HTTP Header Checker
Inspect HTTP response headers, security headers, redirect chain, and caching for any URL
Frequently Asked Questions
HTTP headers are key-value pairs sent between a client (browser) and server with every HTTP request and response. Response headers tell the browser how to handle the content: what type it is, whether it should be cached, if the page is secure, what scripts are allowed, and more. They are invisible to the user but critical for security, performance, and compatibility.

HSTS (HTTP Strict Transport Security) is a security header that tells browsers to always connect to the site over HTTPS, never HTTP. Once a browser sees this header, it will refuse plain HTTP connections to that domain for the specified duration (`max-age`). This prevents protocol downgrade attacks and cookie hijacking on insecure networks.

Content-Security-Policy is a powerful security header that controls which sources the browser is allowed to load scripts, styles, images, and other resources from. A properly configured CSP dramatically reduces the risk of Cross-Site Scripting (XSS) attacks. For example, `default-src 'self'` allows resources only from the same origin.

X-Frame-Options prevents a page from being embedded inside an `<iframe>` on another site. This protects against clickjacking attacks, where an attacker tricks a user into clicking on an invisible element. Common values are `DENY` (never allow framing) and `SAMEORIGIN` (allow only from the same origin). It has been largely superseded by the CSP `frame-ancestors` directive.

Cache-Control directives tell browsers and intermediate caches how to cache the response. `max-age=3600` caches for 1 hour. `no-cache` means the browser must revalidate before using a cached copy. `no-store` means never cache (used for sensitive data). `public` allows CDNs to cache; `private` means only the browser may cache.

HTTP redirects are responses with status codes 3xx that tell the client to fetch a different URL. Common ones: 301 (Moved Permanently, SEO juice passes), 302 (Found, temporary), 307 (Temporary Redirect, method preserved), 308 (Permanent Redirect, method preserved). This tool shows the full redirect chain from the original URL to the final destination.
About This HTTP Header Checker
This free HTTP Header Checker fetches the HTTP response headers for any public URL. It checks for important security headers, shows the full redirect chain, and highlights caching configuration. Results include a security score based on the presence of recommended headers.
Key Security Headers
| Header | Protects Against |
|---|---|
| HSTS | Protocol downgrade, MITM |
| CSP | XSS, data injection |
| X-Frame-Options | Clickjacking |
| X-Content-Type-Options | MIME sniffing |
| Referrer-Policy | Referrer leakage |
| Permissions-Policy | Feature abuse |
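
The checks described above can be sketched in a few lines. This is an added example, not this tool's own code: it audits one response's headers against the table, treating HSTS with a missing or zero `max-age` as ineffective and letting CSP `frame-ancestors` stand in for X-Frame-Options. The scoring (one point per effective header) and the names `audit`, `parse_csp` and `SAMPLE` are assumptions made for the example.

```python
import re

# Header names from the "Key Security Headers" table, lower-cased.
RECOMMENDED = ("strict-transport-security", "content-security-policy",
               "x-frame-options", "x-content-type-options",
               "referrer-policy", "permissions-policy")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers):
    """Return (score, status); status maps each header to 'ok' or a reason."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    status = {n: "ok" if n in h else "missing" for n in RECOMMENDED}

    # HSTS needs a max-age; max-age=0 tells the browser to forget the policy.
    if "strict-transport-security" in h:
        m = re.search(r'max-age\s*=\s*"?(\d+)', h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) == 0:
            status["strict-transport-security"] = "weak: max-age missing or 0"

    # X-Content-Type-Options has a single defined value.
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        status["x-content-type-options"] = "weak: value is not nosniff"

    # CSP frame-ancestors supersedes X-Frame-Options, so either one counts.
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp:
        status["x-frame-options"] = "ok"
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        status["x-frame-options"] = "weak: unrecognised value"

    return sum(1 for s in status.values() if s == "ok"), status

# Constructed sample response headers (not captured from a real site).
SAMPLE = {"Strict-Transport-Security": "max-age=0",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff",
          "Cache-Control": "no-store"}

if __name__ == "__main__":
    score, status = audit(SAMPLE)
    print(f"{score}/{len(RECOMMENDED)}", status)
```
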
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | OK (success) |
| 301 | Moved Permanently |
| 302 | Found (temporary redirect) |
| 403 | Forbidden |
| 404 | Not Found |
| 500 | Internal Server Error |