HTTP Header Inspector - Check Response Headers

How to Use the HTTP Header Inspector

Enter any URL and click Inspect. The tool fetches the URL’s response headers and displays them in a formatted table. Security-related headers are highlighted with status indicators so you can quickly assess whether a site follows security best practices. The tool shows both common headers and any custom headers returned by the server.

Understanding HTTP Response Headers

HTTP response headers are metadata sent by a web server alongside every response. They control browser behavior including caching, security policies, content negotiation, and cookie handling. While invisible to end users, headers are critical for web security, performance, and correct functionality.

Essential Security Headers

Modern web security relies heavily on response headers to protect users from common attacks:

Header                     | Protection against   | Recommended value
Content-Security-Policy    | XSS, data injection  | Strict policy limiting sources
Strict-Transport-Security  | Protocol downgrade   | max-age=31536000; includeSubDomains
X-Frame-Options            | Clickjacking         | DENY or SAMEORIGIN
X-Content-Type-Options     | MIME sniffing        | nosniff
Referrer-Policy            | Information leakage  | strict-origin-when-cross-origin
Permissions-Policy         | Feature abuse        | Restrict camera, microphone, etc.

Content-Security-Policy (CSP)

CSP is the most powerful security header, defining which sources of content the browser is allowed to load. A well-configured CSP prevents cross-site scripting (XSS) by restricting where scripts, styles, images, and other resources can be loaded from. Implementing CSP is one of the most effective defenses against injection attacks.

Strict-Transport-Security (HSTS)

HSTS tells browsers to always use HTTPS for the domain, even if the user types http:// or follows an HTTP link. This prevents protocol downgrade attacks where an attacker intercepts the initial HTTP request before the redirect to HTTPS. Once a browser receives an HSTS header, it automatically upgrades all future requests to HTTPS for the period specified by max-age.

Caching Headers and Performance

Caching headers significantly impact website performance by controlling how browsers and CDNs store and reuse responses:

Header         | Purpose                          | Example
Cache-Control  | Caching rules and duration       | max-age=3600, public
ETag           | Unique version identifier        | "33a64df551425fcc55e4d42a148795d9f25f89d4"
Last-Modified  | Resource modification timestamp  | Wed, 21 Oct 2025 07:28:00 GMT
Vary           | Cache key variation              | Accept-Encoding

Proper caching configuration reduces server load and improves page load speed. Static assets like images, CSS, and JavaScript should have long cache durations, while dynamic content like API responses may need shorter durations or revalidation.

Diagnosing Common Header Issues

Missing Security Headers

A site without security headers is vulnerable to multiple attack vectors. Use this tool to audit your site and identify which headers are missing. Start by adding X-Content-Type-Options and X-Frame-Options, which are simple to configure and provide immediate protection.
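The audit described here, and the recommended values in the table above, can be expressed as a small offline check. This is an added example, not the inspector's own code; the header names, accepted values and the constructed SAMPLE_HEADERS are taken from or modelled on this page, and treating max-age=31536000 as the minimum acceptable HSTS lifetime is an assumption.

```python
import re
# Values from the recommendations table above; treating max-age=31536000 as the
# minimum acceptable HSTS lifetime is this example's assumption.
HSTS_MIN_AGE = 31536000
SIMPLE_CHECKS = {  # header -> accepted values (None = any non-empty value accepted)
    "X-Frame-Options": ("deny", "sameorigin"),
    "X-Content-Type-Options": ("nosniff",),
    "Referrer-Policy": None,
    "Permissions-Policy": None,
}

def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_csp(value):
    """A CSP that still permits inline scripts or a bare wildcard source is weak."""
    tokens = [t.strip(";") for t in value.split()]
    weak = "'unsafe-inline'" in tokens or "*" in tokens
    return ("weak", "allows inline scripts or a wildcard source") if weak else ("ok", value)

def check_hsts(value):
    """Require a one-year max-age and includeSubDomains, as recommended above."""
    age = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    ok = age and int(age.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in value.lower()
    return ("ok", value) if ok else ("weak", "max-age under one year or no includeSubDomains")

def audit_headers(headers):
    """Return {header: (status, note)} with status 'ok', 'weak' or 'missing'."""
    report = {}
    for name, check in {"Content-Security-Policy": check_csp,
                        "Strict-Transport-Security": check_hsts}.items():
        value = get_header(headers, name)
        report[name] = check(value) if value is not None else ("missing", "header absent")
    for name, accepted in SIMPLE_CHECKS.items():
        value = get_header(headers, name)
        if value is None:
            report[name] = ("missing", "header absent")
        elif accepted and value.strip().lower() not in accepted:
            report[name] = ("weak", f"unexpected value {value!r}")
        else:
            report[name] = ("ok", value)
    return report

# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "ALLOWALL",
    "x-content-type-options": "nosniff",
}
```

Running audit_headers(SAMPLE_HEADERS) reports the CSP, Referrer-Policy and Permissions-Policy as missing, HSTS and X-Frame-Options as weak, and only X-Content-Type-Options as ok.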

CORS Issues

Cross-Origin Resource Sharing (CORS) headers control which origins can access your API from a browser. The Access-Control-Allow-Origin header specifies permitted origins. Missing or overly restrictive CORS headers cause cross-origin API calls from frontend applications to fail with browser security errors.

Incorrect Content-Type

The Content-Type header tells the browser how to interpret the response body. Serving JavaScript with a text/plain content type or JSON without application/json can cause parsing failures and security warnings.

For verifying the SSL certificate behind the HTTPS connection, use the SSL Certificate Checker. To check DNS configuration and verify that the domain resolves correctly, use the DNS Lookup tool.

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are response headers that instruct browsers to enable security features. Key headers include Content-Security-Policy (prevents XSS), Strict-Transport-Security (enforces HTTPS), X-Frame-Options (prevents clickjacking), and X-Content-Type-Options (prevents MIME sniffing).

How do I check if a website has proper security headers?

Enter the website URL in this tool and click Inspect. The results highlight security-related headers and flag missing critical headers. Look for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options in the response.

What does the Cache-Control header do?

Cache-Control tells browsers and CDNs how long to cache a response and under what conditions. Values like max-age=3600 cache for one hour, no-cache requires revalidation before using cached content, and no-store prevents caching entirely. Proper caching improves performance while ensuring users see fresh content.