HTTP Headers

Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.

Summary

Response
Total Requests: 1
Total Time: 289 ms
  • https://gravatar.com/darinruiz42

    Status: 200
    Message: OK
    Time: 289 ms
  • IP
    192.0.80.240
  • Timing

    Wait: 0 ms
    DNS: 7 ms
    TCP: 44 ms
    Request: 1 ms
    First Byte: 191 ms
    Download: 0 ms
    Total: 289 ms

  • HTTP Headers

    Server

    nginx

    A name for the server.

    nginx - Description of the server software.

    Date

    Wed, 29 Apr 2026 08:46:12 GMT

    The date and time that the message was sent.

    Content-Type

    text/html; charset=utf-8

    The MIME type of this content.

    • Type

      text/html

    • Description

      HTML file

    • Charset

      utf-8

    Connection

    keep-alive

    Control options for the current connection and list of hop-by-hop response fields.

    keep-alive - The client would like to keep the connection open.

    Vary

    Accept-Encoding

    Indicates that different content may be provided to different clients, depending on the request headers listed in Vary.

    • Headers

      • Accept-Encoding

    Content-Language

    en

    The natural language or languages of the intended audience for the enclosed content.

    en - English

    P3p

    CP="CAO PSA"

    P3P policy.

    Expires

    Wed, 11 Jan 1984 05:00:00 GMT

    The time at which the response is considered stale.

    Cache-Control

    no-cache, must-revalidate, max-age=0

    Inform all caching mechanisms from server to client whether they may cache this object.

    • no-cache

      May be stored by any cache but must be validated by the server.

    • must-revalidate

      Stale caches must not be used.

    • Max-Age

      0

      The maximum time a cached response is considered fresh (seconds).

    X-Frame-Options

    SAMEORIGIN

    Clickjacking protection.

    SAMEORIGIN - No rendering if origin mismatch.

    Content-Security-Policy

    default-src gravatar.com *.gravatar.com; script-src gravatar.com *.gravatar.com *.wp.com *.google-analytics.com *.googletagmanager.com *.facebook.net apis.google.com/js/ 'nonce-5ada872098c8' 'nonce-a5cba8671143' telegram.org/js/; style-src 'self' gravatar.com *.gravatar.com *.wp.com fonts.googleapis.com 'nonce-a5cba8671143' 'nonce-b3c4616a1b7d' 'sha256-NE3gBSsVG0IdyINKOXv7oHDjOD1hoJpOCZQDS8LzvUc=' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog=' 'sha256-ONA8DqqhBTsIrZzU3/jZyRdkNkkAGEU74EH252dbGS8=' 'sha256-uYx4ryugsGdahnaIId0IhtdPIgBkKBfNZg2/H0eWhqk=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-xi7Iu5TcqJkb4mlu0FHpAYfWWCETn5kNH3GPA4Coh4M=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-I2bAuuyP+veMzHANDAkLjot3kEjD5cuLWOznj5UrCYc=' 'sha256-Fw2RK+YpRih15zbXuAaoQAV98ZS+OLAX6wDQ2AkaEho=' 'sha256-t9/679CRyrVA6r3JGaAzcO+diam/7WLn6KXJHJuOzUI=' 'sha256-h0RPO0+/L+WC46JS6RvM6D3KN9C2LfMai6hxwzVFU2k=' 'sha256-YIktaUP7IBRwVksGEOmRykAcO2jHTw97BHns4OnHTIw=' 'sha256-MSTZvl0psO46WYZImeDzGMr7OqGRUy5RPDaeL19QpBk='; font-src data: gravatar.com *.gravatar.com *.wp.com fonts.gstatic.com; img-src data: https: blob:; media-src https://videos.files.wordpress.com/ s.gravatar.com blob:; frame-src gravatar.com *.gravatar.com automattic.crowdsignal.net widgets.wp.com td.doubleclick.net www.googletagmanager.com oauth.telegram.org; connect-src gravatar.com *.gravatar.com *.wp.com data: blob: *.google-analytics.com *.analytics.google.com analytics.google.com googleadservices.com www.googleadservices.com google.com https://public-api.wordpress.com/ *.pexels.com *.giphy.com *.google.com stats.g.doubleclick.net; object-src 'none'; base-uri 'self'; report-uri https://public-api.wordpress.com/csp/; worker-src 'self' blob:;

    The content security policy allows the server to determine what resources the user is allowed to load.

