HTTP Headers

Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.

Summary

Response
200
Total Requests
1
Total Time
320 ms

  • https://pads.jeito.nl/s/phzhTA9wBs

    Status
    200
    Message
    OK
    Time
    320 ms
  • IP
    85.10.129.64
    View Map

  • Timing

    Wait

    0 ms

    DNS

    32 ms

    TCP

    85 ms

    Request

    0 ms

    First Byte

    94 ms

    Download

    0 ms

    Total

    320 ms

  • HTTP Headers

    Date

    Wed, 29 Apr 2026 08:05:52 GMT

    The date and time that the message was sent.

    Content-Type

    text/html; charset=utf-8

    The MIME type of this content.

    • Type

      text/html

    • Description

      HTML file

    • Charset

      utf-8

    Content-Length

    10685(10.7 kB)

    The length of the response body in octets (8-bit bytes).

    Connection

    keep-alive

    Control options for the current connection and list of hop-by-hop response fields.

    keep-alive - The client would like to keep the connection open.

    Strict-Transport-Security

    max-age=31536000; includeSubDomains

    A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.

    • Max-Age

      31536000 (1 year)

      The time a browser should remember a site can only be accessed with https (seconds).

    • includesubdomains

      max-age applies to subdomains as well.

    Strict-Transport-Security

    max-age=63072000;includeSubDomains; preload

    A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.

    • Max-Age

      63072000 (2 years)

      The time a browser should remember a site can only be accessed with https (seconds).

    • includesubdomains

      max-age applies to subdomains as well.

    • preload

      Use Google's preloading strict transport security.

    Problems were detected with this header

    • Duplicate header. There is another header with this name and this may cause problems.
    Referrer-Policy

    same-origin

    Controls what referrer information is sent with requests.

    same-origin - Send the full referrer for same origin requests, and nothing for cross-origin.

    Referrer-Policy

    strict-origin-when-cross-origin

    Controls what referrer information is sent with requests.

    strict-origin-when-cross-origin - Send the full referrer for a same origin request. Send the origin only for cross-domain requests where the protocol level is the same. Otherwise do not send the referrer.

    Problems were detected with this header

    • Duplicate header. There is another header with this name and this may cause problems.
    Content-Security-Policy

    default-src 'none';base-uri 'self';connect-src 'self' wss://pads.jeito.nl https://vimeo.com/api/v2/video/;font-src 'self';manifest-src 'self';frame-src 'self' https://player.vimeo.com https://www.youtube.com https://gist.github.com *;img-src * data:;script-src https://pads.jeito.nl/build/ https://pads.jeito.nl/js/ https://pads.jeito.nl/config 'unsafe-inline' 'nonce-53fb9619-2c46-4949-a89c-505e701f14be' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=';style-src https://pads.jeito.nl/build/ https://pads.jeito.nl/css/ 'unsafe-inline';object-src * *;form-action 'self';media-src *;upgrade-insecure-requests

    The content security policy allows the server to determine what resources the user is allowed to load.

    • Default-Src

      Fallback for all fetches.

      • 'none'

    • Base-URI

      Define what can be used in the base element.

      • 'self'

    • Connect-Src

      Define sources for script interfaces.

      • 'self'
      • wss://pads.jeito.nl
      • https://vimeo.com/api/v2/video/

    • Font-Src

      Define sources for fonts.

      • 'self'

    • Manifest-Src

      Define sources for manifest files.

      • 'self'

    • Frame-Src

      Define sources for frames.

      • 'self'
      • https://player.vimeo.com
      • https://www.youtube.com
      • https://gist.github.com
      • *

    • Img-Src

      Define sources for images and favicons.

      • *
      • data:

    • Script-Src

      Define sources for JavaScript.

      • https://pads.jeito.nl/build/
      • https://pads.jeito.nl/js/
      • https://pads.jeito.nl/config
      • 'unsafe-inline'
      • 'nonce-53fb9619-2c46-4949-a89c-505e701f14be'
      • 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='

    • Style-Src

      Define sources for stylesheets.

      • https://pads.jeito.nl/build/
      • https://pads.jeito.nl/css/
      • 'unsafe-inline'

    • object-src

      Define sources for object, embed, and applet elements.

      Problems were found.

      • Duplicate value detected.
      • *

        Duplicated value.

      • *

        Duplicated value.

    • Form-Action

      Define what can be used as the target for forms.

      • 'self'

    • Media-Src

      Define sources for audio, video, and track elements.

      • *

    • upgrade-insecure-requests

      Treat insecure URLs as though they are secure.

    Content-Security-Policy

    upgrade-insecure-requests

    The content security policy allows the server to determine what resources the user is allowed to load.

    upgrade-insecure-requests - Treat insecure URLs as though they are secure.

    Problems were detected with this header

    • Duplicate header. There is another header with this name and this may cause problems.
    Hedgedoc-Version

    1.10.5

    Cache-Control

    private

    Inform all caching mechanisms from server to client whether they may cache this object.

    private - May only be stored by a browser cache.

    Etag

    W/"29bd-xg/TpgHq9Q5GS5eETvC2EZYFJfM"

    An identifier for a specific version of a resource.

    • Validator

      weak

      A weak tag is easier to generate and prevents byte range caching.

    • Tag

      29bd-xg/TpgHq9Q5GS5eETvC2EZYFJfM

    Set-Cookie

    connect.sid=s%3AR_57Siu6ScojF49cHyVCjnsAEYSXUx6T.cXpwAHf52pftqOMqLL%2BblcJ%2BVoFFd0EfKjTQdpmtZrg; Path=/; Expires=Wed, 13 May 2026 08:05:52 GMT; HttpOnly; Secure; SameSite=None

    A cookie sent from the server to be set on the client

    • connect.sid

      s%3AR_57Siu6ScojF49cHyVCjnsAEYSXUx6T.cXpwAHf52pftqOMqLL%2BblcJ%2BVoFFd0EfKjTQdpmtZrg

      Cookie name and value.

    • Path

      /

      The client will only send the cookie when requesting this path, or subdirectories, from the server.

    • Expires

      Wed, 13 May 2026 08:05:52 GMT

      When the cookie should expire.

    • HttpOnly

      Prevents access to the cookie through JavaScript.

    • Secure

      The cookie is only sent when requesting from a https domain.

    • Samesite

      None

      Cookie sent with both cross-site and same-site requests..

    Vary

    Accept-Encoding

    Indicates that different content may be provided to different clients, depending on the vary header.

    • Headers

      • Accept-Encoding
    Server

    Proxy

    A name for the server.

    Proxy - Description of the server software.

    X-Content-Type-Options

    nosniff

    Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.

    nosniff - Block requests if type 'style' or 'script'.

    X-Xss-Protection

    1; mode=block

    Cross-site scripting (XSS) filter.

    • 1

      Enable XSS filtering.

    • Mode

      Filtering mode.

      • block - Block page if XSS is detected.
    X-Frame-Options

    SAMEORIGIN

    Clickjacking protection.

    SAMEORIGIN - No rendering if origin mismatch.

    Permissions-Policy

    interest-cohort=()

    Enable and disable browser features.

    • interest-cohort

      Control access to Federated Learning of Cohorts.

      • () - Feature is disabled.
    Expect-Ct

    enforce; max-age=604800

    Used by a server to indicate that UAs should evaluate connections to the host emitting the header field for CT compliance.

    • enforce; max-age

      604800

      Problems were found.

      • Option is not one of known values.
    X-Served-By

    pads.jeito.nl