HTTP Header Inspector

Inspect any URL's response headers and security policy. Check HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy plus Server, Content-Type, Cache-Control in one click.

Enter a public URL. Our server fetches it once and returns the response headers only: no body, no JavaScript execution.

What to look for

Modern sites use response headers to harden the browser against attacks. Strict-Transport-Security tells the browser to use HTTPS for every later request to the host, for as long as max-age says. Content-Security-Policy limits which scripts, frames and other resources may load. X-Frame-Options (or the frame-ancestors directive in CSP) stops other origins from framing the page, which is the basis of clickjacking. X-Content-Type-Options: nosniff stops the browser guessing a different content type than the one declared. Server and X-Powered-By give away software names and versions, so many sites strip them. The status code, redirect chain and final URL also reveal a lot about how a site is set up.


Frequently asked questions

What's a good security header score?

A modern site should ship at least HSTS, CSP, X-Frame-Options or frame-ancestors in CSP, X-Content-Type-Options: nosniff, and a Referrer-Policy. Permissions-Policy is increasingly expected.
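The checks described under "What to look for" and in the answer above, as an added Python example that is not the inspector's own code. It audits a response's headers the way a reviewer would by hand: HSTS present with a max-age of at least a year, CSP present, framing controlled by either X-Frame-Options or a CSP frame-ancestors directive, nosniff set, Referrer-Policy and Permissions-Policy present, and no version string in Server or X-Powered-By. The two header sets are constructed for the example, not captured from any real site; fetch_headers is an assumed helper showing one way to retrieve headers without a body and is not called by the audit.

```python
"""Audit HTTP response security headers (added example, not the tool's own code)."""
import urllib.request
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def csp_has_frame_ancestors(csp: str) -> bool:
    """True if the CSP carries a frame-ancestors directive, which supersedes X-Frame-Options."""
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def audit_headers(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (passes, findings) for one response's headers."""
    h = normalise(headers)
    passes: List[str] = []
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age below one year: {hsts}")
    else:
        passes.append("HSTS")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        passes.append("CSP")

    # Either mechanism is acceptable for clickjacking protection.
    if "x-frame-options" in h or (csp is not None and csp_has_frame_ancestors(csp)):
        passes.append("framing control")
    else:
        findings.append("no X-Frame-Options and no frame-ancestors in CSP (clickjacking)")

    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        passes.append("X-Content-Type-Options")
    else:
        findings.append("X-Content-Type-Options is not 'nosniff'")

    for name, label in (("referrer-policy", "Referrer-Policy"),
                        ("permissions-policy", "Permissions-Policy")):
        if name in h:
            passes.append(label)
        else:
            findings.append(f"missing {label}")

    # A bare product name ("cloudflare") is fine; a digit suggests a version leak.
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"{name} discloses a version: {value}")

    return passes, findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Assumed helper: HEAD request returns headers without a body (redirects followed).
    Some origins answer HEAD differently from GET, so a real inspector may prefer GET
    and discard the body. Not executed in this example."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses for the example, not captured from any real site.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Server": "cloudflare",
}
LEAKY = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("leaky", LEAKY)):
        passes, findings = audit_headers(hdrs)
        print(f"{label}: {len(passes)} pass, {len(findings)} findings")
        for finding in findings:
            print("  -", finding)
```

The hardened set produces no findings even though it has no X-Frame-Options, because frame-ancestors in the CSP covers framing; the leaky set fails every check and flags both version banners.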

My site has none of those headers. Is that bad?

It is a missed opportunity, not always an emergency. Add HSTS first to lock the site to HTTPS, but only once every host it covers serves valid HTTPS, and start with a short max-age before raising it to a year, because browsers honour it for the full period even if you later need to back out. Then add a strict Referrer-Policy and X-Content-Type-Options: nosniff, which are cheap and rarely break anything. CSP is the strongest defence but takes the most planning: roll it out in Content-Security-Policy-Report-Only mode first to see what it would block.

Why is the Server header redacted on some sites?

Mature sites strip Server and X-Powered-By so that attackers cannot match the exact software version against known exploits. Cloudflare and other CDN-fronted origins often replace the value with the CDN's own name, such as "cloudflare", or remove it entirely. Hiding the banner does not fix the underlying software, so patching still matters; it only removes an easy fingerprint.
