HTTP Headers
Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.
Summary
- Response
- Total Requests
- 1
- Total Time
- 198 ms
https://vimeo.com/932550067
- Status
- 200
- Message
- OK
- Time
- 198 ms
- IP
- 162.159.128.61
Timing
Wait
0 ms
DNS
2 ms
TCP
3 ms
Request
0 ms
First Byte
191 ms
Download
0 ms
Total
198 ms
HTTP Headers
- Date
Sat, 12 Jul 2025 07:36:32 GMT
The date and time that the message was sent.
- Content-Type
text/html; charset=UTF-8
The MIME type of this content.
Type
text/html
Description
HTML file
Charset
UTF-8
- Connection
close
Control options for the current connection and list of hop-by-hop response fields.
close - The client or server would like to close the connection.
- Cf-Ray
95dedec0ef14436e-EWR
Encoded information about your request from Cloudflare.
- Cf-Cache-Status
DYNAMIC
Encoded information about your request from Cloudflare.
DYNAMIC - This is not cached by default.
- Accept-Ranges
bytes
What partial content range types this server supports via byte serving.
bytes - Byte ranges are supported.
- Age
0
The age the object has been in a proxy cache in seconds.
- Cache-Control
no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Inform all caching mechanisms from server to client whether they may cache this object.
no-store
May not be stored by any cache.
no-cache
May be stored by any cache but must be validated by the server.
must-revalidate
Stale caches must not be used.
post-check
0
Problems were found.
- Option is not one of known values.
pre-check
0
Problems were found.
- Option is not one of known values.
- Expires
Sat, 12 Jul 2025 07:51:32 GMT
The time at which the response is considered stale.
- Strict-Transport-Security
max-age=31536000; includeSubDomains; preload
An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
includeSubDomains
max-age applies to subdomains as well.
preload
Signals consent for inclusion in Google's HSTS preload list.
- Vary
User-Agent, X-Geo-Vary-Group, Crossroads-Backend, Accept-Encoding,x-http-method-override
Indicates that different content may be provided to different clients, depending on the vary header.
Headers
- User-Agent
- X-Geo-Vary-Group
- Crossroads-Backend
- Accept-Encoding
- x-http-method-override
- Via
1.1 varnish (Varnish/6.0), 1.1 varnish, 1.1 varnish
Added by proxies to track a request through proxies and to avoid loops.
Version
1.1
Protocol version.
Host
Host name.
Version
1.1
Protocol version.
Host
Host name.
Version
1.1
Protocol version.
Host
Host name.
- Content-Security-Policy-Report-Only
default-src 'self' f.vimeocdn.com; connect-src 'self' blob: data: ws: wss: *.6sc.co *.6sense.com *.agora.io *.akamaized.net clientassets.sightera.com.s3.amazonaws.com https://d263mgllkjh2k2.cloudfront.net http://d1ripsxh7es2qp.cloudfront.net https://d3fclmoge30w0w.cloudfront.net cognito-identity.us-east-1.amazonaws.com cognito-identity.us-west-1.amazonaws.com https://s3.amazonaws.com/beast.branding.sightera.com https://s3.amazonaws.com/beast.business.sightera.com https://s3.amazonaws.com/beast.business.sightera.com/ https://s3.amazonaws.com/beast.branding.sightera.com/ https://s3.amazonaws.com/test.sightera.com/ https://s3.amazonaws.com/business.sightera.com/ https://s3.amazonaws.com/sound.sightera.com/ sqs.us-east-1.amazonaws.com sqs.us-west-1.amazonaws.com wirewax.s3.eu-west-1.amazonaws.com *.amplitude.com vimeo.bynder.com bat.bing-int.com bat.bing.com bat.bing.net www.bing.com api.branch.io cdn.builder.io https://d1ripsxh7es2qp.cloudfront.net http://d1oca24q5dwo6d.cloudfront.net d2by6sxflmuwyq.cloudfront.net duysrfiajusdh.cloudfront.net dv7a7fjpjy29e.cloudfront.net cdn.cookielaw.org browser-intake-datadoghq.com ad.doubleclick.net *.g.doubleclick.net *.elfsight.com fp.service.expressplay.com pr.service.expressplay.com wv.service.expressplay.com www.facebook.com s-usc1f-nss-6502.firebaseio.com tracking-api.g2.com *.getsmartling.com *.google.ae *.google.com *.google.ca *.google.ch *.google.es *.google.fr *.google.ge *.google.iq *.google.is *.google.it *.google.pl *.google.se *.google.si *.google.rs *.google.co.jp *.google.co.kr *.google.co.nz *.google.co.th *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.mx *.google.com.pk *.google.com.sa *.google.com.tr *.google.com.uk *.google.de *.analytics.google.com *.google-analytics.com www.googleadservices.com *.googleapis.com csi.gstatic.com pagead2.googlesyndication.com *.googletagmanager.com api.greenhouse.io *.hivestreaming.com 117151225.intellimizeio.com *.intellimize.co *.kollective.app 
