HTTP Headers
Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.
Summary
- Response
- Total Requests: 1
- Total Time: 1367 ms

https://www.youtube.com/shorts/A8iWrIkSdIQ
- Status: 200
- Message: OK
- Time: 1367 ms
- IP: 142.251.211.142
Timing
- Wait: 4 ms
- DNS: 2 ms
- TCP: 3 ms
- Request: 0 ms
- First Byte: 1341 ms
- Download: 1 ms
- Total: 1367 ms
HTTP Headers
- Content-Type
text/html; charset=utf-8
The MIME type of this content.
Type
text/html
Description
HTML file
Charset
utf-8
- X-Content-Type-Options
nosniff
Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
nosniff - Block requests if type 'style' or 'script'.
- Content-Security-Policy
script-src 'unsafe-eval' 'self' 'unsafe-inline' https://www.google.com https://apis.google.com https://ssl.gstatic.com https://www.gstatic.com https://www.googletagmanager.com https://www.google-analytics.com https://*.youtube.com https://*.google.com https://*.gstatic.com https://youtube.com https://www.youtube.com https://google.com https://*.doubleclick.net https://*.googleapis.com https://www.googleadservices.com https://tpc.googlesyndication.com https://www.youtubekids.com https://www.youtube-nocookie.com https://www.youtubeeducation.com https://www-onepick-opensocial.googleusercontent.com;report-uri https://csp.withgoogle.com/csp/youtube_main/allowlist
The content security policy allows the server to determine what resources the user is allowed to load.
Script-Src
Define sources for JavaScript.
- 'unsafe-eval'
- 'self'
- 'unsafe-inline'
- https://www.google.com
- https://apis.google.com
- https://ssl.gstatic.com
- https://www.gstatic.com
- https://www.googletagmanager.com
- https://www.google-analytics.com
- https://*.youtube.com
- https://*.google.com
- https://*.gstatic.com
- https://youtube.com
- https://www.youtube.com
- https://google.com
- https://*.doubleclick.net
- https://*.googleapis.com
- https://www.googleadservices.com
- https://tpc.googlesyndication.com
- https://www.youtubekids.com
- https://www.youtube-nocookie.com
- https://www.youtubeeducation.com
- https://www-onepick-opensocial.googleusercontent.com
Report-URI
https://csp.withgoogle.com/csp/youtube_main/allowlist
URI for violation reports.
- Content-Security-Policy
require-trusted-types-for 'script'
The content security policy allows the server to determine what resources the user is allowed to load.
Require-Trusted-Types-For
Enforce trusted types for DOM XSS.
- 'script'
Problems were detected with this header
- Duplicate header. There is another header with this name and this may cause problems.
- Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Inform all caching mechanisms from server to client whether they may cache this object.
no-cache
May be stored by any cache but must be validated by the server.
no-store
May not be stored by any cache.
Max-Age
0
The maximum time a response may be considered fresh (seconds).
must-revalidate
Stale caches must not be used.
- Pragma
no-cache
HTTP/1.0 backwards compatible cache handling.
no-cache - Force requests to the origin server before releasing a cache.
- Expires
Mon, 01 Jan 1990 00:00:00 GMT
The time at which the response is considered stale.
- Date
Wed, 25 Feb 2026 09:48:52 GMT
The date and time that the message was sent.
- Content-Length
0
The length of the response body in octets (8-bit bytes).
- Strict-Transport-Security
max-age=31536000
An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
- X-Frame-Options
SAMEORIGIN
Clickjacking protection.
SAMEORIGIN - No rendering if origin mismatch.
