Check HTTP response headers for any URL. Free header checker that inspects security headers, caching, CORS, content type, and server configuration.
An HTTP header checker is a tool that fetches a URL and inspects the response headers returned by the server. Every time your browser requests a page, the server sends back headers before the actual content. These headers tell the browser how to cache the page, what security policies to enforce, which origins can access the resource, and what type of content the response contains.
The problem is that response headers are invisible during normal browsing. You do not see them unless you open DevTools, switch to the Network tab, find the right request, and scroll through the raw response. For URLs you do not control, like a third-party API or a CDN endpoint, that workflow is even harder. You need to make the request yourself with curl or a script.
This header checker removes that friction. Enter a URL and get a structured breakdown of every response header, a security audit that checks for HSTS, CSP, X-Content-Type-Options, and other critical headers, plus warnings about information disclosure and misconfiguration. You can also paste raw headers from curl output or server logs and parse them locally without sending data anywhere.
The tool has two modes. Pick whichever fits your workflow.
curl -I, headers copied from browser DevTools, or full HTTP responses starting with HTTP/1.1 200 OK.Parse Headers mode runs entirely client-side. Nothing is sent to any server. Use it when you already have header data from curl output, server logs, or load balancer diagnostics.
Not all headers carry equal weight. Some control basic functionality, others are critical for security. Here are the headers every production site should set, grouped by purpose.
| Header | Category | Why it matters |
|---|---|---|
| Strict-Transport-Security | Security | Forces HTTPS. Prevents SSL stripping attacks. |
| Content-Security-Policy | Security | Blocks unauthorized scripts. Primary XSS defense. |
| X-Content-Type-Options | Security | Prevents MIME-type sniffing. Always set to nosniff. |
| X-Frame-Options | Security | Blocks iframe embedding. Prevents clickjacking. |
| Referrer-Policy | Privacy | Controls how much URL info leaks to other sites. |
| Cache-Control | Performance | Tells browsers and CDNs how long to cache the response. |
| Content-Type | Core | Specifies MIME type and encoding. Incorrect values break rendering. |
If your site is missing any of the security headers above, this HTTP header checker will flag them. The tool checks all seven recommended security headers and shows pass, fail, or warning status for each one.
Security headers are response headers that instruct the browser to enable or restrict specific behaviors. They cost nothing to implement, but missing them opens real attack vectors.
HSTS tells browsers to only connect over HTTPS for a specified duration. Once a browser sees this header, it refuses plain HTTP connections to your domain, even if the user types http:// in the address bar. The max-age directive sets how long the policy persists (in seconds), and includeSubDomains extends the policy to all subdomains.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Without HSTS, attackers can intercept the first HTTP request before the redirect to HTTPS happens. Use this header checker to verify your HSTS configuration includes an appropriate max-age value.
CSP is the most powerful security header. It defines which sources of content the browser should trust: scripts, styles, images, fonts, frames, and more. A well-configured CSP blocks inline scripts and unauthorized third-party code, making XSS attacks significantly harder to execute.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'
Start with Content-Security-Policy-Report-Only to log violations without breaking your site, then switch to enforcing mode once you have confirmed no legitimate resources are blocked.
Set this to nosniff. It prevents browsers from guessing the MIME type of a response and interpreting a file as something it is not. Without this header, an attacker could trick the browser into executing a text file as JavaScript.
X-Frame-Options controls whether your page can be displayed inside an <iframe>. Set it to DENY (no framing at all) or SAMEORIGIN (only your own domain can frame it). The modern replacement is CSP's frame-ancestors directive, which provides finer control. If you set frame-ancestors in your CSP, it takes precedence over X-Frame-Options.
This header controls how much of the current page's URL is sent as a referrer when navigating to another page. strict-origin-when-cross-origin is a good default: it sends the full URL for same-origin requests and only the origin for cross-origin requests. Without Referrer-Policy, browsers use their default, which may expose full URLs including query parameters to third-party sites.
Permissions-Policy (formerly Feature-Policy) restricts which browser features your page and its embedded content can use. You can disable camera, microphone, geolocation, payment, and other APIs for third-party iframes. This limits what malicious or compromised embedded content can access.
