HTTP Headers Checker

View HTTP response headers for any URL — Content-Type, caching, security headers, server info. Diagnose web issues fast.

What are HTTP Headers?

HTTP headers are metadata sent with every HTTP request and response, carrying critical information about content type, caching, security, authentication, redirects, and more. When you visit a webpage, your browser sends request headers (Accept, User-Agent) and receives response headers (Content-Type, Cache-Control, X-Frame-Options) from the server. HTTP Headers Checker lets you inspect what a server returns — essential for debugging caching issues, verifying security headers (HSTS, CSP, X-Frame-Options), checking compression (GZIP, Brotli), monitoring CDN routing, validating CORS configuration, troubleshooting why pages render incorrectly, and running security audits before going live.

How to use this tool

  1. Enter the URL — Full URL with https:// or http://. Tool adds https:// if missing.
  2. Click Check Headers — Tool fetches response and extracts status + headers.
  3. Review response code — 200 = OK, 301/302 = redirect, 404 = not found, 500 = server error.
  4. Check content-type and length — Verify expected MIME type. Length helps estimate bandwidth.
  5. For full headers — Use browser DevTools (F12 → Network tab) on the target URL.

Critical HTTP headers explained

Security headers:

  • Strict-Transport-Security (HSTS): Forces HTTPS-only access — e.g., max-age=31536000; includeSubDomains
  • Content-Security-Policy (CSP): Prevents XSS attacks by restricting allowed sources
  • X-Frame-Options: Prevents clickjacking via iframe embedding — DENY or SAMEORIGIN
  • X-Content-Type-Options: Prevents MIME sniffing — nosniff
  • Referrer-Policy: Controls what referrer info is sent

Performance headers:

  • Cache-Control: Cache directives (max-age, no-cache, public/private)
  • ETag: Resource version identifier for cache validation
  • Content-Encoding: Compression (gzip, br for Brotli)
  • Vary: Tells caches which request headers affect response

Identity headers:

  • Server: Web server software (Apache, nginx, Cloudflare, AWS)
  • X-Powered-By: Backend framework (PHP, Express)

Examples

  • Status 200 + Cache-Control: public, max-age=3600 — properly cached for 1 hour
  • Status 301: Permanent redirect — follow Location header to new URL
  • Missing HSTS: Site allows HTTP — security weakness for HTTPS site
  • Content-Encoding: gzip: Page compressed — good for performance
  • X-Frame-Options: DENY: Site can't be iframed — protects against clickjacking
  • Server: cloudflare: Site uses Cloudflare CDN — benefits from edge caching

Tips & best practices

  • Use browser DevTools (F12 → Network) for full header inspection — tool shows summary only
  • Check security headers via securityheaders.com for grade
  • Ensure HSTS is enabled with long max-age (1+ year recommended)
  • Cache-Control with max-age=0 means no caching — bad for static assets
  • If Content-Encoding missing, your site isn't compressed — enable GZIP/Brotli for speed boost
  • Server header exposes software — some hide it for security (security through obscurity)
  • Check headers BEFORE going live to catch missing security configurations

Limitations & notes

Tool uses CORS proxy (allorigins.win) for cross-origin fetching — some headers may be filtered by proxy. For complete header inspection including request headers, use browser DevTools or command-line tools (curl -I). Custom security tools (securityheaders.com, observatory.mozilla.org) provide deeper analysis with security grades.
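The security and identity header checks described on this page, applied to saved `curl -sI` output. This is an added example, not the tool's own code: the function names `parse_headers` and `audit` and the sample response are constructed for illustration, and the thresholds are the ones the page recommends.

```python
import re

# Constructed sample of `curl -sI` output (not captured from a real site).
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=86400
x-frame-options: ALLOWALL
x-content-type-options: nosniff
server: nginx
x-powered-by: PHP/8.2
"""
ONE_YEAR = 31536000  # seconds; the max-age the page recommends for HSTS

def parse_headers(raw):
    """Parse the last response block of `curl -I` output into (status, headers)."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    lines = blocks[-1].splitlines()  # with -L, curl prints one block per hop
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise to lower case
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(headers):
    """Return findings for the security and identity headers listed above."""
    findings = []
    hsts = headers.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS missing")
    elif not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "content-security-policy" not in headers:
        findings.append("CSP missing")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")
    for name in ("server", "x-powered-by"):
        if name in headers:
            findings.append(f"{name} discloses: {headers[name]}")
    return findings

if __name__ == "__main__":
    print(*audit(parse_headers(SAMPLE)[1]), sep="\n")
```

Feed it the text saved from `curl -sI` against your own site; when a header is repeated in the response, only the last value is kept.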

Frequently Asked Questions

What's the difference between request and response headers?

Request headers (sent by browser): Accept, User-Agent, Cookie, Authorization. Response headers (sent by server): Content-Type, Set-Cookie, Cache-Control, Server. This tool shows RESPONSE headers.

Why are some headers missing?

The CORS proxy may filter sensitive headers, or the server may not set them (some sites don't configure HSTS or CSP). Use browser DevTools for an unfiltered view.

What's HSTS and why is it important?

HTTP Strict Transport Security forces browsers to always use HTTPS for the domain, even if user types http://. Prevents downgrade attacks. Set with Strict-Transport-Security: max-age=31536000.

How do I add security headers?

Configure them in your web server (.htaccess for Apache, server block for nginx, web.config for IIS), or via a CDN (Cloudflare lets you set headers via its dashboard). For WordPress, plugins like ‘HTTP Headers’ help.

What's a good Cache-Control for static images?

Cache-Control: public, max-age=31536000, immutable — cache for 1 year, file is immutable (won't change), browsers don't need to revalidate.

Does this tool work for localhost?

No — localhost (127.0.0.1) isn't accessible from the public internet. The proxy can't reach your local server. Use browser DevTools or curl on your machine.

Can I test API endpoints with this?

Yes, if the API is publicly accessible — you'll see content-type, cache headers, CORS settings. For private APIs requiring auth, use Postman or curl instead.
