HTTP Headers
Show the HTTP headers for a URL, with a full break-down of details. Will follow redirects.
Summary
- Response
- Total Requests
- 1
- Total Time
- 1053 ms
https://www.youtube.com/shorts/A8iWrIkSdIQ- Status
- 200
- Message
- OK
- Time
- 1053 ms
- IP
- 142.250.68.206
Timing
Wait
1 ms
DNS
4 ms
TCP
3 ms
Request
0 ms
First Byte
1036 ms
Download
0 ms
Total
1053 ms
HTTP Headers
- Content-Type
text/html; charset=utf-8
The MIME type of this content.
Problems were detected with this header
- Unknown MIME type.
- X-Content-Type-Options
nosniff
Prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
nosniff - Block requests if type 'style' or 'script'.
- Content-Security-Policy
script-src 'unsafe-eval' 'self' 'unsafe-inline' https://www.google.com https://apis.google.com https://ssl.gstatic.com https://www.gstatic.com https://www.googletagmanager.com https://www.google-analytics.com https://*.youtube.com https://*.google.com https://*.gstatic.com https://youtube.com https://www.youtube.com https://google.com https://*.doubleclick.net https://*.googleapis.com https://www.googleadservices.com https://tpc.googlesyndication.com https://www.youtubekids.com https://www.youtube-nocookie.com https://www.youtubeeducation.com https://www-onepick-opensocial.googleusercontent.com;report-uri https://csp.withgoogle.com/csp/youtube_main/allowlist
The content security policy allows the server to determine what resources the user is allowed to load.
Script-Src
Define sources for JavaScript.
- 'unsafe-eval'
- 'self'
- 'unsafe-inline'
- https://www.google.com
- https://apis.google.com
- https://ssl.gstatic.com
- https://www.gstatic.com
- https://www.googletagmanager.com
- https://www.google-analytics.com
- https://*.youtube.com
- https://*.google.com
- https://*.gstatic.com
- https://youtube.com
- https://www.youtube.com
- https://google.com
- https://*.doubleclick.net
- https://*.googleapis.com
- https://www.googleadservices.com
- https://tpc.googlesyndication.com
- https://www.youtubekids.com
- https://www.youtube-nocookie.com
- https://www.youtubeeducation.com
- https://www-onepick-opensocial.googleusercontent.com
Report-URI
https://csp.withgoogle.com/csp/youtube_main/allowlist
URI for violation reports.
- Content-Security-Policy
require-trusted-types-for 'script'
The content security policy allows the server to determine what resources the user is allowed to load.
Require-Trusted-Types-For
Enforce trusted types for DOM XSS.
- 'script'
Problems were detected with this header
- Duplicate header. There is another header with this name and this may cause problems.
- Content-Security-Policy
base-uri 'self';object-src 'none';script-src 'report-sample' 'nonce-CIrPSUx0Uj_bR3XjWd9nAw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';report-uri https://csp.withgoogle.com/csp/youtube_main/strict
The content security policy allows the server to determine what resources the user is allowed to load.
Base-URI
Define what can be used in the base element.
- 'self'
Object-Src
Define sources for object, embed, and applet elements.
- 'none'
Script-Src
Define sources for JavaScript.
- 'report-sample'
- 'nonce-CIrPSUx0Uj_bR3XjWd9nAw'
- 'unsafe-inline'
- 'strict-dynamic'
- https:
- http:
- 'unsafe-eval'
Report-URI
https://csp.withgoogle.com/csp/youtube_main/strict
URI for violation reports.
Problems were detected with this header
- Duplicate header. There is another header with this name and this may cause problems.
- Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Inform all caching mechanisms from server to client whether they may cache this object.
no-cache
May be stored by any cache but must be validated by the server.
no-store
May not be stored by any cache.
Max-Age
0
The time a browser should remember a site can only be accessed with https (seconds).
must-revalidate
Stale caches must not be used.
- Pragma
no-cache
HTTP/1.0 backwards compatible cache handling.
no-cache - Force requests to the origin server before releasing a cache.
- Expires
Mon, 01 Jan 1990 00:00:00 GMT
The time at which the response is considered stale.
- Date
Sat, 13 Jun 2026 06:05:58 GMT
The date and time that the message was sent.
- Content-Length
0
The length of the response body in octets (8-bit bytes).
- P3p
CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
P3P policy.
- X-Frame-Options
SAMEORIGIN
Clickjacking protection.
SAMEORIGIN - No rendering if origin mismatch.
- Strict-Transport-Security
max-age=31536000
A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
Max-Age
31536000 (1 year)
The time a browser should remember a site can only be accessed with https (seconds).
