HTTP Header Checker

Last updated: February 22, 2026

Our free HTTP header checker inspects the response headers returned by any URL and grades its security posture. Enter a URL to see every response header the server sends — including Content-Type, Cache-Control, security headers, and custom headers — along with a security analysis scoring 7 critical headers. This HTTP header checker helps web developers, sysadmins, and security professionals audit websites for proper header configuration.

What Are HTTP Headers?

HTTP headers are metadata sent between your browser and a web server with every request and response. They contain information about content type, caching policies, security settings, server software, and more. Using an HTTP header checker to inspect these headers helps diagnose issues and assess a website’s security posture. Headers are invisible to most users but play a critical role in how browsers handle content, cache resources, and enforce security policies. The full list of standard headers is maintained in the MDN HTTP Headers reference.

What Does This Tool Check?

Our HTTP header checker fetches the response headers from any URL and analyzes them in two ways:

  • All response headers — Every header returned by the server, including Content-Type, Cache-Control, Server, X-Powered-By, and any custom headers
  • Security header analysis — A focused review of 7 critical security headers with an overall letter grade (A through F)

Security Headers Explained

The HTTP header checker evaluates these important security headers that protect against common web attacks. The OWASP Secure Headers Project provides detailed guidance on each of these:

  • Strict-Transport-Security (HSTS) — Tells the browser to use HTTPS for every future visit to the host, preventing protocol downgrade attacks and cookie theft over plain HTTP. A strong policy includes max-age=31536000; includeSubDomains. Browsers ignore HSTS received over plain HTTP, so check the HTTPS URL, and the policy only protects a user after their first HTTPS visit unless the domain is on the browser preload list.
  • Content-Security-Policy (CSP) — Controls which resources the browser can load (scripts, styles, images, fonts), mitigating cross-site scripting (XSS) and data injection attacks. This is the most impactful security header and also the hardest to deploy on an existing site, because inline scripts and third-party resources must be allowed explicitly. Roll it out with Content-Security-Policy-Report-Only first and enforce it once the violation reports are clean.
  • X-Content-Type-Options — Prevents MIME-type sniffing. Should always be set to nosniff to stop browsers from interpreting files as a different content type.
  • X-Frame-Options — Prevents clickjacking attacks by controlling whether the page can be embedded in iframes. Common values are DENY or SAMEORIGIN. Modern browsers prefer CSP's frame-ancestors directive, which takes precedence when both are present; setting both covers older clients.
  • X-XSS-Protection — Legacy XSS filter from older versions of Chrome, Edge, Safari and Internet Explorer. Current browsers have removed the filter, and OWASP recommends the explicit value 0 because the filter itself could be abused to leak information. Do not treat this header as a control; rely on CSP instead.
  • Referrer-Policy — Controls how much of the current URL is sent in the Referer header on navigations and subresource requests. strict-origin-when-cross-origin is a good default; unsafe-url leaks full URLs, including query strings, to third parties.
  • Permissions-Policy — Controls which browser features (camera, microphone, geolocation, payment) the page and its embedded frames can use. Disabling features you do not use, for example camera=(), microphone=(), geolocation=(), limits what an XSS payload or a malicious third-party frame can do.

Understanding the Security Grade

The security grade reflects how many of the 7 security headers are present and properly configured: A (6–7 headers), B (4–5), C (3), D (1–2), F (0). The scale weights all seven equally, so treat the grade as a checklist rather than a risk score: HSTS and CSP provide most of the security benefit, while X-XSS-Protection is legacy and counts for little in practice. Focus on implementing the high-impact headers first, then run the HTTP header checker again to confirm your improvements.
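As an added illustration of the grading rules in this section and the header criteria listed under Security Headers Explained, here is a small JavaScript grader written for this article; it is not the tool's own code. The acceptance criteria for each header (for instance, HSTS needing a max-age of at least one year, or X-Frame-Options being DENY or SAMEORIGIN) are assumptions drawn from the page's recommendations, and the sample header sets are constructed rather than captured from any real site.

```javascript
// Added example: a minimal re-implementation of the grading logic this page
// describes. Written for this article, not taken from the tool's source.
// Header names are compared case-insensitively (HTTP/2 sends them lowercased).

const ONE_YEAR = 31536000;

// One check per graded header; each returns { ok, note }.
// Assumed acceptance criteria based on the page's text and OWASP guidance;
// the real tool's thresholds may differ.
const CHECKS = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    const age = m ? Number(m[1]) : 0;
    if (!m) return { ok: false, note: "missing max-age" };
    if (age < ONE_YEAR) return { ok: false, note: `max-age ${age} is under one year` };
    return { ok: true, note: /includeSubDomains/i.test(v) ? "strong" : "consider includeSubDomains" };
  },
  "content-security-policy": (v) => {
    const weak = /'unsafe-inline'|'unsafe-eval'/i.test(v);
    return { ok: true, note: weak ? "present but allows unsafe-inline/unsafe-eval" : "present" };
  },
  "x-content-type-options": (v) => ({ ok: v.trim().toLowerCase() === "nosniff", note: v }),
  "x-frame-options": (v) => ({ ok: /^(deny|sameorigin)$/i.test(v.trim()), note: v }),
  // The page's grade counts this header when present; OWASP recommends the
  // explicit value 0 because the legacy filter itself could be abused.
  "x-xss-protection": (v) => ({ ok: true, note: v.trim() === "0" ? "disabled (recommended)" : "legacy filter enabled" }),
  "referrer-policy": (v) => ({ ok: !/unsafe-url/i.test(v), note: v }),
  "permissions-policy": (v) => ({ ok: true, note: v }),
};

// Lowercase every header name so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// The page's scale: A (6-7), B (4-5), C (3), D (1-2), F (0).
function letterGrade(count) {
  if (count >= 6) return "A";
  if (count >= 4) return "B";
  if (count === 3) return "C";
  if (count >= 1) return "D";
  return "F";
}

// Returns { grade, passed, findings } for a header map (name -> value).
function analyzeSecurityHeaders(headers) {
  const h = normalize(headers);
  const findings = {};
  let passed = 0;
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in h)) { findings[name] = { ok: false, note: "missing" }; continue; }
    const result = check(h[name]);
    findings[name] = result;
    if (result.ok) passed += 1;
  }
  return { grade: letterGrade(passed), passed, findings };
}

// Constructed sample responses (not captured from any real site).
const HARDENED = {
  "Content-Type": "text/html; charset=utf-8",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "X-XSS-Protection": "0",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

const PARTIAL = {
  "content-type": "text/html",
  "strict-transport-security": "max-age=300", // too short: does not count
  "x-content-type-options": "nosniff",
  "x-frame-options": "SAMEORIGIN",
  "referrer-policy": "no-referrer",
  "server": "nginx",
};

console.log(analyzeSecurityHeaders(HARDENED).grade); // A
console.log(analyzeSecurityHeaders(PARTIAL).grade);  // C
```

To run it against a live site, replace the constructed maps with the result of `fetch(url)` and pass `Object.fromEntries(response.headers)` to `analyzeSecurityHeaders`; the per-header `findings` show which values were accepted and why.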

Common Response Headers

Beyond security, response headers control many aspects of web behavior:

  • Content-Type — Specifies the media type of the response (e.g., text/html; charset=utf-8)
  • Cache-Control — Directs how browsers and CDNs should cache the response
  • Server — Identifies the web server software (e.g., nginx, Apache). Trimming the version (server_tokens off in Nginx, ServerTokens Prod in Apache) denies attackers an easy fingerprint, though this is hygiene rather than a real control.
  • Set-Cookie — Sets cookies with attributes like HttpOnly, Secure, and SameSite. A session cookie should carry all three, for example Set-Cookie: session=<id>; HttpOnly; Secure; SameSite=Lax.
  • X-Powered-By — Reveals the backend technology (e.g., Express, PHP). Remove it to avoid information leakage: in Express, app.disable('x-powered-by'); in PHP, expose_php = Off.

How to Improve Your Security Grade

Most web servers and frameworks make it easy to add security headers. In Nginx, use add_header in the server block, with the always parameter so the header is also sent on error responses, and remember that an add_header inside a location block replaces rather than extends the inherited set. In Apache, use Header always set. For application frameworks like Laravel, Express, or Django, middleware can add headers globally (Express apps commonly use the helmet package; Django's SecurityMiddleware exposes settings such as SECURE_HSTS_SECONDS and SECURE_CONTENT_TYPE_NOSNIFF). Start with HSTS and X-Content-Type-Options (both easy to implement), then work toward a Content-Security-Policy that fits your application's needs, deploying it in report-only mode first. After making changes, use this HTTP header checker to verify your headers are correctly applied and your security grade has improved.
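As an added example (not code from Express, Helmet or this tool), here is an Express-style middleware that applies the headers discussed above. It assumes only the standard (req, res, next) signature and the res.setHeader()/res.removeHeader() methods of Node's response object, so it is exercised here against a stub response; the directive set in the default CSP is an illustrative starting point, not a policy that fits every application.

```javascript
// Added example: Express-style middleware that sets the seven graded headers
// plus X-Powered-By removal. Written for this article; not Express, Helmet
// or the tool's own code.

// Build a Content-Security-Policy value from a directives object so the
// policy lives in one reviewable place instead of a hand-edited string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Returns a middleware. Pass { reportOnly: true } while tuning CSP so
// violations are reported (if report-to/report-uri is set) but not blocked.
function securityHeaders({ csp, reportOnly = false } = {}) {
  const policy = buildCsp(csp || {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"], // modern replacement for X-Frame-Options
    "base-uri": ["'self'"],
  });
  const cspName = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";

  return function (req, res, next) {
    // HSTS is only honoured when received over HTTPS; one year, all subdomains.
    res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
    res.setHeader(cspName, policy);
    res.setHeader("X-Content-Type-Options", "nosniff");
    res.setHeader("X-Frame-Options", "DENY");            // kept for older browsers
    res.setHeader("X-XSS-Protection", "0");              // disable the legacy filter
    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()");
    res.removeHeader("X-Powered-By");                    // Express adds this by default
    next();
  };
}

// Stub response so the middleware can be exercised without a running server.
// Header names are stored lowercased, as Node does internally.
function stubResponse() {
  const headers = new Map();
  return {
    headers,
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
  };
}

// Simulates one request through the middleware and returns what was set.
function applyToStub(options) {
  const res = stubResponse();
  res.setHeader("X-Powered-By", "Express"); // simulate the framework default
  let nextCalled = false;
  securityHeaders(options)({}, res, () => { nextCalled = true; });
  return { headers: res.headers, nextCalled };
}

console.log([...applyToStub().headers.keys()]);
```

In a real app register it before any route, `app.use(securityHeaders())`, so every response including error pages carries the headers; the same ordering rule applies to the Nginx and Apache directives mentioned above.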

Related Tools

To check a website’s SSL certificate details, use our SSL Certificate Checker. To see what your browser reveals to websites, try our User Agent Detector.