HTTP Headers Checker

Enter any URL to inspect its HTTP response headers and analyse security header configuration.

Headers are fetched via a CORS proxy. Response times reflect proxy latency, not the origin server directly, and because the proxy sits between you and the origin, the headers shown are the ones the proxy returns; confirm anything critical directly against the origin (for example with curl -I).

What are HTTP headers?

HTTP headers are metadata sent with every request and response between a browser and a web server. Response headers tell the browser how to handle the content — caching rules, content type, security policies, compression, and more. They're invisible to normal users but critical for performance, security, and correct behaviour.

Why security headers matter

Security headers are a browser-enforced layer of defence in depth, not a substitute for fixing the underlying bug. A properly configured set mitigates cross-site scripting (XSS), clickjacking, MIME sniffing, protocol downgrade attacks and referrer leaks. Most of them can be added at the web server, reverse proxy or CDN without touching application code; the exception is a strict Content-Security-Policy, which usually means moving inline scripts into files or tagging them with nonces.

Strict-Transport-Security (HSTS)

Tells browsers to connect to the site only over HTTPS, even if the user types http:// or follows an http:// link, which defeats SSL stripping and other protocol downgrade attacks. Browsers only honour the header when it arrives over HTTPS, so send it on the HTTPS response. max-age should be at least one year (31536000 seconds); max-age=0 tells the browser to forget the policy. includeSubDomains extends the policy to every subdomain (check first that no subdomain still needs plain HTTP). The preload directive marks the site as a candidate for the browser preload lists, which require a max-age of at least one year plus includeSubDomains and a submission at hstspreload.org; without preloading, the very first visit to a host is still unprotected until the header has been seen once.
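The following is an added example, not code from the checker above: it parses a Strict-Transport-Security value and reports the same gaps a reviewer would look for (short max-age, missing includeSubDomains, a preload flag the policy does not qualify for). Function names and the sample header values are constructed for this example.

```python
# Added example (not part of the original tool): parse and grade a
# Strict-Transport-Security header value.

PRELOAD_MIN_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_hsts(value):
    """Split an HSTS value into {directive: value}; names are case-insensitive.

    max-age carries an integer; includeSubDomains and preload are flags with an
    empty value. RFC 6797 allows quoted values, so surrounding quotes are removed.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(value):
    """Return a list of findings for an HSTS header value; [] means the policy is complete.

    `value` is the header as received over HTTPS (browsers ignore HSTS sent over
    plain http://), or None if the header is absent.
    """
    if value is None:
        return ["missing: browsers will keep accepting http:// for this host"]
    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        # max-age is mandatory; a header without a valid one is ignored entirely
        return ["invalid: max-age is required and must be an integer, so browsers ignore the header"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears any stored policy for this host")
    elif max_age < PRELOAD_MIN_AGE:
        findings.append(f"max-age={max_age} is below one year ({PRELOAD_MIN_AGE})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay reachable over http://")
    if "preload" not in d:
        findings.append("preload missing: the first visit is unprotected until the header is seen")
    elif max_age < PRELOAD_MIN_AGE or "includesubdomains" not in d:
        findings.append("preload set, but the policy does not meet the preload-list requirements")
    return findings


if __name__ == "__main__":
    # Constructed sample values, from weakest to complete.
    for header in ("max-age=300",
                   "max-age=31536000; preload",
                   "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", assess_hsts(header) or "ok")
```

Run it directly to see the verdict for each sample; feed it the value your server actually returns to audit your own policy.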

Content-Security-Policy (CSP)

The most powerful security header. CSP tells the browser which sources of content (scripts, styles, images, fonts, frames, and so on) it may load and, with nonces or hashes, exactly which inline scripts may run. A strict policy (a nonce- or hash-based script-src, object-src 'none', base-uri 'none') is the strongest browser-side mitigation for cross-site scripting (XSS); a host allowlist that still permits 'unsafe-inline' or broad sources such as https: gives little protection. Roll it out with Content-Security-Policy-Report-Only and a reporting endpoint (report-to, or the older report-uri) to find breakage before enforcing.
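As an added example (not the checker's own code), the block below parses a policy into directives and flags the constructs that leave XSS exploitable, applying the CSP3 rules that a nonce or hash makes 'unsafe-inline' inert and that 'strict-dynamic' makes host and scheme sources inert. The same function can be run on a Content-Security-Policy-Report-Only value while auditing. Function names and the two sample policies are constructed for this example.

```python
# Added example (not the tool's own code): parse a Content-Security-Policy value
# and flag the constructs that leave XSS exploitable.

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(value):
    """Return {directive: [source tokens]} for a serialised policy.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive. Browsers keep only the first occurrence of a directive,
    which setdefault() mirrors.
    """
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when not set explicitly."""
    return policy.get(directive, policy.get("default-src"))


def assess_csp(value):
    """Return findings for one policy; [] means none of the common weaknesses were found."""
    findings = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive you did not set is unrestricted")
    script_src = effective_sources(policy, "script-src")
    if script_src is None:
        findings.append("script-src unrestricted: neither script-src nor default-src is set")
    else:
        nonce_or_hash = any(t.startswith(NONCE_OR_HASH) for t in script_src)
        strict_dynamic = "'strict-dynamic'" in script_src
        for token in script_src:
            if token == "'unsafe-inline'" and not nonce_or_hash:
                # with a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'
                findings.append("script-src allows 'unsafe-inline': injected <script> runs")
            elif token == "'unsafe-eval'":
                findings.append("script-src allows 'unsafe-eval': eval() of injected strings runs")
            elif token in BROAD_SOURCES and not strict_dynamic:
                # with 'strict-dynamic', host and scheme sources are ignored
                findings.append(f"script-src allows {token}: any script from that source loads")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can execute script")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: framing control relies on X-Frame-Options alone")
    return findings


# Constructed sample policies: a typical host allowlist, and a nonce-based strict
# policy whose 'unsafe-inline' and https: tokens are only fallbacks for pre-CSP3 browsers.
ALLOWLIST_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = ("default-src 'self'; "
              "script-src 'nonce-d2VsY29tZQ' 'strict-dynamic' 'unsafe-inline' https:; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("allowlist", ALLOWLIST_CSP), ("strict", STRICT_CSP)):
        print(label, "->", assess_csp(csp) or "no weaknesses found")
```

The allowlist policy produces five findings; the strict policy produces none, because the tokens it keeps for old browsers are neutralised by the nonce and 'strict-dynamic' in browsers that support CSP3.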

X-Frame-Options

Prevents the page from being loaded inside an <iframe>, blocking clickjacking attacks. Set it to DENY (never allow framing) or SAMEORIGIN (only allow same-origin frames); the older ALLOW-FROM value is not supported by current browsers and is silently ignored, which leaves the page frameable. The modern replacement is the Content-Security-Policy frame-ancestors directive, which can also list specific permitted origins. When both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options, so send both to cover older clients.
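An added example (not the checker's own code) that resolves the two headers the way a current browser does: frame-ancestors wins when present, otherwise X-Frame-Options applies, and ALLOW-FROM or an unrecognised value leaves the page frameable. The headers dict, function names and the partner origin are constructed for this example.

```python
# Added example (not the tool's own code): work out who may frame a page from
# its X-Frame-Options and CSP frame-ancestors headers. `headers` is a dict of
# lowercase header names to values.

def frame_ancestors_of(csp_value):
    """Return the frame-ancestors source list, or None if the policy lacks the directive."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_verdict(headers):
    """Return (who_may_frame, reason).

    frame-ancestors, when present, wins and X-Frame-Options is ignored.
    Otherwise DENY and SAMEORIGIN are honoured; ALLOW-FROM and anything
    unrecognised are ignored, which leaves the page frameable by anyone.
    Comma-separated multi-value X-Frame-Options headers are out of scope here.
    """
    ancestors = frame_ancestors_of(headers.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):  # an empty source list also means 'none'
            return ("nobody", "CSP frame-ancestors 'none'")
        return (" ".join(ancestors), "CSP frame-ancestors (X-Frame-Options ignored)")
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return ("anyone", "no X-Frame-Options and no frame-ancestors")
    value = xfo.strip().upper()
    if value == "DENY":
        return ("nobody", "X-Frame-Options: DENY")
    if value == "SAMEORIGIN":
        return ("same origin only", "X-Frame-Options: SAMEORIGIN")
    if value.startswith("ALLOW-FROM"):
        return ("anyone", "ALLOW-FROM is not supported by current browsers, so the header is ignored")
    return ("anyone", f"unrecognised X-Frame-Options value {xfo!r} is ignored")


def recommended_framing_headers(allowed_origins=()):
    """Headers for a page that may be framed only by itself plus allowed_origins (nobody by default).

    Legacy clients that understand only X-Frame-Options will still block the
    third-party origins, since XFO cannot express an origin list.
    """
    if not allowed_origins:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_origins)}


if __name__ == "__main__":
    # Constructed responses: a legacy-only header, a conflicting pair, and an ignored ALLOW-FROM.
    for sample in ({"x-frame-options": "SAMEORIGIN"},
                   {"x-frame-options": "DENY",
                    "content-security-policy": "frame-ancestors 'self' https://partner.example"},
                   {"x-frame-options": "ALLOW-FROM https://partner.example"}):
        print(sample, "->", framing_verdict(sample))
```

The second sample is the one worth noticing: its X-Frame-Options says DENY, but the page is frameable by https://partner.example because frame-ancestors takes precedence.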

X-Content-Type-Options

Should always be set to nosniff. It stops browsers from guessing the content type (MIME sniffing), which can turn an innocent-looking file, such as a user upload served as text/plain, into an executable script. With nosniff set, a browser also refuses to run a <script> whose response is not a JavaScript MIME type and refuses to apply a stylesheet whose response is not text/css, so a wrongly typed resource fails safely instead of being sniffed into something dangerous.
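As an added example (not the checker's own code), the block below implements the Fetch standard's nosniff check: given a response's headers and the request destination, it says whether a nosniff-aware browser would block the load. MIME type extraction is simplified to the lowercased type/subtype before any parameter; the headers dict, function names and sample values are constructed for this example.

```python
# Added example (not the tool's own code): decide whether a browser with nosniff
# in effect would block a response, per the Fetch standard's
# "should response to request be blocked due to nosniff?" check.

# JavaScript MIME type essences as listed by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}
# Request destinations that the standard treats as script-like.
SCRIPT_LIKE_DESTINATIONS = {"script", "worker", "sharedworker", "serviceworker",
                            "audioworklet", "paintworklet"}


def mime_essence(content_type):
    """'text/html; charset=utf-8' -> 'text/html'; missing or empty -> None (simplified parse)."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def nosniff_enabled(headers):
    """The header is a list; only a first member equal to 'nosniff' (case-insensitive) counts."""
    value = headers.get("x-content-type-options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers, destination):
    """headers: lowercase-name dict for the response; destination: the request's fetch destination."""
    if not nosniff_enabled(headers):
        return False  # the MIME check is skipped; other browser blocking may still apply
    essence = mime_essence(headers.get("content-type"))
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # images, fetch(), navigations and so on are not affected by nosniff


if __name__ == "__main__":
    # Constructed scenario: a user upload served as text/plain, pulled in via <script src>.
    upload = {"content-type": "text/plain"}
    print("without nosniff, script load blocked:", blocked_by_nosniff(upload, "script"))
    upload["x-content-type-options"] = "nosniff"
    print("with nosniff, script load blocked:   ", blocked_by_nosniff(upload, "script"))
```

The scenario in the main block is the one the header exists for: the same text/plain upload is accepted as a script without nosniff and rejected with it.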

Referrer-Policy

Controls how much of the referring URL is sent with navigations and subresource requests. strict-origin-when-cross-origin is a good default: it sends the full URL (minus fragment and credentials) for same-origin requests, only the origin for cross-origin requests, and nothing at all when going from HTTPS to HTTP. Chrome 85 and later and Firefox 87 and later already use it when no header is set, but setting it explicitly removes the dependency on that default. Use no-referrer where even the origin is sensitive, and avoid unsafe-url, which leaks full URLs including query strings to third parties.
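An added example (not the checker's own code) that works through the Referrer Policy spec's "determine request's referrer" algorithm for every policy value, so you can see what a given page URL leaks to a given destination. It is simplified (no 4096-byte truncation, no default-port normalisation); the header parsing follows the spec rule that the last recognised value in a comma-separated header wins. The URLs, hostnames and function names are constructed for this example.

```python
# Added example (not the tool's own code): compute the Referer value a browser
# sends under each Referrer-Policy for a source page and a destination URL.
from urllib.parse import urlsplit, urlunsplit

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
}
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # used when the header sets no policy


def parse_referrer_policy(header_value):
    """The header may list several policies; the last recognised one wins, unknown tokens are dropped."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen


def origin_of(url):
    """scheme://host[:port], with any user:password@ removed (no default-port normalisation)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.rsplit('@', 1)[-1].lower()}"


def strip_for_referrer(url):
    """Remove credentials and the fragment, as the spec does before sending any referrer."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referrer_for(policy, source, destination):
    """Return the Referer value (str), or None when nothing is sent."""
    policy = policy or DEFAULT_POLICY
    full = strip_for_referrer(source)
    origin = origin_of(source) + "/"
    same = origin_of(source) == origin_of(destination)
    # "downgrade": leaving a potentially trustworthy (https) page for a non-trustworthy one
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed source page with a query string worth protecting.
    source = "https://app.example/account/settings?tab=billing#top"
    for dest in ("https://app.example/help", "https://cdn.example/lib.js", "http://tracker.example/"):
        for policy in sorted(KNOWN_POLICIES):
            print(f"{policy:32} -> {dest:30} {referrer_for(policy, source, dest)}")
```

Reading the table the main block prints shows the difference that matters in practice: no-referrer-when-downgrade hands the full path and query string to cdn.example, while strict-origin-when-cross-origin sends only https://app.example/ there and nothing to the http:// tracker.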

Permissions-Policy

Restricts which browser features and APIs the page and its iframes may use, by giving each feature an allowlist of origins: camera=(), microphone=(), geolocation=() disables those three for everyone, camera=(self) restricts the feature to the page's own origin, and a quoted origin such as geolocation=(self "https://maps.example.com") delegates it to a specific embedded origin. If your site does not use the camera, microphone or geolocation, disabling them explicitly means a script injected through XSS cannot call those APIs either. It supersedes Feature-Policy, which used a different syntax.
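An added example (not the checker's own code): a simplified parser for the Permissions-Policy header plus a function that answers "may this origin use this feature?", so you can check that a lockdown actually covers the page's own origin and that a delegation only reaches the intended embed. The origins, feature names, sample header and function names are constructed for this example; the parser handles the common shapes (*, (), (self), (self "origin")) rather than the full Structured Fields grammar.

```python
# Added example (not the tool's own code): parse a Permissions-Policy header and
# decide whether a given origin may use a given feature.

def parse_permissions_policy(value):
    """Return {feature: allowlist}.

    allowlist is None for '*' (any origin), [] for '()' (nobody), otherwise a
    list holding 'self' and/or origins (quotes removed). Dictionary members are
    comma-separated and inner-list items are space-separated, so splitting on
    ',' first is safe.
    """
    policy = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        feature, _, allow = member.partition("=")
        feature = feature.strip().lower()
        allow = allow.strip()
        if allow == "*":
            policy[feature] = None
        elif allow.startswith("(") and allow.endswith(")"):
            policy[feature] = [tok.strip('"') for tok in allow[1:-1].split()]
        else:
            # lenient fallback: a single item written without parentheses
            policy[feature] = [allow.strip('"')]
    return policy


def feature_allowed(policy, feature, document_origin, requesting_origin):
    """True or False when the header decides; None when it says nothing about `feature`
    (the browser's built-in default for that feature then applies)."""
    if feature not in policy:
        return None
    allowlist = policy[feature]
    if allowlist is None:
        return True
    for entry in allowlist:
        if entry == "self" and requesting_origin == document_origin:
            return True
        if entry == requesting_origin:
            return True
    return False


def lockdown_header(unused_features):
    """Build the header value that disables features the site never uses."""
    return ", ".join(f"{feature}=()" for feature in unused_features)


if __name__ == "__main__":
    # Constructed header: camera off for everyone, microphone for the page itself,
    # geolocation delegated to one map embed, fullscreen open to all.
    header = 'camera=(), microphone=(self), geolocation=(self "https://maps.example.com"), fullscreen=*'
    policy = parse_permissions_policy(header)
    page = "https://app.example"
    for feature, who in (("camera", page), ("microphone", "https://widget.example"),
                         ("geolocation", "https://maps.example.com"), ("payment", page)):
        print(f"{feature:12} from {who:28} -> {feature_allowed(policy, feature, page, who)}")
    print("lockdown:", lockdown_header(["camera", "microphone", "geolocation"]))
```

The camera line in the output is the point made above: with camera=() even the page's own origin cannot open it, so a script injected into the page cannot either.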