HTTP Header Checker
Inspect HTTP response headers and review security configurations.
What this tool does
This tool fetches HTTP response headers for a URL and summarizes security-related headers. It helps you confirm status codes, caching directives, and security policies as actually served to clients. Use it during audits, migrations, or troubleshooting to verify the real response from your server or CDN.
Inputs explained
- URL: The full URL you want to test, including http or https.
How it works / Method
The tool makes an HTTP request to the URL and captures the response headers. It flags commonly expected security headers and lists the full header set for inspection. Results reflect a single request from our server and may vary if the site uses redirects or geo-based routing.
Example
Input: URL: https://example.com. Expected output: A status code (such as 200), a response time, a security header table showing which headers are present or missing, and a full list of response headers with their values.
Use cases
- Validate security headers after deployment or CDN changes.
- Audit caching behavior for performance and compliance.
- Confirm status codes returned to search engines or clients.
- Detect missing headers that weaken browser protections.
- Compare headers before and after a migration.
Limitations & notes
- Results reflect a single request from our server and may differ by region.
- Redirects can change the final header set; test the final URL.
- Dynamic headers may vary by device, cookies, or authentication state.
- This tool does not execute JavaScript or load subresources.
Accuracy & Disclaimer
Header results are provided as observed at request time. For production assurance, compare against server configuration and CDNs that may inject or modify headers.
Frequently Asked Questions
What are HTTP response headers?
HTTP response headers are metadata sent by a server with each response. They describe the content type, caching behavior, security policies, and other instructions for browsers and clients. Headers can affect how pages are rendered, cached, or embedded. Understanding them helps diagnose performance, security, and compatibility issues. This tool shows the headers exactly as returned by the server for the requested URL.
Which security headers should I look for?
Common security headers include Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Each addresses a different class of risk, such as downgrade attacks, script injection, or clickjacking. Missing headers do not always mean a site is insecure, but they are useful signals for hardening. Some headers require careful tuning to avoid breaking functionality. Use this tool to verify what is actually served in production.
Why do headers differ between HTTP and HTTPS?
Many sites redirect from HTTP to HTTPS, and the final HTTPS response may be served by different infrastructure or configuration. As a result, header sets can differ between the initial and final response. Some security headers only make sense on HTTPS and may be absent on HTTP. To get the most accurate view, test the exact URL users access after redirects.
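The check described in the two answers above, as an added example (not this tool's own code): it audits the final response of a redirect chain for the five headers named above, matching header names case-insensitively and treating HSTS as not applicable on plain HTTP. The function names, the status labels and the sample redirect chain are assumptions constructed for illustration.

```python
# Added example: sample responses below are constructed, not captured from a real site.
from urllib.parse import urlsplit

# The five headers named in the FAQ answer above.
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
)

def audit_response(url, headers):
    """Return {header: 'present' | 'missing' | 'n/a (http)'} for one response."""
    # Header field names are case-insensitive (RFC 9110), so normalise first.
    seen = {name.strip().lower() for name, _ in headers}
    is_https = urlsplit(url).scheme.lower() == "https"
    report = {}
    for name in SECURITY_HEADERS:
        if name == "Strict-Transport-Security" and not is_https:
            # Browsers ignore HSTS received over plain HTTP (RFC 6797).
            report[name] = "n/a (http)"
        else:
            report[name] = "present" if name.lower() in seen else "missing"
    return report

def audit_chain(hops):
    """hops: list of (url, status, headers) in redirect order; audit the final one."""
    final_url, status, headers = hops[-1]
    return {"final_url": final_url, "status": status,
            "redirects": len(hops) - 1, "headers": audit_response(final_url, headers)}

# Constructed redirect chain: plain-HTTP hop, then the final HTTPS response.
SAMPLE_CHAIN = [
    ("http://example.com/", 301, [("Location", "https://example.com/")]),
    ("https://example.com/", 200, [
        ("content-type", "text/html; charset=utf-8"),
        ("strict-transport-security", "max-age=31536000"),
        ("X-Content-Type-Options", "nosniff"),
        ("Referrer-Policy", "no-referrer"),
    ]),
]

if __name__ == "__main__":
    result = audit_chain(SAMPLE_CHAIN)
    print(result["final_url"], result["status"], "after", result["redirects"], "redirect(s)")
    for name, state in result["headers"].items():
        print(f"{name:28} {state}")
```

Presence is all this checks; whether a header's value is strong enough (for example the HSTS max-age or the CSP directives) still needs review.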
Why is a header marked as missing?
A header is marked missing when it is not present in the response. This can happen because the server or framework does not set it, a proxy strips it, or a CDN overrides it. Some headers are optional and not required for every site. If a header is expected, confirm your server configuration and check whether intermediate services are modifying responses.
Does this tool show request headers?
No. This tool focuses on response headers returned by the server. Request headers are generated by the client and vary by browser, device, and network. If you need to inspect request headers, use browser developer tools or a proxy. The response headers are usually the most important for security and caching configuration checks. Request headers are still valuable when debugging authentication or CORS issues.
How should I interpret Cache-Control?
Cache-Control directives define how browsers and intermediaries store responses. Values like max-age set a freshness lifetime, while no-store prevents caching entirely. For static assets, longer caching can improve performance, while dynamic content may require short or no caching. CDNs can add or override caching behavior, so confirm directives at the edge. Use these directives carefully to balance speed and freshness, and confirm they align with your deployment strategy.
Sources & references
- RFC 9110: HTTP semantics - Defines core header semantics and status codes.
- RFC 9111: HTTP caching - Describes Cache-Control and caching behavior.
- RFC 9112: HTTP/1.1 - Message framing and header field handling.
- RFC 6797: HTTP Strict Transport Security (HSTS) - Defines the HSTS response header.