Analyze HTTP Response Headers
What are HTTP headers?
HTTP headers are the core part of HTTP requests and responses. They carry essential information about the client browser, the requested page, the server, and the connection. When you visit a website, headers are passed back and forth invisibly.
Security Headers
Modern web applications use specific security headers like Content-Security-Policy and Strict-Transport-Security to protect users from vulnerabilities like Clickjacking and Cross-Site Scripting (XSS). This tool instantly checks for their presence.
Frequently Asked Questions
What HTTP headers does this tool check?
It fetches all response headers: status code, Content-Type, Cache-Control, security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options), Server, and any other headers returned by the server.
Why does the tool need a server to fetch headers?
Browsers block direct JavaScript cross-origin requests due to CORS restrictions. The tool uses a lightweight server-side proxy to fetch the headers and return them. Your input URL is not stored.
Can I check any URL?
Any publicly accessible URL can be checked. Private or intranet URLs that require authentication or a VPN will not be reachable from the proxy.
What is HSTS and why does it matter?
HSTS (HTTP Strict Transport Security) tells browsers to only connect over HTTPS for a defined period. Missing HSTS leaves the site vulnerable to downgrade attacks on first connection.
What is Content-Security-Policy?
CSP restricts which scripts, styles, and resources a browser can load on a page, reducing the risk of XSS attacks. Its absence is a common finding in security audits.