
HTTP Header Checker

Inspect HTTP response headers and analyze security headers for any URL.

What This Tool Checks

Get a complete picture of your server's HTTP response headers and security posture.

Security Score

Get an instant percentage score showing how well a site implements recommended security headers.

Security Headers Analysis

Check for critical headers like HSTS, CSP, X-Frame-Options and more — with pass/fail status for each.

All Response Headers

View every HTTP response header returned by the server, displayed in a readable monospace format.

Response Time

Measure how long the server takes to respond, helping you spot slow endpoints at a glance.

Content-Type Detection

Identify the declared MIME type and charset in the Content-Type header to catch misconfiguration.

Cache Analysis

Inspect Cache-Control, ETag, and Expires headers to understand how content is cached by browsers and proxies.

How It Works

Three simple steps to inspect and evaluate any website's HTTP headers.

1. Enter a URL

Type or paste any URL into the input field. You can include or omit the protocol — the tool handles both.

2. Analyze Headers

The tool fetches the URL server-side and extracts all response headers, then evaluates each security header.

3. Review Security

Read the security score, check which headers are present or missing, and browse the full header dump.

Important Security Headers

These headers are checked against industry best practices to calculate the security score.

HSTS: Strict-Transport-Security
CSP: Content-Security-Policy
X-Frame: X-Frame-Options
X-CTO: X-Content-Type-Options
Referrer: Referrer-Policy
Permissions: Permissions-Policy
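
One way to turn the six headers above into a pass/fail result and a percentage score, added here as an illustration and not the tool's own code. The value checks, the equal weighting, the sample headers and the names score_headers, CHECKS and SAMPLE are assumptions.

```python
import re

# Value checks and equal weighting are assumptions for this example, not the tool's rules.
def _hsts_ok(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0   # max-age=0 switches HSTS off

def _csp_ok(value):
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:   # keep the first occurrence of each directive
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # script-src falls back to default-src; with neither, scripts are
    # unrestricted, which is modelled here as a wildcard source.
    src = directives.get("script-src", directives.get("default-src", ["*"]))
    src = [s.lower() for s in src]
    return "*" not in src and "'unsafe-inline'" not in src

def _referrer_ok(value):
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] != "unsafe-url"   # last listed policy applies

CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": _referrer_ok,
    "permissions-policy": lambda v: bool(v.strip()),
}

def score_headers(headers):
    """Return (percent, {header: "pass" | "weak" | "missing"})."""
    seen = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    results = {
        name: "missing" if name not in seen else ("pass" if check(seen[name]) else "weak")
        for name, check in CHECKS.items()
    }
    passed = sum(1 for r in results.values() if r == "pass")
    return round(100 * passed / len(CHECKS)), results

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Calling score_headers(SAMPLE) reports the CSP as weak because of 'unsafe-inline' and Permissions-Policy as missing, so a header being present is not enough to count as a pass.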


Frequently Asked Questions

Common questions about HTTP security headers and this tool.

1. What are HTTP security headers?

HTTP security headers are response headers that instruct browsers on how to behave when handling your site's content. They protect users from a range of attacks including cross-site scripting (XSS), clickjacking, and protocol downgrade attacks. Configuring them correctly is one of the easiest ways to improve a website's security posture.

2. What makes a good security score?

A score of 80% or above is considered good. This typically means the site has implemented the most critical headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. A perfect score requires all recommended headers to be present with appropriate values.

3. Why is HSTS important?

HTTP Strict Transport Security (HSTS) tells browsers to always connect to your site over HTTPS, even if the user types plain http:// in the address bar. This prevents protocol downgrade attacks and cookie hijacking on networks where traffic could be intercepted. Without HSTS, an attacker on the same network can force an insecure connection.

4. What does Content-Security-Policy do?

Content-Security-Policy (CSP) is a powerful header that controls which resources — scripts, styles, images, fonts, and more — are allowed to load on your page. A well-crafted CSP is one of the most effective defences against cross-site scripting (XSS) attacks, as it prevents unauthorized scripts from executing even if an attacker manages to inject them into your HTML.