Inspect HTTP response headers for any URL. Check security headers, caching rules, server info, and get a security score.
HTTP Header Checker
HTTP response headers are metadata sent by a web server alongside the page content. They control security policies, caching behaviour, content encoding, redirect rules, and more. Inspecting headers is essential for debugging and hardening any website.
Key security headers explained
- Strict-Transport-Security (HSTS) — Forces HTTPS, prevents SSL stripping attacks
- Content-Security-Policy (CSP) — Controls which resources the browser can load
- X-Frame-Options — Prevents clickjacking by blocking iframe embedding
- X-Content-Type-Options — Prevents MIME-type sniffing attacks
- Referrer-Policy — Controls what referrer info is sent with requests
- Permissions-Policy — Disables browser features like camera, microphone
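As an added illustration (not this tool's own code or scoring), the Python below parses a single header block as printed by curl -I and checks the six headers listed above. The one-point-per-header score, the one-year HSTS threshold, the value checks, and all function names are assumptions made for the example.

```python
import re

# Constructed sample: headers as printed by `curl -I` (not from a real site).
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=86400
x-frame-options: ALLOWALL
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

# Validators return a weakness string, or None when the value looks fine.
def _hsts(v):  # assumed threshold: max-age of at least one year
    m = re.search(r'max-age="?(\d+)', v, re.I)
    return None if m and int(m.group(1)) >= 31536000 else "max-age missing or below one year"
def _csp(v):
    return "allows 'unsafe-inline'" if "'unsafe-inline'" in v else None
def _xfo(v):
    return None if v.upper() in ("DENY", "SAMEORIGIN") else "not DENY or SAMEORIGIN"
def _xcto(v):
    return None if v.lower() == "nosniff" else "not nosniff"

# The six headers from the list above; the last two are checked for presence only.
CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": _xfo,
    "x-content-type-options": _xcto,
    "referrer-policy": lambda v: None,
    "permissions-policy": lambda v: None,
}

def audit(raw):
    # Returns (score, findings): one point per header present with no weakness found.
    headers, findings, score = parse_headers(raw), {}, 0
    for name, check in CHECKS.items():
        problem = check(headers[name]) if name in headers else "missing"
        if problem:
            findings[name] = problem
        else:
            score += 1
    return score, findings
```

Calling audit(SAMPLE) scores the constructed response 1 out of 6: only X-Content-Type-Options passes, two headers are missing, and three are present but weak.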
Cache-Control headers
Cache-Control tells browsers and CDNs how long to cache a response. Common directives include max-age=31536000 (cache for 1 year), no-cache (revalidate before use), and no-store (never cache, for sensitive pages).
Frequently Asked Questions
Why can't I see headers for some sites?
Due to browser CORS restrictions, this tool uses a public CORS proxy to fetch headers. Some sites with strict firewall rules may block proxy requests. For those, use curl in your terminal: curl -I https://yoursite.com
What is HSTS and should I enable it?
HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for your domain. Yes, you should enable it. Add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" to your .htaccess or server config.
What is Content-Security-Policy?
CSP is a powerful security header that tells the browser which sources are allowed to load scripts, styles, images, etc. It prevents XSS attacks. A basic policy: Content-Security-Policy: default-src 'self'. Start with report-only mode to avoid breaking your site.
How do I add security headers in WordPress?
You can add headers via .htaccess (use our .htaccess Generator), via a plugin like Headers & Footers or WP-Headers and Footers, or via your server's nginx.conf / Apache config. The .htaccess method works on shared hosting without server access.