*.kollective.app:31015 *.kollectivecd.com leatherback-dot-vimeo-prod.appspot.com snap.licdn.com px.ads.linkedin.com linkedin.com *.litix.io *.cdn.magisto.com vimeo.magisto.com *.maze.co 582-gou-684.mktoresp.com js-agent.newrelic.com t.paypal.com data.pendo.io *.pndsn.com privacyportal.onetrust.com privacyportal-cdn.onetrust.com app.qualified.com *.qualtrics.com pixel-config.reddit.com www.redditstatic.com *.riskified.com *.statscollector.ap.sd-rtn.com *.ap.sd-rtn.com o209747.ingest.us.sentry.io sierra.chat simonsignal.com static.simonsignal.com sdk-api-v1.singular.net web-sdk-cdn.singular.net telemetry.transcend.io transcend-cdn.com https://drm.vhx.com/v2/fairplay/cert collector.vhx.tv *.cloud.vimeo.com interactive.create.vimeo.com *.vimeo.com vimeo.com *.vimeo.work *.vimeocdn.com cdn.widerfunnel.com appds8093.blob.core.windows.net *.wirewax.com *.wirewax.tv *.zdassets.com vimeosupport.zendesk.com *.zoom.us zoom.us ws.zoominfo.com; font-src 'self' data: d2by6sxflmuwyq.cloudfront.net dv7a7fjpjy29e.cloudfront.net fonts.gstatic.com *.cdn.magisto.com privacyportal-cdn.onetrust.com www.paypalobjects.com cf-st.sc-cdn.net use.typekit.net f.vimeocdn.com edge-assets.wirewax.com; frame-src *; img-src * blob: data:; media-src 'self' blob: data: *.akamaized.net https://d263mgllkjh2k2.cloudfront.net http://d1oca24q5dwo6d.cloudfront.net duysrfiajusdh.cloudfront.net media.gettyimages.com *.gvt1.com *.cdn.magisto.com live-api.cloud.vimeo.com player.vimeo.com *.vimeocdn.com app.qualified.com https://s3.amazonaws.com/sound.sightera.com/ https://s3.amazonaws.com/test.sightera.com/ https://s3.amazonaws.com/beast.business.sightera.com/ https://s3.amazonaws.com/beast.business.sightera.com https://s3.amazonaws.com/beast.branding.sightera.com/ https://s3.amazonaws.com/beast.branding.sightera.co https://storage.googleapis.com/vimeo-create-prod-files/ http://d1ripsxh7es2qp.cloudfront.net https://d3fclmoge30w0w.cloudfront.net; object-src 'self' *.vimeocdn.com *.akamaized.net; script-src 
'unsafe-inline' 'unsafe-eval' 'self' data: ws: wss: https://s0.2mdn.net/instream/video/ *.6sc.co wirewax.s3.eu-west-1.amazonaws.com app.link bat.bing-int.com bat.bing.com cdnjs.cloudflare.com challenges.cloudflare.com www.datadoghq-browser-agent.com *.g.doubleclick.net www.dropbox.com static.elfsight.com *.elfsightcdn.com connect.facebook.net s-usc1b-nss-2112.firebaseio.com s-usc1b-nss-2113.firebaseio.com s-usc1f-nss-6502.firebaseio.com s-usc1f-nss-6500.firebaseio.com vimeo-chat.firebaseio.com tracking.g2crowd.com *.google.com www.googleadservices.com www.gstatic.com *.google-analytics.com maps.googleapis.com pendo-io-static.storage.googleapis.com pendo-static-6633483048714240.storage.googleapis.com pagead2.googlesyndication.com www.googletagmanager.com www.googletagservices.com cdn.intellimize.co *.kollective.app snap.licdn.com src.litix.io lp.livestream.com munchkin.marketo.net snippet.maze.co privacyportal-cdn.onetrust.com www.paypalobjects.com cdn.pendo.io js.qualified.com data.pendo.io *.qualtrics.com www.redditstatic.com beacon.riskified.com secured-pixel.com sierra.chat static.simonsignal.com web-sdk-cdn.singular.net transcend-cdn.com vimeo.com *.vimeo.com *.vimeocdn.com cdn.widerfunnel.com edge-assets.wirewax.com embedder-sdk.wirewax.com embedder-sdk.wirewax.tv origin-4.xtlo.net static.zdassets.com *.zoom.us zoom.us ws.zoominfo.com static.zuora.com https://www.dropbox.com/static/api/2/dropins.js; style-src 'self' 'unsafe-inline' *.6sc.co cdn01.boxcdn.net cdnjs.cloudflare.com accounts.google.com fonts.googleapis.com pendo-static-6633483048714240.storage.googleapis.com www.gstatic.com lp.livestream.com privacyportal-cdn.onetrust.com www.paypalobjects.com sierra.chat *.vimeo.com *.vimeocdn.com vimeopro.com transcend-cdn.com cdn.widerfunnel.com edge-assets.wirewax.com edge-player5.wirewax.com origin-4.xtlo.net; worker-src 'self' blob:; report-to csp-endpoint; report-uri 
https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=puba92ed04ee7cceea44335c3d8c1ccc173&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=service%3Acspreport%2Cenv%3Aproduction
The content security policy, reporting only.