- Permissions-Policy
ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Enable and disable browser features.
ch-ua-arch
Control access to the user agent architecture.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-bitness
Control access to the user agent bitness.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version
Control access to the user agent full version.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-full-version-list
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-model
Control access about the user agent device.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-wow64
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-form-factors
Problems were found.
- Unknown option
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform
Control access to the user agent platform.
- * - Allowed on this page and all nested contexts of any origin.
ch-ua-platform-version
Control access to the user agent platform version.
- * - Allowed on this page and all nested contexts of any origin.
- Cross-Origin-Opener-Policy
same-origin-allow-popups; report-to="youtube_main"
Isolate the document from cross-origin windows.
same-origin-allow-popups; report-to="youtube_main"
Problems were found.
- Option is not one of known values.
- Origin-Trial
AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
- Origin-Trial
AiDEBptUfVeO93q48VdVMe/ubupazdAl8AaHP+NBzdnW8quUcHdzJUyGSfrmtpKJu7EOvwRp9ug2rEo3XU+WMAMAAAB2eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJEZXZpY2VCb3VuZFNlc3Npb25DcmVkZW50aWFsczIiLCJleHBpcnkiOjE3NzQzMTA0MDAsImlzU3ViZG9tYWluIjp0cnVlfQ==
- Report-To
{"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
Report to.
Group
youtube_main
Max_age
2592000
Endpoints
- {"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}
- Accept-Ch
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Specify what client hints should be included in subsequent requests.
sec-ch-ua-arch
Problems were found.
- Option is not one of known values.
sec-ch-ua-bitness
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version
Problems were found.
- Option is not one of known values.
sec-ch-ua-full-version-list
Problems were found.
- Option is not one of known values.
sec-ch-ua-model
Problems were found.
- Option is not one of known values.
sec-ch-ua-wow64
Problems were found.
- Option is not one of known values.
sec-ch-ua-form-factors
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform
Problems were found.
- Option is not one of known values.
sec-ch-ua-platform-version
Problems were found.
- Option is not one of known values.
sec-ch-viewport-width
Problems were found.
- Option is not one of known values.
sec-ch-dpr
Problems were found.
- Option is not one of known values.
device-memory
Indicate approximate amount of RAM.
- Vary
Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-Viewport-Width, Sec-CH-DPR, Device-Memory
Indicates that different content may be provided to different clients, depending on the vary header.
Headers
- Sec-CH-UA-Arch
- Sec-CH-UA-Bitness
- Sec-CH-UA-Full-Version
- Sec-CH-UA-Full-Version-List
- Sec-CH-UA-Model
- Sec-CH-UA-WoW64
- Sec-CH-UA-Form-Factors
- Sec-CH-UA-Platform
- Sec-CH-UA-Platform-Version
- Sec-CH-Viewport-Width
- Sec-CH-DPR
- Device-Memory
- Reporting-Endpoints
crash-reporting="/web-reports?context=eJwNzX9M1HUcx3G_PBm73R3cfe_7_X4-n-9o2sStuXZ0sCCxnA6LGQ1i0zYNDA86G-u8C7pDmeScaUUai82WlKm1VqB1Uaw2I5N-6G2FmtTSOX8kmU3DXNTqChl9_njs_d577_f75R0qWLAiYbR7k0bTHR3GrpqU8fc7KeP9kZQxeXun0Ti_04hf2mTsC67O67rppfFOH9_X-pis9_HJuz5GPvJx4Vcfczf4qUj7OdJfSHSikIHDRTRki-jTfp8ponJJgM5YAF9ngNd6ApS9GkB-E6BnIsCRBUHGXw_i-SDI-X-C9FaY7H3E5EKzSd0TJt3dJtu16l6TowdNijMmaw6b3HbNZCJnMlsboq4xxMyuEPeO677Y4tA8i3CFRe5hC2_S4petFp8NW9Sctdg9ZXFr2qLdb7PTtmmQNi0pmy39NpkDNpNZm8SYzYZzNm_McdhjO9wvHEqUw6lih655DtUrHcIdDvWbHAafc4i_4PDhiw7GKw4nTjjkXXbYMevwqSkosQTTdwmiZQJnsaDpIYGnXvCm9nKrYCwuyD0t-CotGNgmWLJdkBkQDB0U7M4K3jsnWPqzoP-a4K88SWGBJKiNLpSMlUqGqyX7ayQfr5BkHpTMqZXs-FziOSpJfCG5-KVkyw-S1BlJ_Lxk8SXJ2p8k1Vd0vS6ZuiEZn5LM_Cl5KSfp04z_JL9NS2bzFc97FMu9igcCirdMRYNSnCxThKoU7n2KrjpFr_bMSsWB1YplaxSjmn-tYmyd4rGY4sf1Ciup77RQSjGeVlzZrNjYo-jT1u1TtL-t5wOKm5p_UFGkfTuk94f1nxHF9a8V5jGdf1JxTLtxWtF0Rmdr-88qxEXFzsuKzKSCPxSrcoq5_yo231KU5Lksx2VPvstogUtDwGWrdirkcrzcJf9ul_oql-hSl3uWubRp6lGXbNRl0ZMuz7a7DHa7HNJCfk_26vDpguB3V7cdN-aHu5LpVLolVrox1hJe35FMpMKxxOPh1o62VFtrNN5cHimvjFRGFpVGqpqfivwPTNf40w"
- Document-Policy
include-js-call-stacks-in-crash-reports
- Server
ESF
A name for the server.
