HTTP Headers
Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.
Summary
- Response
- Total Requests
- 1
- Total Time
- 877 ms
https://www.youtube.com/shorts/A8iWrIkSdIQ- Status
- 200
- Message
- OK
- Time
- 877 ms
- IP
- 142.250.188.14
Timing
Wait
0 ms
DNS
3 ms
TCP
2 ms
Request
0 ms
First Byte
861 ms
Download
1 ms
Total
877 ms
HTTP Headers
- Content-Type
text/html; charset=utf-8
The MIME type of this content.
Type
text/html
Description
HTML file
Charset
utf-8
- X-Content-Type-Options
nosniff
Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
nosniff - Block requests if type 'style' or 'script'.
- Content-Security-Policy
script-src 'unsafe-eval' 'self' 'unsafe-inline' https://www.google.com https://apis.google.com https://ssl.gstatic.com https://www.gstatic.com https://www.googletagmanager.com https://www.google-analytics.com https://*.youtube.com https://*.google.com https://*.gstatic.com https://youtube.com https://www.youtube.com https://google.com https://*.doubleclick.net https://*.googleapis.com https://www.googleadservices.com https://tpc.googlesyndication.com https://www.youtubekids.com https://www.youtube-nocookie.com https://www.youtubeeducation.com https://www-onepick-opensocial.googleusercontent.com;report-uri https://csp.withgoogle.com/csp/youtube_main/allowlist
The content security policy allows the server to determine what resources the user is allowed to load.
Script-Src
Define sources for JavaScript.
- 'unsafe-eval'
- 'self'
- 'unsafe-inline'
- https://www.google.com
- https://apis.google.com
- https://ssl.gstatic.com
- https://www.gstatic.com
- https://www.googletagmanager.com
- https://www.google-analytics.com
- https://*.youtube.com
- https://*.google.com
- https://*.gstatic.com
- https://youtube.com
- https://www.youtube.com
- https://google.com
- https://*.doubleclick.net
- https://*.googleapis.com
- https://www.googleadservices.com
- https://tpc.googlesyndication.com
- https://www.youtubekids.com
- https://www.youtube-nocookie.com
- https://www.youtubeeducation.com
- https://www-onepick-opensocial.googleusercontent.com
Report-URI
https://csp.withgoogle.com/csp/youtube_main/allowlist
URI for violation reports.
- Content-Security-Policy
require-trusted-types-for 'script'
The content security policy allows the server to determine what resources the user is allowed to load.
Require-Trusted-Types-For
Enforce trusted types for DOM XSS.
- 'script'
Problems were detected with this header
- Duplicate header. There is another header with this name and this may cause problems.
- Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Inform all caching mechanisms from server to client whether they may cache this object.
no-cache
May be stored by any cache but must be validated by the server.
no-store
May not be stored by any cache.
Max-Age
0
The time a browser should remember a site can only be accessed with https (seconds).
must-revalidate
Stale caches must not be used.
- Pragma
no-cache
HTTP/1.0 backwards compatible cache handling.
no-cache - Force requests to the origin server before releasing a cache.
- Expires
Mon, 01 Jan 1990 00:00:00 GMT
The time at which the response is considered stale.
- Date
Sun, 11 Jan 2026 07:16:07 GMT
The date and time that the message was sent.
- Content-Length
0
The length of the response body in octets (8-bit bytes).
- Strict-Transport-Security
max-age=31536000
A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
- X-Frame-Options
SAMEORIGIN
Clickjacking protection.
SAMEORIGIN - No rendering if origin mismatch.
- Origin-Trial
ApTXX1w2dkJZuuxlV9csQYg+9ZVXekg+mOu8mS9vb7/V2oeMLKqGC8blgR6ech+eqbhGAgLKPthyai7z89MdTAgAAACLeyJvcmlnaW4iOiJodHRwczovL3d3dy55b3V0dWJlLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQb2xpY3lJbmNsdWRlSlNDYWxsU3RhY2tzSW5DcmFzaFJlcG9ydHMiLCJleHBpcnkiOjE3NDk1MTM2MDAsImlzU3ViZG9tYWluIjp0cnVlfQ==
- Origin-Trial
AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
- Origin-Trial
AiDEBptUfVeO93q48VdVMe/ubupazdAl8AaHP+NBzdnW8quUcHdzJUyGSfrmtpKJu7EOvwRp9ug2rEo3XU+WMAMAAAB2eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJEZXZpY2VCb3VuZFNlc3Npb25DcmVkZW50aWFsczIiLCJleHBpcnkiOjE3NzQzMTA0MDAsImlzU3ViZG9tYWluIjp0cnVlfQ==
- Cross-Origin-Opener-Policy
same-origin-allow-popups; report-to="youtube_main"
Isolate the document from cross-origin windows.
same-origin-allow-popups; report-to="youtube_main"
Problems were found.
- Option is not one of known values.
- Accept-Ch
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Specify what client hints should be included in subsequent requests.
sec-ch-ua-arch
Problems were found.
- Option is not one of known values.
sec-ch-ua-bitness
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version-list
Problems were found.
- Option is not one of known values.
sec-ch-ua-model
Problems were found.
- Option is not one of known values.
sec-ch-ua-wow64
Problems were found.
- Option is not one of known values.
sec-ch-ua-form-factors
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform-version
Problems were found.
- Option is not one of known values.
sec-ch-viewport-width
Problems were found.
- Option is not one of known values.
sec-ch-dpr
Problems were found.
- Option is not one of known values.
device-memory
Indicate approximate amount of RAM.
- Vary
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Indicates that different content may be provided to different clients, depending on the vary header.
