HTTP Headers Checker
Inspect HTTP response headers, status codes, redirect chains, and security header configuration for any URL.
About HTTP Headers Checker
HTTP headers are metadata sent between a client and server during HTTP communication. They control caching, authentication, content type, security policies, and more. This tool lets you:
- Inspect headers - View all response headers a server sends
- Check security - Verify important security headers are configured
- Trace redirects - See the full redirect chain from the original URL to the final destination
- Debug issues - Diagnose caching, CORS, and content-type problems
Why Check HTTP Headers?
HTTP response headers provide critical information about how a web server is configured. Security headers like Content-Security-Policy and Strict-Transport-Security protect visitors from attacks. Caching headers like Cache-Control and ETag affect site performance. Server headers can reveal software versions that might have known vulnerabilities. Regularly auditing your HTTP headers is an essential part of web security and performance optimization.
Our tool checks for the most important security headers recommended by OWASP and security best practices. A missing security header does not necessarily mean a site is vulnerable, but implementing these headers adds layers of defense against common web attacks including cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks.
Important Security Headers
- Strict-Transport-Security (HSTS) - Forces browsers to use HTTPS, preventing downgrade attacks
- Content-Security-Policy (CSP) - Controls which resources the browser can load, mitigating XSS
- X-Frame-Options - Prevents clickjacking by controlling iframe embedding
- X-Content-Type-Options - Prevents MIME type sniffing attacks
- Referrer-Policy - Controls how much referrer information is shared
- Permissions-Policy - Controls which browser features the site can use
Frequently Asked Questions
What are HTTP response headers?
HTTP response headers are key-value pairs sent by a web server along with the response body. They provide instructions to the browser about how to handle the content, including caching rules, security policies, content encoding, and server information.
What security headers should every website have?
At minimum, websites should implement Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. These headers protect against the most common web attacks with minimal configuration effort.
How do HTTP redirects work?
When a server responds with a 3xx status code and a Location header, the browser automatically follows the redirect to the new URL. Common codes are 301 (permanent), 302 (temporary), and 307 (temporary, preserves method). Redirect chains occur when one redirect leads to another.