- Origin-Trial
AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
- Origin-Trial
AiDEBptUfVeO93q48VdVMe/ubupazdAl8AaHP+NBzdnW8quUcHdzJUyGSfrmtpKJu7EOvwRp9ug2rEo3XU+WMAMAAAB2eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJEZXZpY2VCb3VuZFNlc3Npb25DcmVkZW50aWFsczIiLCJleHBpcnkiOjE3NzQzMTA0MDAsImlzU3ViZG9tYWluIjp0cnVlfQ==
- Origin-Trial
ApTXX1w2dkJZuuxlV9csQYg+9ZVXekg+mOu8mS9vb7/V2oeMLKqGC8blgR6ech+eqbhGAgLKPthyai7z89MdTAgAAACLeyJvcmlnaW4iOiJodHRwczovL3d3dy55b3V0dWJlLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQb2xpY3lJbmNsdWRlSlNDYWxsU3RhY2tzSW5DcmFzaFJlcG9ydHMiLCJleHBpcnkiOjE3NDk1MTM2MDAsImlzU3ViZG9tYWluIjp0cnVlfQ==
- Content-Security-Policy-Report-Only
report-uri https://csp.withgoogle.com/csp/youtube_main/strict;base-uri 'self';object-src 'none';script-src 'report-sample' 'nonce-opa-8BK0QowSmFzGiZIJkA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'
The content security policy, reporting only.
Report-URI
https://csp.withgoogle.com/csp/youtube_main/strict
URI for violation reports.
Base-URI
Define what can be used in the base element.
- 'self'
Object-Src
Define sources for object, embed, and applet elements.
- 'none'
Script-Src
Define sources for JavaScript.
- 'report-sample'
- 'nonce-opa-8BK0QowSmFzGiZIJkA'
- 'unsafe-inline'
- 'strict-dynamic'
- https:
- http:
- 'unsafe-eval'
- Accept-Ch
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Specify what client hints should be included in subsequent requests.
sec-ch-ua-arch
Problems were found.
- Option is not one of known values.
sec-ch-ua-bitness
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version-list
Problems were found.
- Option is not one of known values.
sec-ch-ua-model
Problems were found.
- Option is not one of known values.
sec-ch-ua-wow64
Problems were found.
- Option is not one of known values.
sec-ch-ua-form-factors
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform-version
Problems were found.
- Option is not one of known values.
sec-ch-viewport-width
Problems were found.
- Option is not one of known values.
sec-ch-dpr
Problems were found.
- Option is not one of known values.
device-memory
Indicate approximate amount of RAM.
- Vary
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Indicates that different content may be provided to different clients, depending on the vary header.
Headers
- Sec-CH-UA-Arch
- Sec-CH-UA-Bitness
- Sec-CH-UA-Full-Version
- Sec-CH-UA-Full-Version-List
- Sec-CH-UA-Model
- Sec-CH-UA-WoW64
- Sec-CH-UA-Form-Factors
- Sec-CH-UA-Platform
- Sec-CH-UA-Platform-Version
- Sec-CH-Viewport-Width
- Sec-CH-DPR
- Device-Memory
- Report-To
{"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
Report to.
Group
youtube_main
Max_age
2592000
Endpoints
- {"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}
- Permissions-Policy
ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Enable and disable browser features.
ch-ua-arch
Control access to the user agent architecture.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-bitness
Control access to the user agent bitness.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version
Control access to the user agent full version.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version-list
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-model
Control access to the user agent device model.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-wow64
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-form-factors
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform
Control access to the user agent platform.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform-version
Control access to the user agent platform version.
- * - Allowed on this page and all nested contexts of any origin.
- Cross-Origin-Opener-Policy
same-origin-allow-popups; report-to="youtube_main"
Isolate the document from cross-origin windows.
same-origin-allow-popups; report-to="youtube_main"
Problems were found.
- Option is not one of known values.