Caching headers determine how browsers and CDNs store and reuse responses. Correct caching reduces server load, speeds up page loads, and lowers bandwidth costs. Incorrect caching serves stale content or bypasses the cache entirely.
| Header | Purpose | Common values |
|---|---|---|
| Cache-Control | Primary cache directive | max-age=3600, no-cache, no-store, public, private |
| ETag | Version identifier for conditional requests | "33a64df551425fcc55e4d42a148795d9f25f89d4" |
| Last-Modified | Date the resource last changed | Wed, 01 Jan 2026 00:00:00 GMT |
| Expires | Legacy expiry date (superseded by Cache-Control) | Thu, 01 Jan 2027 00:00:00 GMT |
| Vary | Tells caches which request headers affect the response | Accept-Encoding, Accept-Language |
Cache-Control: no-store means the response must never be cached. no-cache means the browser must revalidate with the server before using a cached copy. max-age=3600 means the response is fresh for 3600 seconds. public allows shared caches (CDNs) to store the response; private restricts caching to the end user's browser only.
Use this header checker to verify that your caching strategy is working as intended. Missing Cache-Control on static assets means browsers re-download resources on every visit. Conversely, aggressive caching on dynamic content can serve stale data to users.
CORS (Cross-Origin Resource Sharing) headers control which external domains can access your API or resources via JavaScript. Without CORS headers, browsers block cross-origin requests by default. With overly permissive CORS, any website can read your API responses.
| Header | What it controls |
|---|---|
| Access-Control-Allow-Origin | Which origins can access the resource. * means any origin. |
| Access-Control-Allow-Methods | HTTP methods (GET, POST, PUT) allowed in preflight. |
| Access-Control-Allow-Headers | Which request headers are allowed in the actual request. |
| Access-Control-Allow-Credentials | Whether cookies and auth headers can be included. Cannot be true with Allow-Origin: *. |
| Access-Control-Max-Age | How long (seconds) the preflight response can be cached. |
A common mistake is setting Access-Control-Allow-Origin: * alongside Access-Control-Allow-Credentials: true. Browsers reject this combination. If you need credentials, specify the exact origin instead of the wildcard. This header checker shows how many CORS headers your site returns so you can quickly tell if CORS is configured or missing entirely.
These are the issues this tool catches most often. Each one is fixable with a single configuration change.
Strict-Transport-Security: max-age=31536000; includeSubDomains to your server config. In Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;default-src 'self' is better than nothing.app.disable('x-powered-by'). In PHP: set expose_php = Off in php.ini.Server: nginx/1.18.0 tells attackers exactly which vulnerabilities to look for. Strip the version. In Nginx: server_tokens off;max-age values (e.g., 1 year) with cache-busting filenames. Without caching headers, browsers download these files on every page load.Access-Control-Allow-Origin: * with Allow-Credentials: true is rejected by browsers. Use a specific origin or dynamically set the header based on the request origin.X-Content-Type-Options: nosniff. It is a one-line fix in any web server and prevents MIME-type confusion attacks.
Enter the URL into this HTTP header checker and click Check Headers. The tool fetches the page and displays every response header with security validation. You can also run curl -I https://example.com in your terminal for a quick check, but you will not get the security audit or structured breakdown.
The six most critical security headers are Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy. This checker validates all of them and shows which ones your site is missing.
Most web frameworks add this header by default. Express adds X-Powered-By: Express, PHP adds X-Powered-By: PHP/8.x. Remove it in your server or application config. It gives attackers information about your stack without providing any benefit.
no-cache does not mean "do not cache." It means the browser must revalidate the cached copy with the server before using it. If the server confirms the content has not changed (304 response), the browser uses the cached version. If you truly want to prevent caching, use no-store.
Use the Check URL mode in this tool. Enter your site's URL and review the Security Checklist section. It shows pass or fail for each recommended security header and explains what to fix. Run it after every deployment to catch regressions.
HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS when connecting to your domain. Once the browser sees the header, it refuses plain HTTP connections for the duration specified by max-age. This prevents SSL stripping attacks where an attacker downgrades the connection to HTTP. Enable it by adding the Strict-Transport-Security header with a max-age of at least one year (31536000 seconds).
Yes. Switch to Parse Headers mode and paste your raw header data. All parsing and analysis happens in your browser. Nothing is sent anywhere. This is useful for headers from internal services, staging environments, or sensitive APIs.
At minimum, set Access-Control-Allow-Origin to the specific origins that need access. If your API accepts custom headers, add Access-Control-Allow-Headers. If it uses methods beyond GET and POST, add Access-Control-Allow-Methods. Avoid using the wildcard (*) if your API sends or receives credentials.
Structured page data instead of raw HTML. Your agent processes less, decides faster, and costs less to run.