Default-Src
Fallback for all fetches.
- 'self'
- f.vimeocdn.com
Connect-Src
Define sources for script interfaces.
- 'self'
- blob:
- data:
- ws:
- wss:
- *.6sc.co
- *.6sense.com
- *.agora.io
- *.akamaized.net
- clientassets.sightera.com.s3.amazonaws.com
- https://d263mgllkjh2k2.cloudfront.net
- http://d1ripsxh7es2qp.cloudfront.net
- https://d3fclmoge30w0w.cloudfront.net
- cognito-identity.us-east-1.amazonaws.com
- cognito-identity.us-west-1.amazonaws.com
- https://s3.amazonaws.com/beast.branding.sightera.com
- https://s3.amazonaws.com/beast.business.sightera.com
- https://s3.amazonaws.com/beast.business.sightera.com/
- https://s3.amazonaws.com/beast.branding.sightera.com/
- https://s3.amazonaws.com/test.sightera.com/
- https://s3.amazonaws.com/business.sightera.com/
- https://s3.amazonaws.com/sound.sightera.com/
- sqs.us-east-1.amazonaws.com
- sqs.us-west-1.amazonaws.com
- wirewax.s3.eu-west-1.amazonaws.com
- *.amplitude.com
- vimeo.bynder.com
- bat.bing-int.com
- bat.bing.com
- bat.bing.net
- www.bing.com
- api.branch.io
- cdn.builder.io
- https://d1ripsxh7es2qp.cloudfront.net
- http://d1oca24q5dwo6d.cloudfront.net
- d2by6sxflmuwyq.cloudfront.net
- duysrfiajusdh.cloudfront.net
- dv7a7fjpjy29e.cloudfront.net
- cdn.cookielaw.org
- browser-intake-datadoghq.com
- ad.doubleclick.net
- *.g.doubleclick.net
- *.elfsight.com
- fp.service.expressplay.com
- pr.service.expressplay.com
- wv.service.expressplay.com
- www.facebook.com
- s-usc1f-nss-6502.firebaseio.com
- tracking-api.g2.com
- *.getsmartling.com
- *.google.ae
- *.google.com
- *.google.ca
- *.google.ch
- *.google.es
- *.google.fr
- *.google.ge
- *.google.iq
- *.google.is
- *.google.it
- *.google.pl
- *.google.se
- *.google.si
- *.google.rs
- *.google.co.jp
- *.google.co.kr
- *.google.co.nz
- *.google.co.th
- *.google.co.uk
- *.google.com.ar
- *.google.com.au
- *.google.com.br
- *.google.com.mx
- *.google.com.pk
- *.google.com.sa
- *.google.com.tr
- *.google.com.uk
- *.google.de
- *.analytics.google.com
- *.google-analytics.com
- www.googleadservices.com
- *.googleapis.com
- csi.gstatic.com
- pagead2.googlesyndication.com
- *.googletagmanager.com
- api.greenhouse.io
- *.hivestreaming.com
- 117151225.intellimizeio.com
- *.intellimize.co
- *.kollective.app
- *.kollective.app:31015
- *.kollectivecd.com
- leatherback-dot-vimeo-prod.appspot.com
- snap.licdn.com
- px.ads.linkedin.com
- linkedin.com
- *.litix.io
- *.cdn.magisto.com
- vimeo.magisto.com
- *.maze.co
- 582-gou-684.mktoresp.com
- js-agent.newrelic.com
- t.paypal.com
- data.pendo.io
- *.pndsn.com
- privacyportal.onetrust.com
- privacyportal-cdn.onetrust.com
- app.qualified.com
- *.qualtrics.com
- pixel-config.reddit.com
- www.redditstatic.com
- *.riskified.com
- *.statscollector.ap.sd-rtn.com
- *.ap.sd-rtn.com
- o209747.ingest.us.sentry.io
- sierra.chat
- simonsignal.com
- static.simonsignal.com
- sdk-api-v1.singular.net
- web-sdk-cdn.singular.net
- telemetry.transcend.io
- transcend-cdn.com
- https://drm.vhx.com/v2/fairplay/cert
- collector.vhx.tv
- *.cloud.vimeo.com
- interactive.create.vimeo.com
- *.vimeo.com
- vimeo.com
- *.vimeo.work
- *.vimeocdn.com
- cdn.widerfunnel.com
- appds8093.blob.core.windows.net
- *.wirewax.com
- *.wirewax.tv
- *.zdassets.com
- vimeosupport.zendesk.com
- *.zoom.us
- zoom.us
- ws.zoominfo.com
Font-Src
Define sources for fonts.
- 'self'
- data:
- d2by6sxflmuwyq.cloudfront.net
- dv7a7fjpjy29e.cloudfront.net
- fonts.gstatic.com
- *.cdn.magisto.com
- privacyportal-cdn.onetrust.com
- www.paypalobjects.com
- cf-st.sc-cdn.net
- use.typekit.net
- f.vimeocdn.com
- edge-assets.wirewax.com
Frame-Src
Define sources for frames.
- *
Img-Src
Define sources for images and favicons.
- *
- blob:
- data:
Media-Src
Define sources for audio, video, and track elements.
- 'self'
- blob:
- data:
- *.akamaized.net
- https://d263mgllkjh2k2.cloudfront.net
- http://d1oca24q5dwo6d.cloudfront.net
- duysrfiajusdh.cloudfront.net
- media.gettyimages.com
- *.gvt1.com
- *.cdn.magisto.com
- live-api.cloud.vimeo.com
- player.vimeo.com
- *.vimeocdn.com
- app.qualified.com
- https://s3.amazonaws.com/sound.sightera.com/
- https://s3.amazonaws.com/test.sightera.com/
- https://s3.amazonaws.com/beast.business.sightera.com/
- https://s3.amazonaws.com/beast.business.sightera.com
- https://s3.amazonaws.com/beast.branding.sightera.com/
- https://s3.amazonaws.com/beast.branding.sightera.co
- https://storage.googleapis.com/vimeo-create-prod-files/
- http://d1ripsxh7es2qp.cloudfront.net
- https://d3fclmoge30w0w.cloudfront.net
Object-Src
Define sources for object, embed, and applet elements.
- 'self'
- *.vimeocdn.com
- *.akamaized.net
Script-Src
Define sources for JavaScript.
- 'unsafe-inline'
- 'unsafe-eval'
- 'self'
- data:
- ws:
- wss:
- https://s0.2mdn.net/instream/video/
- *.6sc.co
- wirewax.s3.eu-west-1.amazonaws.com
- app.link
- bat.bing-int.com
- bat.bing.com
- cdnjs.cloudflare.com
- challenges.cloudflare.com
- www.datadoghq-browser-agent.com
- *.g.doubleclick.net
- www.dropbox.com
- static.elfsight.com
- *.elfsightcdn.com
- connect.facebook.net
- s-usc1b-nss-2112.firebaseio.com
- s-usc1b-nss-2113.firebaseio.com
- s-usc1f-nss-6502.firebaseio.com
- s-usc1f-nss-6500.firebaseio.com
- vimeo-chat.firebaseio.com
- tracking.g2crowd.com
- *.google.com
- www.googleadservices.com
- www.gstatic.com
- *.google-analytics.com
- maps.googleapis.com
- pendo-io-static.storage.googleapis.com
- pendo-static-6633483048714240.storage.googleapis.com
- pagead2.googlesyndication.com
- www.googletagmanager.com
- www.googletagservices.com
- cdn.intellimize.co
- *.kollective.app
- snap.licdn.com
- src.litix.io
- lp.livestream.com
- munchkin.marketo.net
- snippet.maze.co
- privacyportal-cdn.onetrust.com
- www.paypalobjects.com
- cdn.pendo.io
- js.qualified.com
- data.pendo.io
- *.qualtrics.com
- www.redditstatic.com
- beacon.riskified.com
- secured-pixel.com
- sierra.chat
- static.simonsignal.com
- web-sdk-cdn.singular.net
- transcend-cdn.com
- vimeo.com
- *.vimeo.com
- *.vimeocdn.com
- cdn.widerfunnel.com
- edge-assets.wirewax.com
- embedder-sdk.wirewax.com
- embedder-sdk.wirewax.tv
- origin-4.xtlo.net
- static.zdassets.com
- *.zoom.us
- zoom.us
- ws.zoominfo.com
- static.zuora.com
- https://www.dropbox.com/static/api/2/dropins.js
Style-Src
Define sources for stylesheets.