- Reporting-Endpoints
default="/web-reports?context=eJwVzH9o1HUcx_G-Ptk67-t29_1-Pu-P5YzJWi1aN86TSRDCNDdC3BzIQJw13a-y1m3cbtcGJgZraYr9UnSlyyS0PDchIRpjSWROa3XOmdjSAkmGOIxZqWWrPv3xgNf7zfv1Dv6SVfhU3FlXlHDKM-3Ojoqk88rKpHPrUNLpH0o6UwtSTm1Bytn7fcpp-bnT6QuvmdU5b82sobVBmpuD_NEbZPpSkM5fg9QWu4yvcJmqcvn0sMvQJy6XJ11KO-ZwrTqH4d4cNlzJ4aPBXKpHcnnLujGTy-IlIVJNIdxUiHe3hVi4J8Tcr0MMF4YJrA9z7r0ws4-FuXQ7zNPKY2epx74aj8t1HpXPemza5NFtLdvpceKIR37aI2_AQ533mH_N48odj4kKn39X-FTW-ky2-szs8FnynU9ZxueJcz6BexWVeYp0vkIVKJ4sVERKFXdWKYKtinesVxOKq1sUS19T1O5WcFQxfFzR8Jli0UnFF98oKi4qdt1U_H1XUT1XM69MU5_U1Lyp2dyr-dya3ac5bw0c0Jz9UDNudR3VNHypGRnRTFnpM5r4qGbwrOb6mJ0val6c0Ez_qGmb1Oya1uy_R5gfFvZoYbkRHrxPOHC_kMkTbuYL7Q8LsUeFU8XCb48JoxHhg6iwbLXQ84xw63mhJCHMaReGu4R1Lwsf9wgtW4Wx14XyNwRnt9C4Vzh5UDiWFkaswQHh6nFh4VfCjVPCc6eF7DPWt7afEf4ZE94eF05by38Q2qzB_03Y25-EF64L224L3X8JF2bsb8dQk2V43zpojWbb7Boe8Q2_W1vF0JhnKHrAkJVvqLKWLjD0W5uLDNuLDRfKDH9aq8rtfqUhUGV4qNrQvdqQiRt8N9Cz_e5odnhLuj9QEOlq7Uh21DeVvNRUH2lOtMaTkaZ4Y6QhsTG5sWFDS10sGlscjcUWlUQfr2uL_gcLh-Yx"
- Document-Policy
include-js-call-stacks-in-crash-reports
- P3p
CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
P3P policy.
- Server
ESF
A name for the server.
ESF - Description of the server software.
- X-Xss-Protection
0
Cross-site scripting (XSS) filter.
0 - Disable XSS filtering.
- Set-Cookie
GPS=1; Domain=.youtube.com; Expires=Wed, 25-Feb-2026 10:18:54 GMT; Path=/; Secure; HttpOnly
A cookie sent from the server to be set on the client
GPS
1
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Wed, 25-Feb-2026 10:18:54 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
- Set-Cookie
YSC=oOM8rky_AOI; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
YSC
oOM8rky_AOI
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests.
Partitioned
- Set-Cookie
__Secure-YEC=; Domain=.youtube.com; Expires=Thu, 01-Jun-2023 09:48:54 GMT; Path=/; Secure; HttpOnly; SameSite=lax
A cookie sent from the server to be set on the client
__Secure-YEC
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Thu, 01-Jun-2023 09:48:54 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
lax
Cookie is not sent on cross-site requests but is when following a link to the origin.
- Set-Cookie
VISITOR_INFO1_LIVE=hFDbBYjaYHg; Domain=.youtube.com; Expires=Mon, 24-Aug-2026 09:48:54 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_INFO1_LIVE
hFDbBYjaYHg
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Mon, 24-Aug-2026 09:48:54 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests.
Partitioned
- Set-Cookie
VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgSA%3D%3D; Domain=.youtube.com; Expires=Mon, 24-Aug-2026 09:48:54 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_PRIVACY_METADATA
CgJVUxIEGgAgSA%3D%3D
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Mon, 24-Aug-2026 09:48:54 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests.
Partitioned
- Set-Cookie
__Secure-ROLLOUT_TOKEN=CNqZrOucybHgGRCql5DLrvSSAxiql5DLrvSSAw%3D%3D; Domain=youtube.com; Expires=Mon, 24-Aug-2026 09:48:54 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
__Secure-ROLLOUT_TOKEN
CNqZrOucybHgGRCql5DLrvSSAxiql5DLrvSSAw%3D%3D
Cookie name and value.
Domain
youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Mon, 24-Aug-2026 09:48:54 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests.
Partitioned
- Alt-Svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Indicate a resource should be loaded from a different server while still appearing to be loaded from this server.
Service
- h3 - :443
- ma - 2592000 (30 days)
Max age for the alternative (seconds).
Service
- h3-29 - :443
HTTP/3 (draft 29)
- ma - 2592000 (30 days)
Max age for the alternative (seconds).