HTTP Header Checker

Inspect HTTP response headers, security headers, redirect chain, and caching for any URL

Try:

Frequently Asked Questions

HTTP headers are key-value pairs sent between a client (browser) and server with every HTTP request and response. Response headers tell the browser how to handle the content — what type it is, whether it should be cached, if the page is secure, what scripts are allowed, and more. They are invisible to the user but critical for security, performance, and compatibility.

HSTS (HTTP Strict Transport Security) is a security header that tells browsers to always connect to the site over HTTPS — never HTTP. Once a browser sees this header, it will refuse plain HTTP connections to that domain for the specified duration (max-age). This prevents protocol downgrade attacks and cookie hijacking on insecure networks.

Content-Security-Policy is a powerful security header that controls which sources the browser is allowed to load scripts, styles, images, and other resources from. A properly configured CSP dramatically reduces the risk of Cross-Site Scripting (XSS) attacks. For example, default-src 'self' allows resources only from the same origin.

X-Frame-Options prevents a page from being embedded inside an <iframe> on another site. This protects against clickjacking attacks, where an attacker tricks a user into clicking on an invisible element. Common values are DENY (never allow framing) and SAMEORIGIN (allow only from the same origin). It has been largely superseded by the CSP frame-ancestors directive.

Cache-Control directives tell browsers and intermediate caches how to cache the response. max-age=3600 caches for 1 hour. no-cache means the browser must revalidate before using a cached copy. no-store means never cache (used for sensitive data). public allows CDNs to cache; private means only the browser may cache.

HTTP redirects are responses with status codes 3xx that tell the client to fetch a different URL. Common ones: 301 (Moved Permanently — SEO juice passes), 302 (Found — temporary), 307 (Temporary Redirect — method preserved), 308 (Permanent Redirect — method preserved). This tool shows the full redirect chain from the original URL to the final destination.

The four most critical security headers are: Strict-Transport-Security (HSTS) — forces HTTPS for a specified duration; Content-Security-Policy (CSP) — restricts which resources the browser may load, blocking XSS attacks; X-Frame-Options — prevents clickjacking by blocking your page from being framed; and X-Content-Type-Options: nosniff — stops browsers from MIME-sniffing a response away from the declared Content-Type. Adding all four significantly raises the security posture of any web application. Tools like securityheaders.com can grade your headers.

In Apache, use the Header directive (requires mod_headers): add Header always set X-Content-Type-Options "nosniff" to your .htaccess or virtual host config. In Nginx, use add_header in the server or location block: add_header X-Frame-Options "SAMEORIGIN" always;. The always keyword in both servers ensures the header is sent even on error responses. For PHP applications, you can also set headers in code with header('X-Content-Type-Options: nosniff'); before any output.

The Cache-Control header controls caching for both browsers and intermediate proxies (CDNs, reverse proxies). Key directives: max-age=N — cache the response for N seconds; no-cache — the browser must revalidate with the server before using a cached copy (it does cache it, despite the name); no-store — never cache the response at all (used for sensitive data like bank pages); must-revalidate — once the cache entry expires, do not serve stale; public — allows CDNs to cache; private — only the end-user's browser may cache. A typical static asset uses max-age=31536000, immutable; a sensitive page uses no-store.

The Content-Type header tells the browser exactly what MIME type the response body is. Without it — or with an incorrect value — browsers perform MIME-sniffing: they inspect the content bytes and guess the type. An attacker can exploit this by uploading a file that looks like an image but contains HTML or JavaScript, which the browser then executes. Setting X-Content-Type-Options: nosniff disables MIME-sniffing entirely, forcing the browser to trust only the declared Content-Type. Always set an explicit Content-Type (e.g. application/json, text/html; charset=utf-8) on every response.

About This HTTP Header Checker

This free HTTP Header Checker fetches the HTTP response headers for any public URL. It checks for important security headers, shows the full redirect chain, and highlights caching configuration. Results include a security score based on the presence of recommended headers.

Key Security Headers

Header	Protects Against
HSTS	Protocol downgrade, MITM
CSP	XSS, data injection
X-Frame-Options	Clickjacking
X-Content-Type-Options	MIME sniffing
Referrer-Policy	Referrer leakage
Permissions-Policy	Feature abuse

HTTP Status Codes

Code	Meaning
200	OK — success
301	Moved Permanently
302	Found (temporary redirect)
403	Forbidden
404	Not Found
500	Internal Server Error

Related Internet Tools

View all articles

CORS Explained: Why It's a Server-Side Fix for a Browser-Side Error, and How to Debug It

A CORS error appears in the browser console as if it's a client-side problem — but it's actually caused by missing response headers from the server, which is why "it works in curl/Postman but fails in the browser" is the classic CORS symptom. Here's same-origin policy, the key CORS headers, simple vs preflighted requests, and a systematic debugging approach.

Jun 16, 2026

HTTP Caching Deep Dive: Cache-Control Directives, ETags, and Content Hashing Strategy

Content-hashed filenames with max-age=31536000 can eliminate network requests for returning users. Here's the complete HTTP caching strategy: Cache-Control directives in depth, ETags and conditional requests, the Vary header pitfall, CDN cache busting, and a practical caching strategy by resource type.

Jun 9, 2026

HTTP Security Headers: What Most Sites Are Missing and How to Fix It

Security headers most sites are missing, what HSTS, CSP, and X-Frame-Options actually prevent, how Cache-Control directives work, and which headers reveal server information you should hide in production.

Jun 8, 2026

HTTP Headers Checker — Inspect Response Headers for Any URL Instantly

Learn what HTTP response headers are, what the key headers (Cache-Control, HSTS, CSP, CORS, X-Frame-Options) mean, and how to use a free HTTP headers checker for security audits and debugging.

Jun 6, 2026

HTTP Header Checker

Frequently Asked Questions

What are HTTP headers?

What is HSTS?

What is Content-Security-Policy (CSP)?

What is X-Frame-Options?

What does Cache-Control do?

What is an HTTP redirect?

What are the most important security headers to set?

How do I set HTTP headers in Apache and Nginx?

How does Cache-Control work?

Why does the Content-Type header matter for security?