Skip to content
snip tools

HTTP header checker

Inspect the response status and headers of any URL — security, caching, redirects.

Fetched by our server, never stored. Private/localhost targets are blocked.

How to check HTTP headers

  1. Enter a URL. Paste a full URL (https:// is assumed if you omit it).
  2. Fetch the headers. Our server requests the URL and returns its response headers.
  3. Review. Inspect the status, security headers, caching and any redirect.

The four jobs headers do

Every HTTP response opens with a status line and a block of headers before any content. They fall into four buckets worth reading separately. Status & routing — the status code and any Location redirect tell you whether the request even reached the page you expected. CachingCache-Control, ETag, Age and Expires govern how long browsers and CDNs hold a copy. Security — a family of headers that harden the response (below). ContentContent-Type, Content-Encoding and Content-Length describe what came back and how it's packaged.

The security headers worth auditing

A handful of response headers are pure defense and easy to get wrong by omission. Strict-Transport-Security (HSTS) forces HTTPS so a downgrade attack can't strip encryption. Content-Security-Policy restricts where scripts, styles and frames may load from — the main lever against cross-site scripting. X-Content-Type-Options: nosniff stops the browser second-guessing a file's type, X-Frame-Options (or CSP frame-ancestors) blocks click-jacking, and Referrer-Policy controls how much URL data leaks to other sites. Checking a response for the absence of these is often more revealing than reading the ones that are present.

Why fetch it server-side

A browser can't read another origin's raw response headers from JavaScript — the same-origin policy and CORS hide them. This tool sidesteps that by fetching the URL from our server and returning the full header block, so you see exactly what a plain client sees with no extension required (the request is proxied for you and not stored). That makes it the quickest way to confirm a deploy shipped, verify a redirect chain, or work out why a CDN keeps serving a stale file. To inspect the site's TLS certificate instead, use the SSL checker.

Frequently asked questions

What does the HTTP header checker do?
It requests a URL from our server and shows the raw HTTP response status and headers — content type, caching, security headers, redirects and more.
Why check response headers?
Headers reveal a lot: whether security headers like Strict-Transport-Security and Content-Security-Policy are set, how caching is configured, which server or CDN responds, and whether the URL redirects.
Does it follow redirects?
No — it shows the first response so you can see the redirect status and Location header. Follow up by checking the destination URL directly.
Can I check localhost or internal IPs?
No. For safety, requests to localhost and private network ranges are blocked. Use it for public URLs.
Is my request logged?
No. The URL is fetched by our server and the headers are returned to you. Nothing is stored.