HTTP Headers

Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.

Summary

Response
200
Total Requests
1
Total Time
316 ms

  • https://controlc.com/63136186

    Status
    200
    Message
    OK
    Time
    316 ms
  • IP
    104.21.24.150
    View Map

  • Timing

    Wait

    0 ms

    DNS

    7 ms

    TCP

    4 ms

    Request

    0 ms

    First Byte

    298 ms

    Download

    0 ms

    Total

    316 ms

  • HTTP Headers

    Date

    Sat, 16 May 2026 11:57:38 GMT

    The date and time that the message was sent.

    Content-Type

    text/html; charset=UTF-8

    The MIME type of this content.

    • Type

      text/html

    • Description

      HTML file

    • Charset

      UTF-8

    Connection

    keep-alive

    Control options for the current connection and list of hop-by-hop response fields.

    keep-alive - The client would like to keep the connection open.

    Server-Timing

    cfEdge;dur=17,cfOrigin;dur=0,cfWorker;dur=277

    Server metrics for the request.

    • Cfedge

      • dur - 17

    • Cforigin

      • dur - 0

    • Cfworker

      • dur - 277
    Strict-Transport-Security

    max-age=31536000; includeSubDomains

    A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.

    • Max-Age

      31536000 (1 year)

      The time a browser should remember a site can only be accessed with https (seconds).

    • includesubdomains

      max-age applies to subdomains as well.

    Content-Security-Policy

    default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://*.googletagmanager.com https://*.google-analytics.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; frame-src https://challenges.cloudflare.com https://www.youtube-nocookie.com; connect-src 'self' https://challenges.cloudflare.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://cloudflareinsights.com; form-action 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'

    The content security policy allows the server to determine what resources the user is allowed to load.

    • Default-Src

      Fallback for all fetches.

      • 'self'

    • Script-Src

      Define sources for JavaScript.

      • 'self'
      • 'unsafe-inline'
      • https://challenges.cloudflare.com
      • https://*.googletagmanager.com
      • https://*.google-analytics.com
      • https://static.cloudflareinsights.com

    • Style-Src

      Define sources for stylesheets.

      • 'self'
      • 'unsafe-inline'
      • https://fonts.googleapis.com

    • Img-Src

      Define sources for images and favicons.

      • 'self'
      • data:
      • https:

    • Font-Src

      Define sources for fonts.

      • 'self'
      • data:
      • https://fonts.gstatic.com

    • Frame-Src

      Define sources for frames.

      • https://challenges.cloudflare.com
      • https://www.youtube-nocookie.com

    • Connect-Src

      Define sources for script interfaces.

      • 'self'
      • https://challenges.cloudflare.com
      • https://*.google-analytics.com
      • https://*.analytics.google.com
      • https://*.googletagmanager.com
      • https://cloudflareinsights.com

    • Form-Action

      Define what can be used as the target for forms.

      • 'self'

    • Frame-Ancestors

      Define valid parents for frame, iframe, embed, object, and applet.

      • 'none'

    • Base-URI

      Define what can be used in the base element.

      • 'self'

    • Object-Src

      Define sources for object, embed, and applet elements.

      • 'none'
    Permissions-Policy

    geolocation=(), microphone=(), camera=(), payment=()

    Enable and disable browser features.

    • geolocation

      Control access to geo location API.

      • () - Feature is disabled.

    • microphone

      Control access to microphone device.

      • () - Feature is disabled.

    • camera

      Control access to camera.

      • () - Feature is disabled.

    • payment

      Control access to payment request API.

      • () - Feature is disabled.
    Referrer-Policy

    strict-origin-when-cross-origin

    Controls what referrer information is sent with requests.

    strict-origin-when-cross-origin - Send the full referrer for a same origin request. Send the origin only for cross-domain requests where the protocol level is the same. Otherwise do not send the referrer.

    X-Content-Type-Options

    nosniff

    Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.

    nosniff - Block requests if type 'style' or 'script'.

    X-Frame-Options

    DENY

    Clickjacking protection.

    DENY - No rendering within frame.

    Report-To

    {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=smZHWzo7lhojPvHTkNpKkyxzUyT0aUkPz6l2kz%2BuvitJ6AObBZtaw4B%2FMMblQZUdyYUYz8sbQkR7PInGgH7zJLUGVItMpyPIPD0CtU1l2SElCSsDSYEBmMBgbesfkKg%3D"}]}

    Report to.

    • Group

      cf-nel

    • Max_age

      604800

    • Endpoints

      • {"url":"https://a.nel.cloudflare.com/report/v4?s=smZHWzo7lhojPvHTkNpKkyxzUyT0aUkPz6l2kz%2BuvitJ6AObBZtaw4B%2FMMblQZUdyYUYz8sbQkR7PInGgH7zJLUGVItMpyPIPD0CtU1l2SElCSsDSYEBmMBgbesfkKg%3D"}
    Nel

    {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}

    Configure network request logging.

    • Report_to

      cf-nel

    • Success_fraction

      0

    • Max_age

      604800

    Server

    cloudflare

    A name for the server.

    cloudflare - Description of the server software.

    Cf-Ray

    9fca34b8dfa18815-EWR

    Encoded information about your request from Cloudflare.

    Alt-Svc

    h3=":443"; ma=86400

    Indicate a resource should be loaded from a different server while still appearing to be loaded from this server.

    • Service

      • h3 - :443

    • Service

      • ma - 86400 (1 day)

        Max age for the alternative (seconds).