Headers
- Sec-CH-UA-Arch
- Sec-CH-UA-Bitness
- Sec-CH-UA-Full-Version
- Sec-CH-UA-Full-Version-List
- Sec-CH-UA-Model
- Sec-CH-UA-WoW64
- Sec-CH-UA-Form-Factors
- Sec-CH-UA-Platform
- Sec-CH-UA-Platform-Version
- Sec-CH-Viewport-Width
- Sec-CH-DPR
- Device-Memory
- Report-To
{"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
Report to.
Group
youtube_main
Max_age
2592000
Endpoints
- {"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}
- Permissions-Policy
ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Enable and disable browser features.
ch-ua-arch
Control access to the user agent architecture.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-bitness
Control access to the user agent bitness.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version
Control access to the user agent full version.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version-list
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-model
Control access about the user agent device.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-wow64
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-form-factors
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform
Control access to the user agent platform.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform-version
Control access to the user agent platform version.
- * - Allowed on this page and all nested contexts of any origin.
- Reporting-Endpoints
default="/web-reports?context=eJwNzXtozXEcxnG_vRtzztk55_f7fr5uUxhribPOZCOay3BIjeUSNtrNmRY25uwYLaUIhZLrzDVCrkWEGXOd67BZJJcSaVmuueX6_eP1x1PP0-O6Gbv5RIlV8G--1WdcqTUzudwac3-RtTYUsb4diFjHaiNWW8-olZsYtba1RK15LyutXf7pMZXdpsfU5rgoLnbxtdrFp2cuKj-4yO3npnm8m7YJbs4cdFN70s3zt24-5ntIq_DQmh1PXXU8Ba_i6T_Fy6FzXrIbvGww3v_xkp7hIxr24Y762L7GR-pWH3F7fXS-7aOuj5-4fD8uo6nGT8cTfp599zNL2axPs9kx1eZ5nk3WHJuqKpsVRuZ6m2FbbC4dtkk4bqMe2XRvtXn1w-Z1L4elQxyehhz-jXc4NMkhK9fhbZnD0CqHP2sdrlxyyGg0uckh6bFD8I1DXAeFEsWEboqsBMWRHiYnKg6mKAJpivAIxY-JipocxahchatMsdF4sVCxslwxcpVixmYFRxW3jAunFPnnFfcaFJfvKEJPFEuMpHeKTZ8VA78ofv8yfY-w3CsEtZDdWeiSLkQGCfUh4a7RZnw2_hqxY4XE2UJNWCiMCL8rhMxVwtRqYZlx0Ti-R2jcJzQZD_YLzcaWo0JOnRCqF75fFpKvCkXGtevCjQbzYYxuFM49EN49NJqF1S3C_KfCmpdC39eC80bI-CLkfRUKjJ3tNENjNcONn27NL48mM17T3a-Z4WiWKc020bQYoztpenfROF01u409xv0ETWGS5nSy5m5AszeouThI0zpWM3mapqFYUzPXbDxxZ3esu9Pe_6R-3fmYxMCSsopIRWE4ZXG4MFBcXlYaCYRLZweKyksiJUUF8_IGBAekB1ODg1OCwbwFqf8B6njabQ"
- Document-Policy
include-js-call-stacks-in-crash-reports
- P3p
CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
P3P policy.
- Server
ESF
A name for the server.
ESF - Description of the server software.
- X-Xss-Protection
0
Cross-site scripting (XSS) filter.
0 - Disable XSS filtering.
- Set-Cookie
GPS=1; Domain=.youtube.com; Expires=Sun, 11-Jan-2026 07:46:08 GMT; Path=/; Secure; HttpOnly
A cookie sent from the server to be set on the client
GPS
1
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Sun, 11-Jan-2026 07:46:08 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
- Set-Cookie
YSC=e9OeV8j9WUs; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
YSC
e9OeV8j9WUs
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
__Secure-ROLLOUT_TOKEN=CMm_wKzR-Z7ZggEQhu-MwviCkgMYhu-MwviCkgM%3D; Domain=youtube.com; Expires=Fri, 10-Jul-2026 07:16:08 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
__Secure-ROLLOUT_TOKEN
CMm_wKzR-Z7ZggEQhu-MwviCkgMYhu-MwviCkgM%3D
Cookie name and value.
Domain
youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Fri, 10-Jul-2026 07:16:08 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
__Secure-YEC=; Domain=.youtube.com; Expires=Mon, 17-Apr-2023 07:16:08 GMT; Path=/; Secure; HttpOnly; SameSite=lax
A cookie sent from the server to be set on the client
__Secure-YEC
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Mon, 17-Apr-2023 07:16:08 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
lax
Cookie is not sent on cross-site requests but is when following a link to the origin.
- Set-Cookie
VISITOR_INFO1_LIVE=wKsQo6IxG-Y; Domain=.youtube.com; Expires=Fri, 10-Jul-2026 07:16:08 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_INFO1_LIVE
wKsQo6IxG-Y
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Fri, 10-Jul-2026 07:16:08 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgCQ%3D%3D; Domain=.youtube.com; Expires=Fri, 10-Jul-2026 07:16:08 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_PRIVACY_METADATA
CgJVUxIEGgAgCQ%3D%3D
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Fri, 10-Jul-2026 07:16:08 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Alt-Svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Indicate a resource should be loaded from a different server while still appearing to be loaded from this server.
Service
- h3 - :443
Service
- ma - 2592000 (30 days)
Max age for the alternative (seconds).
- h3-29 - :443
HTTP/3 (draft 29)
- ma - 2592000 (30 days)
Service
- ma - 2592000 (30 days)
Max age for the alternative (seconds).
- ma - 2592000 (30 days)