HTTP Headers
Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.
Summary
- Response
- Total Requests
- 1
- Total Time
- 293 ms
https://notes.medien.rwth-aachen.de/KLb7k8gRRiqNdvhbYQqjDA/- Status
- 200
- Message
- OK
- Time
- 293 ms
- IP
- 137.226.203.20
Timing
Wait
0 ms
DNS
6 ms
TCP
88 ms
Request
1 ms
First Byte
113 ms
Download
0 ms
Total
293 ms
HTTP Headers
- Server
nginx/1.29.6
A name for the server.
Server
nginx
Description of the server software.
Version
1.29.6
Version number.
- Date
Wed, 29 Apr 2026 08:08:42 GMT
The date and time that the message was sent.
- Content-Type
text/html; charset=utf-8
The MIME type of this content.
Type
text/html
Description
HTML file
Charset
utf-8
- Content-Length
42233(42.2 kB)
The length of the response body in octets (8-bit bytes).
- Connection
keep-alive
Control options for the current connection and list of hop-by-hop response fields.
keep-alive - The client would like to keep the connection open.
- X-Powered-By
Express
The software powering this site.
- Strict-Transport-Security
max-age=31536000; includeSubDomains
A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
includesubdomains
max-age applies to subdomains as well.
- Strict-Transport-Security
max-age=31536000
A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
Problems were detected with this header
- Duplicate header. There is another header with this name and this may cause problems.
- Referrer-Policy
same-origin
Controls what referrer information is sent with requests.
same-origin - Send the full referrer for same origin requests, and nothing for cross-origin.
- Content-Security-Policy
default-src 'none';base-uri 'self';connect-src 'self' wss://notes.medien.rwth-aachen.de https://vimeo.com/api/v2/video/;font-src 'self';manifest-src 'self';frame-src 'self' https://player.vimeo.com https://www.youtube.com https://gist.github.com *;img-src * data:;script-src https://notes.medien.rwth-aachen.de/build/ https://notes.medien.rwth-aachen.de/js/ https://notes.medien.rwth-aachen.de/config 'unsafe-inline' 'nonce-fe111b57-9e90-4f67-8cd4-fe1ac5b061c3' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=';style-src https://notes.medien.rwth-aachen.de/build/ https://notes.medien.rwth-aachen.de/css/ 'unsafe-inline';object-src * *;form-action 'self';media-src *;upgrade-insecure-requests
The content security policy allows the server to determine what resources the user is allowed to load.
Default-Src
Fallback for all fetches.
- 'none'
Base-URI
Define what can be used in the base element.
- 'self'
Connect-Src
Define sources for script interfaces.
- 'self'
- wss://notes.medien.rwth-aachen.de
- https://vimeo.com/api/v2/video/
Font-Src
Define sources for fonts.
- 'self'
Manifest-Src
Define sources for manifest files.
- 'self'
Frame-Src
Define sources for frames.
- 'self'
- https://player.vimeo.com
- https://www.youtube.com
- https://gist.github.com
- *
Img-Src
Define sources for images and favicons.
- *
- data:
Script-Src
Define sources for JavaScript.
- https://notes.medien.rwth-aachen.de/build/
- https://notes.medien.rwth-aachen.de/js/
- https://notes.medien.rwth-aachen.de/config
- 'unsafe-inline'
- 'nonce-fe111b57-9e90-4f67-8cd4-fe1ac5b061c3'
- 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='
Style-Src
Define sources for stylesheets.
- https://notes.medien.rwth-aachen.de/build/
- https://notes.medien.rwth-aachen.de/css/
- 'unsafe-inline'
object-src
Define sources for object, embed, and applet elements.
Problems were found.
- Duplicate value detected.
- *
Duplicated value.
- *
Duplicated value.
Form-Action
Define what can be used as the target for forms.
- 'self'
Media-Src
Define sources for audio, video, and track elements.
- *
upgrade-insecure-requests
Treat insecure URLs as though they are secure.
- Hedgedoc-Version
1.10.8
- Cache-Control
private
Inform all caching mechanisms from server to client whether they may cache this object.
private - May only be stored by a browser cache.
- X-Robots-Tag
noindex, nofollow
Specify how the resource is shown in search results.
noindex
Do not show this page in search results.
nofollow
Do not follow links on this page.
- Etag
W/"a4f9-2JUz9j07fS4PwsJLWRlbZH48kAs"
An identifier for a specific version of a resource.
Validator
weak
A weak tag is easier to generate and prevents byte range caching.
Tag
a4f9-2JUz9j07fS4PwsJLWRlbZH48kAs
- Set-Cookie
connect.sid=s%3A8x-wnO8yZP9gCcJsOE-XN2uCnrFZQaGT.vv7G%2BSyTWf1TA3whYK3YJcPRDT8BdR41lxjcaQFrBgA; Path=/; Expires=Wed, 13 May 2026 08:08:42 GMT; HttpOnly; Secure; SameSite=Lax
A cookie sent from the server to be set on the client
connect.sid
s%3A8x-wnO8yZP9gCcJsOE-XN2uCnrFZQaGT.vv7G%2BSyTWf1TA3whYK3YJcPRDT8BdR41lxjcaQFrBgA
Cookie name and value.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Expires
Wed, 13 May 2026 08:08:42 GMT
When the cookie should expire.
HttpOnly
Prevents access to the cookie through JavaScript.
Secure
The cookie is only sent when requesting from a https domain.
Samesite
Lax
Cookie is not sent on cross-site requests but is when following a link to the origin.
- Vary
Accept-Encoding
Indicates that different content may be provided to different clients, depending on the vary header.
Headers
- Accept-Encoding