HTTP HEADER
CHECKER
Enter a URL to inspect the HTTP response headers it serves: status code, server software, caching rules and everything else. We also audit the six security headers that browsers care about, HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, and flag any that are missing.
What is an HTTP Header Checker?
An HTTP header checker is a free tool that shows the response headers a URL serves, including its status code, server software and caching rules. It also audits the six security headers browsers care about (HSTS, Content-Security-Policy, X-Frame-Options and more) and flags any that are missing.
How does an HTTP Header Checker work?
- 01We request the URL and follow redirects to the final response.
- 02Every response header is listed exactly as served.
- 03Six key security headers are audited as present or missing.
Frequently asked questions
Which security headers should every site send?
The core set is Strict-Transport-Security (forces HTTPS), Content-Security-Policy (controls what can load), X-Frame-Options (blocks clickjacking), X-Content-Type-Options (stops MIME sniffing), Referrer-Policy and Permissions-Policy. None of them require code changes, only server or host configuration, and together they close off whole classes of attack.
What do caching headers tell me?
Cache-Control and Age reveal how a page is cached and whether a CDN is serving it. A high Age with a long max-age means the CDN answered without touching your origin, which is what fast hosting looks like. No caching headers on static assets is an easy performance win being left on the table.
The Server header exposes my software version. Is that bad?
Broadcasting an exact server version makes life slightly easier for attackers scanning for known vulnerabilities, so most well-configured hosts strip or genericise it. It is not a critical hole on its own, but a host that leaks detailed versions is often one that skips other hardening too.