
Notice This request has a lot of Vary headers. The more headers, the less likely the page is to be cached.

Specifies a security policy to help browsers detect and block cross-site scripting (XSS) and data injection attacks.
default-src defines the loading policy for all resource types. It acts as the fallback in absence of a more specific resource type being specified.
base-uri defines what URLs can be used in the <base> URL.
script-src defines what JavaScript is allowed to be loaded and executed.
object-src defines what <object>, <embed> and <applet> elements are allowed to be loaded and executed.
style-src defines what CSS stylesheets are allowed to be loaded.
img-src defines what images and favicons can be loaded.
font-src defines what fonts can be loaded using CSS's font-face.
frame-src defines what <frame> and <iframe> elements can be loaded.
frame-ancestors defines what parents may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>.
form-action defines what URLs can be used for form submissions.

The "Network Error Logging" (NEL) header is used to configure network request logging; enables websites and applications to receive reports about failed network fetches from supporting browsers.
report_to defines the reporting group that reports for this NEL policy will be sent to. The reporting group details are specified in the Report-To header.
max_age defines the number of seconds the browser should remember these settings. Prevents the browser from having to parse the JSON on each request.
success_fraction defines the sampling rate that should be applied to reports about successful network requests. Its value must be a number between 0.0 and 1.0: 0 means no successful requests should be reported, and 1 means that every successful request should be reported.

When a visitor navigates from one page to another page, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important because private information can be embedded in the path or query string.
no-referrer-when-downgrade means that the protocol, host, port, path and query string are shared. It is only shared when the protocol security level remains the same (HTTP → HTTP, HTTPS → HTTPS) or improves (HTTP → HTTPS). When the protocol becomes less secure (HTTPS → HTTP), nothing is shared.

The Report-To header instructs the browser where to send "Network Error Logging" (NEL) reports to.
group defines the reporting group. Groups allow reports to be grouped logically; e.g. there could be a group for network errors and a second group for browser feature deprecation reports.
max_age defines the number of seconds the browser should remember these settings. Prevents the browser from having to parse the JSON on each request.
endpoints defines one or more URLs where the reports need to be send to. Multiple URLs can be specified for failover and load-balancing. Endpoints can be assigned a weight to distribute load, with each endpoint receiving a specified fraction of the reporting traffic. Endpoints can also be assigned a priority to set up fallback collectors.

Instructs the browser not to change the MIME type of the request. Browsers sometimes sniff or inspect the document to determine if the specified MIME type is correct. A browser changing the MIME type of a document can introduce security vulnerabilities. These vulnerabilities can occur when a website allows users to upload content and the user disguises a particular file type as something else. For example, a JavaScript file is uploaded as a JPEG file. When the browser changes the MIME type from image/jpeg to test/javascript, it gives attackers an opportunity to perform a cross-site scripting attack.

Some of the software used to generate or serve this page.

Some of the software used to generate or serve this page.

The alt-svc header advertises alternative services for accessing the same resource, enabling protocol negotiation and potential performance improvements.
h3 indicates that HTTP/3 is supported. Variants like h3-29 refer to specific drafts of the HTTP/3 protocol.
ma=86400 specifies that the alternative service information is fresh for 86400 seconds.

missing Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more.

missing Add a Cross-Origin-Embedder-Policy to specify how this page can be loaded by cross-origin resources.

missing Add a Cross-Origin-Opener-Policy header to opt-in into better browser isolation.

missing Add a Cross-Origin-Resource-Policy header to specify who can load this page.

missing Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains.