View all HTTP response headers for any URL. Instantly check status codes, security headers, caching, redirects and more — free, no sign-up needed.
Every time a browser or application requests a web page, the server responds with two parts: the content (HTML, images, data) and a set of HTTP response headers — invisible key-value pairs that control how the content is handled. This tool lets you inspect every header returned by any publicly reachable URL in real time, with zero installation required.
Headers reveal critical information about a server: its software stack, caching strategy, compression method, redirect destination, and — most importantly — its security posture. Missing security headers are one of the most common and easily fixed web vulnerabilities. Our tool grades seven key security headers and explains what each one does and how to add it. Combine this with our SSL Certificate Checker and DNS Lookup for a complete domain health review.
Every HTTP response consists of two parts: the body (the HTML, JSON, image or file the browser requested) and the headers (a set of key-value metadata pairs sent before the body). Headers are invisible to visitors but govern virtually everything about how a page is delivered, cached, secured and displayed. Understanding them is essential for web developers, system administrators, security professionals and anyone conducting a technical site audit.
For example, a Cache-Control: max-age=86400 header tells any browser or CDN to store the response for 24 hours, reducing server load. A Strict-Transport-Security header tells browsers to refuse HTTP connections entirely for that domain. A Location header tells the browser where to redirect. Without inspecting headers directly, you cannot fully understand how a server is behaving. Use this tool alongside our SSL Certificate Checker to verify your full HTTPS configuration in one workflow.
Our tool checks seven security-critical response headers and assigns a grade from A (80% or more present) down to F (fewer than 20% present). Here is what each header does and why its absence is a problem:
Strict-Transport-Security (HSTS) — Forces browsers to use HTTPS even when a user types http://. Without it, users are vulnerable to protocol downgrade attacks on their first visit. Verify your SSL certificate is valid before enabling HSTS using our SSL Checker.
Content-Security-Policy (CSP) — Restricts which scripts, styles and resources can load on a page. A strong CSP is the most effective browser-level defence against cross-site scripting (XSS) attacks.
X-Frame-Options — Prevents your page from being embedded in an iframe on another domain, blocking clickjacking attacks, where your page is loaded in an invisible frame on top of a visible decoy so that clicks intended for the decoy land on your page.
X-Content-Type-Options: nosniff — Stops browsers from sniffing the body of a response to guess its type instead of honouring the declared Content-Type, preventing MIME confusion attacks.
Referrer-Policy — Controls how much URL information is sent as the Referer header when a user follows a link from your page to another site, preventing sensitive path data from leaking to third parties.
Permissions-Policy — Restricts access to browser APIs like the camera, microphone, geolocation and payment handlers, even for third-party scripts embedded in your page.
X-XSS-Protection — A legacy header that activates the built-in XSS filter in older versions of Internet Explorer and Chrome. Largely superseded by CSP, but still worth setting for older browser coverage.
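A grader for the seven headers listed above, written as an added example (it is not the tool's own code). It assumes the B, C and D cut-offs sit at 60%, 40% and 20% of headers present; the page only states the A and F thresholds. The sample headers are constructed.

```python
# Added example (not the tool's own code): grade a response's security headers
# using the seven headers and the A/F thresholds stated above. The B, C and D
# cut-offs (60%, 40%, 20%) are an assumption; the page only states A and F.

SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
    "x-xss-protection",
)

# Constructed sample response headers for a site that set five of the seven.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Powered-By": "PHP/8.2.10",
}


def grade_security_headers(headers):
    """Return (grade, present, missing) for a dict of response headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    present = [h for h in SECURITY_HEADERS if h in lowered]
    # X-Content-Type-Options has exactly one meaningful value; any other
    # value is treated as absent rather than credited.
    if lowered.get("x-content-type-options", "nosniff").lower() != "nosniff":
        present.remove("x-content-type-options")
    missing = [h for h in SECURITY_HEADERS if h not in present]
    ratio = len(present) / len(SECURITY_HEADERS)
    for grade, threshold in (("A", 0.8), ("B", 0.6), ("C", 0.4), ("D", 0.2)):
        if ratio >= threshold:
            return grade, present, missing
    return "F", present, missing


if __name__ == "__main__":
    grade, present, missing = grade_security_headers(SAMPLE_HEADERS)
    print(f"Grade {grade}: {len(present)}/{len(SECURITY_HEADERS)} headers present")
    for header in missing:
        print(f"  missing: {header}")
```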
The first thing any header checker reports is the HTTP status code. 2xx codes mean success — 200 OK is the standard response for a successful page load. 3xx codes are redirects — 301 is a permanent redirect that passes SEO value, while 302 is temporary and does not. 4xx codes are client errors — 404 means not found, 403 means access is forbidden. 5xx codes are server errors — 500 is a generic internal error, 503 means temporarily unavailable. When a redirect is returned, our tool shows the redirect target so you can immediately check the destination with one click. Combine this with our WHOIS Lookup to verify domain ownership of the redirect target.
The method for setting HTTP response headers depends on your server software. In Apache, add them to your .htaccess file using Header always set directives. In Nginx, use add_header directives inside your server or location blocks. On Cloudflare, use Transform Rules to inject headers at the edge without modifying your origin server. After any change, re-run this checker to confirm the headers are being served correctly, then verify your full SSL configuration with our SSL Checker and confirm your domain resolves correctly using our DNS Lookup.
Caching headers are among the most impactful HTTP headers for web performance. Cache-Control is the primary directive: values like max-age=3600 allow caching for one hour, no-cache requires revalidation before use, and no-store prevents caching entirely. ETag provides a fingerprint of the resource version; browsers send it back with If-None-Match and receive a lightweight 304 Not Modified if nothing changed. Last-Modified serves the same purpose using timestamps. To understand which CDN or network is serving a domain, combine this tool with our ASN Lookup to identify the network operator.
X-Powered-By discloses your server-side technology stack — for example, PHP/8.2.10 or ASP.NET. While not a vulnerability itself, advertising your exact software version gives attackers a head start. Best practice is to suppress it in production: in PHP, set expose_php = Off in php.ini; in Express/Node.js, call app.disable('x-powered-by'). You can investigate the hosting provider behind any domain using our ASN Lookup tool.
When rolling out HSTS, start with a short max-age (e.g. 3600) to test, then increase to 31536000 once you are confident. Add includeSubDomains only after confirming all subdomains have valid certificates — verify this with a DNS Lookup to see all your subdomains.
If the server listens on a non-standard port, include it in the URL (e.g. example.com:8443/health). If a connection fails, use our Port Checker to confirm the port is open, our Ping Test to verify basic reachability, and our DNS Lookup to confirm the domain resolves to the correct IP address.
Cloudflare adds a CF-Ray header to every response. Our tool detects this and displays “Cloudflare” in the CDN field. Other CDNs identify themselves via the Via header. Knowing that a CDN is present helps explain caching behaviour. For deeper network routing analysis, use our ASN Lookup to identify the hosting network, or our Reverse DNS tool to look up the PTR record for any IP address.
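The staged rollout above, checked programmatically, as an added example rather than code from the tool: it parses a Strict-Transport-Security value and reports which stage it is at. The stage names and the one-year boundary between "testing" and "production" are this example's own choices.

```python
# Added example (not the tool's own code): parse a Strict-Transport-Security
# value and classify it against the staged rollout described above. The stage
# names and the one-year cut-off for "production" are this example's choice.
import re

ONE_YEAR = 31536000


def parse_hsts(value):
    """Return the directives of an HSTS header value as a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            # RFC 6797 allows the number to be quoted; anything else is invalid.
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match:
                policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_rollout_stage(value, all_subdomains_verified):
    """Return (stage, warnings) for an HSTS header value.

    stage is "invalid" (no usable max-age), "disabled" (max-age=0, which
    tells browsers to forget the policy), "testing" (shorter than one year)
    or "production" (one year or longer).
    """
    policy = parse_hsts(value)
    max_age = policy["max_age"]
    if max_age is None:
        return "invalid", ["max-age directive missing or malformed"]
    if max_age == 0:
        return "disabled", []
    warnings = []
    if policy["include_subdomains"] and not all_subdomains_verified:
        warnings.append("includeSubDomains is set but not every subdomain "
                        "is confirmed to serve a valid certificate")
    stage = "production" if max_age >= ONE_YEAR else "testing"
    return stage, warnings


if __name__ == "__main__":
    print(hsts_rollout_stage("max-age=3600", True))
    print(hsts_rollout_stage("max-age=31536000; includeSubDomains", False))
```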