ESF - Description of the server software.
- X-Xss-Protection
0
Cross-site scripting (XSS) filter.
0 - Disable XSS filtering.
- Set-Cookie
__Secure-YNID=19.YT=j0mjZVPWJONAQD_nuJ8byi9eZlAZysAYf1P9NrFMmTiU2e_c7yB66JxZ_K2Emx_LyGNorgQznlWMRX-x3thqdYkWpymufLP0-JJOf5TqLnameWEcCiqHIwGG5tH_BYcg6VlaSTCB-VQxb-FLnO4LiMnJrLhMUSeM5cJfThPHyx7dInUGISJhH4Ltd2x7uYIpzP2JWL6igqT1oZB4Rw51Xvxgnr5oJggCR93l6U6PFi1I5ATzuJiR4s7XlubCmj1DfNylCBFN_A4BLWth1fWiYz-7lWwb8vUynJB-RKnwvw1CoO7sHfkeeePhvC_Wzac8PnCPiyb9Dgr-9XUpQGoQ7g; expires=Thu, 10-Dec-2026 06:05:58 GMT; path=/; domain=.youtube.com; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
__Secure-YNID
19.YT
Cookie name and value.
Expires
Thu, 10-Dec-2026 06:05:58 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
GPS=1; Domain=.youtube.com; Expires=Sat, 13-Jun-2026 06:35:59 GMT; Path=/; Secure; HttpOnly
A cookie sent from the server to be set on the client
GPS
1
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Sat, 13-Jun-2026 06:35:59 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
- Set-Cookie
YSC=6sJoXZuCGNI; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
YSC
6sJoXZuCGNI
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
__Secure-ROLLOUT_TOKEN=CMjUpeP1_-GmSRDegdSYxoOVAxjegdSYxoOVAw%3D%3D; Domain=youtube.com; Expires=Thu, 10-Dec-2026 06:05:59 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
__Secure-ROLLOUT_TOKEN
CMjUpeP1_-GmSRDegdSYxoOVAxjegdSYxoOVAw%3D%3D
Cookie name and value.
Domain
youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Thu, 10-Dec-2026 06:05:59 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
__Secure-YEC=; Domain=.youtube.com; Expires=Sun, 17-Sep-2023 06:05:59 GMT; Path=/; Secure; HttpOnly; SameSite=lax
A cookie sent from the server to be set on the client
__Secure-YEC
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Sun, 17-Sep-2023 06:05:59 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
lax
Cookie is not sent on cross-site requests but is when following a link to the origin.
- Set-Cookie
VISITOR_INFO1_LIVE=1XaH6_xjXmA; Domain=.youtube.com; Expires=Thu, 10-Dec-2026 06:05:59 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_INFO1_LIVE
1XaH6_xjXmA
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Thu, 10-Dec-2026 06:05:59 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Set-Cookie
VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgWg%3D%3D; Domain=.youtube.com; Expires=Thu, 10-Dec-2026 06:05:59 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
A cookie sent from the server to be set on the client
VISITOR_PRIVACY_METADATA
CgJVUxIEGgAgWg%3D%3D
Cookie name and value.
Domain
.youtube.com
The client will only send the cookie when requesting from this domain.
Expires
Thu, 10-Dec-2026 06:05:59 GMT
When the cookie should expire.
Path
/
The client will only send the cookie when requesting this path, or subdirectories, from the server.
Secure
The cookie is only sent when requesting from a https domain.
HttpOnly
Prevents access to the cookie through JavaScript.
Samesite
none
Cookie sent with both cross-site and same-site requests..
Partitioned
- Alt-Svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Indicate a resource should be loaded from a different server while still appearing to be loaded from this server.
Service
- h3 - :443
Service
- ma - 2592000 (30 days)
Max age for the alternative (seconds).
- h3-29 - :443
HTTP/3 (draft 29)
- ma - 2592000 (30 days)
Service
- ma - 2592000 (30 days)
Max age for the alternative (seconds).
- ma - 2592000 (30 days)