HTTP Header Checker
Paste HTTP response headers and get a security and best-practice analysis.
About the HTTP Header Checker
HTTP response headers control everything from browser caching to cross-origin resource sharing to clickjacking protection. Missing or misconfigured headers are one of the most common causes of security vulnerabilities and performance problems in web applications. This tool analyzes pasted headers against a comprehensive checklist.
Security Headers Explained
Strict-Transport-Security (HSTS) — forces browsers to always use HTTPS for your domain.
X-Frame-Options: DENY — prevents your page from being embedded in an iframe (protects against clickjacking).
Content-Security-Policy (CSP) — specifies which sources of scripts, styles, and media the browser should trust.
X-Content-Type-Options: nosniff — prevents browsers from MIME-type sniffing.
Referrer-Policy — controls how much referrer information is sent with requests.
Permissions-Policy — restricts access to browser APIs like camera, microphone, and geolocation.
Caching Headers
Cache-Control — the primary caching directive. Use max-age=31536000, immutable for versioned static assets (CSS/JS with content hashes). Use no-cache for HTML files so browsers always validate freshness.
ETag — fingerprint of the response; enables conditional requests.
Last-Modified — timestamp for cache validation.
CORS Headers
Access-Control-Allow-Origin — specifies which origins can read the response cross-origin. Use specific origins (https://app.example.com) rather than * for credentialed requests.
Access-Control-Allow-Methods — lists allowed HTTP methods for preflight.
Access-Control-Allow-Headers — lists allowed request headers.
How to Inspect Headers
Browser DevTools → Network tab → click any request → Headers section.
Or use cURL: curl -I https://example.com (sends a HEAD request and prints only the response headers), or curl -sv -o /dev/null https://example.com 2>&1 | grep '^<' (performs a full GET, discards the body, and keeps the response-header lines, which curl marks with a leading '<').
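The following is an added example, not the checker tool's own code, showing how the security, caching and CORS checks described above can be applied to a pasted header block of the kind curl -I or curl -v prints. Both header blocks are constructed samples; the severity labels, the one-year HSTS threshold and the rule that an HTML response should carry no-cache or no-store are my own choices for the example, not something the tool defines.

```python
"""Minimal HTTP response header checker (added example, not the tool's code).

Input is a pasted header block as printed by `curl -I`, or by `curl -v`
(whose response-header lines start with "< ").  Findings follow the
checklist on this page: security headers, caching, CORS.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a weakly configured HTML response.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: ExampleServer/1.0
"""

# Constructed sample: the same response with the headers corrected.
HARDENED_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
ETag: "7c0f3a"
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Access-Control-Allow-Origin: https://app.example.com
"""

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse raw headers into a dict keyed by lower-cased name.

    Skips the status line and blank lines, strips curl -v's "< " prefix,
    and joins repeated headers with ", " (HTTP list-field semantics).
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("<"):
            line = line[1:].strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_headers(h: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (severity, header, message) findings for a parsed header dict."""
    f: List[Tuple[str, str, str]] = []
    # Security headers
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f.append(("HIGH", "Strict-Transport-Security", "missing; HTTPS not enforced"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            f.append(("MEDIUM", "Strict-Transport-Security", "max-age below one year"))
    csp = h.get("content-security-policy", "")
    if not csp:
        f.append(("HIGH", "Content-Security-Policy", "missing; script sources unrestricted"))
    elif "'unsafe-inline'" in csp:
        f.append(("MEDIUM", "Content-Security-Policy", "allows 'unsafe-inline'"))
    # CSP frame-ancestors supersedes X-Frame-Options in modern browsers
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        f.append(("HIGH", "X-Frame-Options", "missing or not DENY/SAMEORIGIN; page can be framed"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append(("LOW", "X-Content-Type-Options", "should be nosniff"))
    if "referrer-policy" not in h:
        f.append(("LOW", "Referrer-Policy", "missing; browser default applies"))
    if "permissions-policy" not in h:
        f.append(("LOW", "Permissions-Policy", "missing; browser APIs unrestricted"))
    # Caching
    cc = h.get("cache-control", "").lower()
    if "text/html" in h.get("content-type", "").lower() and not ({"no-cache", "no-store"} & set(re.split(r"[,\s]+", cc))):
        f.append(("INFO", "Cache-Control", "HTML without no-cache; may be served stale"))
    if "etag" not in h and "last-modified" not in h:
        f.append(("INFO", "ETag/Last-Modified", "no validator; conditional requests impossible"))
    # CORS
    acao = h.get("access-control-allow-origin", "")
    if acao == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        f.append(("HIGH", "Access-Control-Allow-Origin", "wildcard with credentials; browsers reject this, use a specific origin"))
    elif acao == "*":
        f.append(("INFO", "Access-Control-Allow-Origin", "wildcard; any origin may read the response"))
    return f


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for label, block in (("weak", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = check_headers(parse_headers(block))
        print(f"{label}: {summarize(findings)}")
        for sev, name, msg in findings:
            print(f"  [{sev}] {name}: {msg}")
```

Run it as a script and it prints eight findings for the weak sample and none for the hardened one; to check a live site, paste the output of curl -I into a file and pass its contents to parse_headers. The X-Frame-Options check deliberately stays quiet when CSP carries frame-ancestors, since that directive replaces the older header in current browsers.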