- 'self'
- 'unsafe-inline'
- *.6sc.co
- cdn01.boxcdn.net
- cdnjs.cloudflare.com
- accounts.google.com
- fonts.googleapis.com
- pendo-static-6633483048714240.storage.googleapis.com
- www.gstatic.com
- lp.livestream.com
- privacyportal-cdn.onetrust.com
- www.paypalobjects.com
- sierra.chat
- *.vimeo.com
- *.vimeocdn.com
- vimeopro.com
- transcend-cdn.com
- cdn.widerfunnel.com
- edge-assets.wirewax.com
- edge-player5.wirewax.com
- origin-4.xtlo.net
Worker-Src
Define sources for Worker, SharedWorker, and ServiceWorker scripts.
- 'self'
- blob:
Report-To
Name of the reporting endpoint group that receives violation reports.
- csp-endpoint
- Reporting-Endpoints
csp-endpoint="https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=puba92ed04ee7cceea44335c3d8c1ccc173&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=service%3Acspreport%2Cenv%3Aproduction"
- X-Backend-Proxy
web-varnish-7b67c4657-sqt2m
- X-Bapp-Server
pweb-679f8776bf-8pxwn
- X-Cache
MISS, MISS
Indicates whether a cache was used to serve this response.
- X-Cache-Hits
0, 0
- X-Content-Type-Options
nosniff
Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
nosniff - Blocks 'style' and 'script' requests whose MIME type does not match.
- X-Frame-Options
sameorigin
Clickjacking protection.
sameorigin - No rendering if origin mismatch.
- X-Link-Match
9
- X-Served-By
cache-iad-kjyo7100113-IAD, cache-lga21924-LGA
- X-Timer
S1752305792.165855,VS0,VE166
- X-Turnstile-Exception
0
- X-Ua-Compatible
IE=edge
Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content.
IE=edge - Use highest level rendering.
- X-Varnish-Cache
0
- X-Vimeo-Device
d
- X-Vserver
web-varnish-7b67c4657-sqt2m
- X-Xss-Protection
1; mode=block
Cross-site scripting (XSS) filter.
1
Enable XSS filtering.
Mode
Filtering mode.
- block - Block page if XSS is detected.
- Set-Cookie
__cf_bm=xMoOeJwzL9WwMEmA_XPzzMBoj5_1QUkR2OXBZ5yXuaA-1752305792-1.0.1.1-7EtptwMHODWXdJ9sxdFZghNZ7TB3qKfzzlSnazvVyyCnPGd3tCvyacQAwdgN81z7; path=/; expires=Sat, 12-Jul-25 08:06:32 GMT; domain=.vimeo.com; HttpOnly; Secure; SameSite=None
A cookie sent from the server to be set on the client
__cf_bm
xMoOeJwzL9WwMEmA_XPzzMBoj5_1QUkR2OXBZ5yXuaA-1752305792-1.0.1.1-7EtptwMHODWXdJ9sxdFZghNZ7TB3qKfzzlSnazvVyyCnPGd3tCvyacQAwdgN81z7
Cookie name and value.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Expires
Sat, 12-Jul-25 08:06:32 GMT
When the cookie should expire.
Domain
.vimeo.com
The client will only send the cookie when requesting from this domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Secure
The cookie is only sent when requesting from an https domain.
Samesite
None
Cookie sent with both cross-site and same-site requests.
- Set-Cookie
_cfuvid=Zcovr3b2YGJPctvDJUAUGJKhiZPnjn31ITAWC0C_er0-1752305792335-0.0.1.1-604800000; path=/; domain=.vimeo.com; HttpOnly; Secure; SameSite=None
A cookie sent from the server to be set on the client
_cfuvid
Zcovr3b2YGJPctvDJUAUGJKhiZPnjn31ITAWC0C_er0-1752305792335-0.0.1.1-604800000
Cookie name and value.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Domain
.vimeo.com
The client will only send the cookie when requesting from this domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Secure
The cookie is only sent when requesting from an https domain.
Samesite
None
Cookie sent with both cross-site and same-site requests.
- Server
cloudflare
A name for the server.
cloudflare - Description of the server software.