    • Default-Src

      Fallback for all fetches.

      • gravatar.com
      • *.gravatar.com
    • Script-Src

      Define sources for JavaScript.

      • gravatar.com
      • *.gravatar.com
      • *.wp.com
      • *.google-analytics.com
      • *.googletagmanager.com
      • *.facebook.net
      • apis.google.com/js/
      • 'nonce-5ada872098c8'
      • 'nonce-a5cba8671143'
      • telegram.org/js/
    • style-src

      Define sources for stylesheets.

      Problems were found: duplicate value detected.

      • 'self'
      • gravatar.com
      • *.gravatar.com
      • *.wp.com
      • fonts.googleapis.com
      • 'nonce-a5cba8671143'
      • 'nonce-b3c4616a1b7d'
      • 'sha256-NE3gBSsVG0IdyINKOXv7oHDjOD1hoJpOCZQDS8LzvUc='
      • 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='
      • 'sha256-ONA8DqqhBTsIrZzU3/jZyRdkNkkAGEU74EH252dbGS8='
      • 'sha256-uYx4ryugsGdahnaIId0IhtdPIgBkKBfNZg2/H0eWhqk='
      • 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

        Duplicated value.

      • 'sha256-xi7Iu5TcqJkb4mlu0FHpAYfWWCETn5kNH3GPA4Coh4M='
      • 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

        Duplicated value.

      • 'sha256-I2bAuuyP+veMzHANDAkLjot3kEjD5cuLWOznj5UrCYc='
      • 'sha256-Fw2RK+YpRih15zbXuAaoQAV98ZS+OLAX6wDQ2AkaEho='
      • 'sha256-t9/679CRyrVA6r3JGaAzcO+diam/7WLn6KXJHJuOzUI='
      • 'sha256-h0RPO0+/L+WC46JS6RvM6D3KN9C2LfMai6hxwzVFU2k='
      • 'sha256-YIktaUP7IBRwVksGEOmRykAcO2jHTw97BHns4OnHTIw='
      • 'sha256-MSTZvl0psO46WYZImeDzGMr7OqGRUy5RPDaeL19QpBk='
    • Font-Src

      Define sources for fonts.

      • data:
      • gravatar.com
      • *.gravatar.com
      • *.wp.com
      • fonts.gstatic.com
    • Img-Src

      Define sources for images and favicons.

      • data:
      • https:
      • blob:
    • Media-Src

      Define sources for audio, video, and track elements.

      • https://videos.files.wordpress.com/
      • s.gravatar.com
      • blob:
    • Frame-Src

      Define sources for frames.

      • gravatar.com
      • *.gravatar.com
      • automattic.crowdsignal.net
      • widgets.wp.com
      • td.doubleclick.net
      • www.googletagmanager.com
      • oauth.telegram.org
    • Connect-Src

      Define sources for script interfaces.

      • gravatar.com
      • *.gravatar.com
      • *.wp.com
      • data:
      • blob:
      • *.google-analytics.com
      • *.analytics.google.com
      • analytics.google.com
      • googleadservices.com
      • www.googleadservices.com
      • google.com
      • https://public-api.wordpress.com/
      • *.pexels.com
      • *.giphy.com
      • *.google.com
      • stats.g.doubleclick.net
    • Object-Src

      Define sources for object, embed, and applet elements.

      • 'none'
    • Base-URI

      Define what can be used in the base element.

      • 'self'
    • Report-URI

      https://public-api.wordpress.com/csp/

      URI for violation reports.

    • Worker-Src

      Define sources for Worker, SharedWorker, and ServiceWorker scripts.

      • 'self'
      • blob:

    Alt-Svc

    h3=":443"; ma=86400

    Indicate a resource should be loaded from a different server while still appearing to be loaded from this server.

    • Service

      • h3 - :443
    • Service

      • ma - 86400 (1 day)

        Max age for the alternative (seconds).

    Strict-Transport-Security

    max-age=31536000; includeSubdomains; preload

    An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether it applies to subdomains.

    • Max-Age

      31536000 (1 year)

      The time a browser should remember a site can only be accessed with https (seconds).

    • includeSubdomains

      max-age applies to subdomains as well.

    • preload

      Requests inclusion in Google's HSTS preload list.