HTTP header checker
Inspect the response status and headers of any URL — security, caching, redirects.
Fetched by our server, never stored. Private/localhost targets are blocked.
How to check HTTP headers
- Enter a URL. Paste a full URL (https:// is assumed if you omit it).
- Fetch the headers. Our server requests the URL and returns its response headers.
- Review. Inspect the status, security headers, caching and any redirect.
The four jobs headers do
Every HTTP response opens with a status line and a block of headers before any content. They fall into four
buckets worth reading separately. Status & routing — the status code and any
Location redirect tell you whether the request even reached the page you expected.
Caching — Cache-Control, ETag, Age and
Expires govern how long browsers and CDNs hold a copy. Security — a family of
headers that harden the response (below). Content — Content-Type,
Content-Encoding and Content-Length describe what came back and how it's packaged.
The security headers worth auditing
A handful of response headers are pure defense and easy to get wrong by omission.
Strict-Transport-Security (HSTS) forces HTTPS so a downgrade attack can't strip encryption.
Content-Security-Policy restricts where scripts, styles and frames may load from — the main
lever against cross-site scripting. X-Content-Type-Options: nosniff stops the browser
second-guessing a file's type, X-Frame-Options (or CSP frame-ancestors) blocks
click-jacking, and Referrer-Policy controls how much URL data leaks to other sites. Checking a
response for the absence of these is often more revealing than reading the ones that are present.
Why fetch it server-side
A browser can't read another origin's raw response headers from JavaScript — the same-origin policy and CORS hide them. This tool sidesteps that by fetching the URL from our server and returning the full header block, so you see exactly what a plain client sees with no extension required (the request is proxied for you and not stored). That makes it the quickest way to confirm a deploy shipped, verify a redirect chain, or work out why a CDN keeps serving a stale file. To inspect the site's TLS certificate instead, use the SSL checker.
Frequently asked questions
- It requests a URL from our server and shows the raw HTTP response status and headers — content type, caching, security headers, redirects and more.
- Headers reveal a lot: whether security headers like Strict-Transport-Security and Content-Security-Policy are set, how caching is configured, which server or CDN responds, and whether the URL redirects.
- No — it shows the first response so you can see the redirect status and Location header. Follow up by checking the destination URL directly.
- No. For safety, requests to localhost and private network ranges are blocked. Use it for public URLs.
- No. The URL is fetched by our server and the headers are returned to you. Nothing is stored.