Inspect response headers & security for any site
Our HTTP Header Checker sends a request to the URL you provide and captures the full set of response headers returned by the server. These headers contain metadata about the response, including caching directives, content type, server software, security policies, and more. The tool parses and displays each header with its value so you can quickly inspect how a server is configured.
HTTP headers play a critical role in web security, performance, and functionality. Security headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options protect users from cross-site scripting, man-in-the-middle attacks, and clickjacking. Caching headers like Cache-Control and ETag determine how browsers and CDNs store and revalidate content. Misconfigured headers can leave sites vulnerable to attacks or cause performance issues.
To use the tool, enter any URL and the checker will display the complete response headers. You can use this to audit security headers on your own sites, debug caching behavior, check whether CORS headers are configured correctly, or see what server information a site exposes. The tool highlights important security headers and flags missing ones that should be present.
HTTP headers are key-value pairs sent between a client (browser) and a server with every HTTP request and response. Request headers tell the server about the client (such as which browser is making the request and what content types it accepts), while response headers tell the client about the server's response (such as content type, caching rules, and security policies). They are invisible to regular users but essential for how the web works.
The User-Agent header is sent with every request from your browser and identifies your browser name, version, operating system, and sometimes device type. For example, it might reveal that you are using Chrome 120 on Windows 11. Websites use this to serve appropriate content, but it also contributes to browser fingerprinting. Some privacy-focused browsers send a generic or randomized User-Agent to reduce tracking.
The Referer header (intentionally misspelled in the HTTP specification) tells the server which page the user came from when following a link or loading a resource. For example, if you click a link on Google search results, the destination site receives a Referer header containing the Google search URL. This is useful for analytics but can leak sensitive information. The Referrer-Policy response header lets sites control how much referrer information is shared.
The most important security headers are: Strict-Transport-Security (HSTS), which forces HTTPS connections; Content-Security-Policy (CSP), which prevents cross-site scripting and data injection; X-Frame-Options, which prevents clickjacking; X-Content-Type-Options, which prevents MIME-type sniffing; Referrer-Policy, which controls information leakage; and Permissions-Policy, which restricts browser features like camera and microphone access. Missing these headers can leave your site vulnerable to common attacks.
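The same kind of audit can be reproduced offline. The following Python is an added example, not the checker's own code: it parses a raw response head and reports missing or weak values for the six headers listed above, plus version disclosure in Server. The sample response, the function names, the finding strings, and the 180-day HSTS threshold are assumptions made for illustration.

```python
import re

# Response headers the page lists as most important (lower-cased for lookup).
EXPECTED = ("strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")
MIN_HSTS_AGE = 15552000  # 180 days; an assumed threshold, adjust to your policy

# Constructed sample response head (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
strict-transport-security: max-age=300
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Referrer-Policy: unsafe-url
"""

def parse_head(raw):
    """Return {lower-cased header name: value}; header names are case-insensitive."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Map header name -> finding for each missing or weak header."""
    h = parse_head(raw)
    out = {name: "missing" for name in EXPECTED if name not in h}
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" in csp:  # CSP framing control covers an absent X-Frame-Options
        out.pop("x-frame-options", None)
    if "'unsafe-inline'" in csp:
        out["content-security-policy"] = "review: allows 'unsafe-inline'"
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            out["strict-transport-security"] = "weak: max-age missing or too short"
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        out["x-content-type-options"] = "invalid: only nosniff is defined"
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        out["x-frame-options"] = "invalid: use DENY or SAMEORIGIN"
    if "unsafe-url" in h.get("referrer-policy", "").lower():
        out["referrer-policy"] = "weak: full URL sent cross-origin"
    if re.search(r"/\d", h.get("server", "")):  # e.g. "nginx/1.18.0"
        out["server"] = "info: exposes software version"
    return out
```

Calling `audit(SAMPLE)` returns only the headers that need attention; a header that is present with an acceptable value does not appear in the result.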
You can use browser extensions like ModHeader (Chrome) or Header Editor (Firefox) to add, modify, or remove request headers sent by your browser. Developers can also modify headers programmatically using the Fetch API or XMLHttpRequest in JavaScript. For testing, tools like curl and Postman let you send requests with custom headers. Note that some headers (like Host and Connection) are controlled by the browser and cannot be overridden by extensions.