
HTTP Header Checker

Inspect HTTP response headers for any URL. Free online HTTP header checker — CORS, cache, security headers. No signup, browser-based tool.

Paste raw response headers. Browser CORS rules prevent reliable cross-origin header probing from client-side tools.
Present (4): strict-transport-security, x-content-type-options, x-frame-options, referrer-policy
Missing (2): content-security-policy, permissions-policy

How it works

The HTTP Header Checker fetches the HTTP response headers for any URL and displays them in a readable table — showing status code, cache directives, security headers, content type, CORS headers, and all other response metadata.

HTTP response headers carry critical information about how a server handles content delivery, caching, security, and cross-origin access. Many common issues — slow page loads, broken CORS requests, insecure cookies, missing security policies — are diagnosed by reading the response headers. Browser DevTools show headers for the current page; this tool checks any URL.

How to use it: enter any URL. The tool makes a request through a proxy (because direct cross-origin requests are blocked by browsers) and displays all response headers. Security headers are flagged with pass/fail indicators.

Security header analysis:
- Strict-Transport-Security (HSTS): forces HTTPS
- Content-Security-Policy (CSP): prevents XSS
- X-Frame-Options: prevents clickjacking
- X-Content-Type-Options: prevents MIME sniffing
- Referrer-Policy: controls referrer header
- Permissions-Policy: controls browser features (camera, geolocation)
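An added example (not the tool's own code) of the security header check described above, run against a pasted raw header block: it parses the block, reports which of the six headers are present or missing, and flags a few weak values. The function names, the value checks, and the sample response are assumptions of this sketch.

```javascript
// Added example: audit a pasted raw response header block (names are case-insensitive).
// The six header names are the page's; the value checks are assumptions of this sketch.
const nonEmpty = v => (v.trim() ? null : 'empty value');
const CHECKS = {
  'strict-transport-security': v => {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(v);
    if (!m) return 'no max-age directive';
    return Number(m[1]) > 0 ? null : 'max-age=0 removes the HSTS entry';
  },
  'content-security-policy': nonEmpty,
  'x-content-type-options': v => (/^nosniff$/i.test(v.trim()) ? null : 'expected nosniff'),
  'x-frame-options': v => (/^(deny|sameorigin)$/i.test(v.trim()) ? null : 'expected DENY or SAMEORIGIN'),
  'referrer-policy': nonEmpty,
  'permissions-policy': nonEmpty,
};

function parseRawHeaders(raw) {
  const headers = new Map();
  let started = false;
  for (const line of raw.split(/\r?\n/)) {
    if (line.trim() === '') { if (started) break; continue; } // blank line ends the header block
    started = true;
    const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$/.exec(line);
    if (!m) continue; // status line or malformed line
    const name = m[1].toLowerCase();
    headers.set(name, [...(headers.get(name) || []), m[2]]); // keep repeated headers
  }
  return headers;
}

function auditSecurityHeaders(raw) {
  const headers = parseRawHeaders(raw);
  const report = { present: [], missing: [], weak: [] };
  for (const [name, check] of Object.entries(CHECKS)) {
    const values = headers.get(name);
    if (!values) { report.missing.push(name); continue; }
    report.present.push(name);
    for (const v of values) {
      const problem = check(v);
      if (problem) report.weak.push(`${name}: ${problem}`);
    }
  }
  return report;
}
// Constructed sample: the CSP-looking line follows the blank line, so it is body text.
const SAMPLE = ['HTTP/1.1 200 OK', 'Strict-Transport-Security: max-age=0',
  'x-content-type-options: nosniff', 'X-Frame-Options: ALLOWALL',
  'Referrer-Policy: no-referrer', '', 'Content-Security-Policy: not a header'].join('\r\n');
console.log(auditSecurityHeaders(SAMPLE));
```

A header that is present can still fail to protect: in the sample, HSTS and X-Frame-Options both count as present but carry values that provide no protection.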

Cache header analysis:
- Cache-Control: max-age, no-cache, no-store, public/private
- ETag and Last-Modified: conditional request validators
- Vary: indicates which request headers affect caching

Note: some URLs may not be accessible due to firewall rules, authentication requirements, or CORS restrictions that prevent the proxy from fetching them.

Frequently Asked Questions

Can it check headers for any URL?
The tool can fetch headers for publicly accessible URLs. URLs behind authentication, on private networks, or blocked by firewall rules cannot be fetched. HTTPS URLs are supported; the tool follows up to 3 redirects.

What is the most important security header to add?
Content-Security-Policy (CSP) has the highest security impact — it prevents XSS by whitelisting allowed content sources. However, it's also the most complex to configure correctly. For a quick win, add Strict-Transport-Security (HSTS) and X-Content-Type-Options: nosniff first.

Why doesn't my Cache-Control header appear?
Some servers only send Cache-Control on second requests (when the resource is cached). Make sure you're checking the resource URL directly, not a CDN edge URL that may strip headers.

What does 'CORS header missing' mean?
Cross-Origin Resource Sharing (CORS) headers (Access-Control-Allow-Origin) are required when a web page on domain A makes an API request to domain B. Missing CORS headers cause browser errors for API consumers. Server-rendered pages don't need CORS headers.