HTTP Headers Checker
Inspect the HTTP response headers for any URL including security headers, caching and content type.
About HTTP Headers
HTTP headers are key-value pairs transmitted at the start of every HTTP request and response. They carry metadata about the request or response — things like the content type, caching policy, security controls, server software, and authentication tokens. Inspecting response headers is a fundamental technique for understanding how a web server is configured.
Important response headers to check
- Content-Type — The MIME type of the response body (e.g.
text/html; charset=utf-8). Missing or incorrect values can cause browsers to misrender content or trigger security issues. - Strict-Transport-Security (HSTS) — Instructs browsers to only connect via HTTPS.
max-agedefines how long this policy is remembered. Essential for HTTPS security. - Content-Security-Policy (CSP) — Restricts which resources (scripts, styles, images) the page can load. A well-configured CSP significantly reduces XSS risk.
- X-Frame-Options — Controls whether the page can be embedded in an iframe.
DENYorSAMEORIGINprevents clickjacking attacks. - Cache-Control — Directives for caching behaviour:
max-age,no-cache,no-store,private,public. - Server — The web server software version. Many security-conscious sites suppress or obscure this header to avoid revealing the server stack.
- Set-Cookie — Cookie definitions include important security flags:
HttpOnly(prevents JavaScript access),Secure(HTTPS only),SameSite(CSRF protection).
Security header scoring
Services like securityheaders.com score websites on the presence and configuration of security-related headers. Key headers for a good score include: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Frequently asked questions
What security headers should I look for?
Key security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Missing headers leave your site vulnerable to various attacks.
What does Cache-Control mean?
Cache-Control tells browsers and CDNs how long to cache a resource. max-age=3600 means cache for 1 hour. no-cache means revalidate before using. no-store means never cache.