HTTP Header Checker

Analyze HTTP response headers and security configuration. Check HSTS, CSP, X-Frame-Options, and other security headers.

What Are HTTP Headers?

HTTP headers are key-value pairs of metadata exchanged between web browsers and servers during every HTTP request and response. They're invisible to users but essential for the web to function properly. Headers control everything from content type and caching to authentication and security policies.

When you visit a website, your browser sends request headers (like which browser you're using, what languages you accept, and any cookies). The server responds with response headers (like content type, caching instructions, and security policies) along with the actual page content.

Security

Protect against XSS, clickjacking, and other attacks

Performance

Control caching and compression for faster loading

Content Info

Specify content type, encoding, and language

Authentication

Handle cookies, sessions, and access control

Essential Security Headers

Security headers are your first line of defense against common web attacks. Implementing them properly can protect your users from XSS, clickjacking, data injection, and other threats.

Strict-Transport-Security (HSTS)

Purpose: Forces browsers to only use HTTPS connections, preventing protocol downgrade attacks and cookie hijacking.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Directives:

  • max-age - Seconds the browser remembers to use HTTPS only (31536000 = 1 year)
  • includeSubDomains - Apply the policy to all subdomains
  • preload - Signals eligibility for browser preload lists; the domain must still be submitted at hstspreload.org

Content-Security-Policy (CSP)

Purpose: Controls which resources can be loaded, preventing XSS and data injection attacks.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'

Note: 'unsafe-inline' in script-src lets injected inline scripts run, so it largely negates CSP's XSS protection. Treat it as a starting point and move to nonces or hashes.

Common directives:

  • default-src - Fallback for all resource types
  • script-src - Allowed JavaScript sources
  • style-src - Allowed CSS sources
  • img-src - Allowed image sources
  • frame-ancestors - Origins allowed to embed this page (replaces X-Frame-Options)

X-Frame-Options

Purpose: Prevents your site from being embedded in iframes, protecting against clickjacking attacks.

X-Frame-Options: DENY

Options:

  • DENY - Never allow framing
  • SAMEORIGIN - Only allow same-origin framing
  • ALLOW-FROM uri - Allow specific origins (deprecated)

Note: CSP's frame-ancestors is the modern replacement.

X-Content-Type-Options

Purpose: Prevents browsers from MIME-sniffing, ensuring files are treated as their declared content type.

X-Content-Type-Options: nosniff

Why it matters:

  • Stops browsers from executing JavaScript disguised as images or other non-script files
  • Prevents MIME confusion attacks
  • Forces the browser to respect the declared Content-Type

Referrer-Policy

Purpose: Controls how much referrer information is sent when navigating to other sites.

Referrer-Policy: strict-origin-when-cross-origin

Common values:

  • no-referrer - Never send referrer
  • same-origin - Only send for same-origin requests
  • strict-origin-when-cross-origin - Recommended default

Permissions-Policy

Purpose: Controls which browser features and APIs can be used (formerly Feature-Policy).

Permissions-Policy: geolocation=(), camera=(), microphone=()

Controllable features:

  • geolocation - Location access
  • camera, microphone - Media devices
  • payment - Payment Request API
  • usb, bluetooth - Hardware access

Caching Headers

Proper caching headers improve performance by telling browsers and CDNs how to cache your content. This reduces server load and speeds up page loads for returning visitors.

Header        | Purpose                                                               | Example
------------- | --------------------------------------------------------------------- | -------
Cache-Control | Primary caching directive for both browsers and CDNs                  | Cache-Control: public, max-age=31536000
ETag          | Unique identifier for a specific version of a resource                | ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Last-Modified | Date the resource was last changed                                    | Last-Modified: Wed, 21 Oct 2023 07:28:00 GMT
Expires       | Date after which the resource is stale (legacy; prefer Cache-Control) | Expires: Thu, 01 Dec 2024 16:00:00 GMT
Vary          | Tells caches which request headers affect the response                | Vary: Accept-Encoding, Accept-Language

Cache-Control Directives

Response Directives
  • public - Can be cached by any cache
  • private - Only the browser can cache (not shared caches such as CDNs)
  • no-cache - Must revalidate with the server before using the cached copy
  • no-store - Never cache (sensitive data)
  • max-age=N - Cache for N seconds
  • s-maxage=N - Shared cache max age (CDN)
  • immutable - Content will never change during max-age, so browsers skip revalidation

Recommended Settings

Static assets (CSS, JS, images):

Cache-Control: public, max-age=31536000, immutable

HTML pages:

Cache-Control: no-cache

Sensitive data:

Cache-Control: no-store, private

Other Important Headers

Header                      | Type    | Description
--------------------------- | ------- | -----------
Content-Type                | Content | MIME type of the response (e.g., text/html; charset=utf-8)
Content-Encoding            | Content | Compression method used (e.g., gzip, or br for Brotli)
Content-Length              | Content | Size of the response body in bytes
Server                      | Info    | Web server software (consider hiding or genericizing it)
X-Powered-By                | Info    | Backend technology; remove it, since it tells attackers which stack to target
Set-Cookie                  | Auth    | Sets cookies with attributes like HttpOnly, Secure, SameSite
WWW-Authenticate            | Auth    | Authentication method required (Basic, Bearer, etc.)
Access-Control-Allow-Origin | CORS    | Which origins can access the resource in cross-origin requests

Security Header Grades

Here's how to interpret your security header score and what to prioritize:

70-100%

Good

Your site has most essential security headers. Fine-tune CSP and consider adding Permissions-Policy.

40-69%

Needs Work

Some headers are missing. Prioritize HSTS, X-Frame-Options, and X-Content-Type-Options.

0-39%

Poor

Critical security headers are missing. Your site may be vulnerable to common attacks.

How to Add Security Headers

Apache (.htaccess)

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
</IfModule>

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

Note: Nginx inherits add_header directives from the enclosing block only when the current block declares none of its own, so any location block that adds a header of its own must repeat the full set.

Cloudflare

Cloudflare provides easy security header configuration:

  1. Go to SSL/TLS → Edge Certificates for HSTS
  2. Use Transform Rules to add custom headers
  3. Or use a Cloudflare Worker for full control

PHP

<?php
// header() must be called before any output, including whitespace before the opening tag
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("X-Frame-Options: DENY");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: strict-origin-when-cross-origin");
?>

Common Mistakes to Avoid

Don't Do This:

  • Setting CSP too strict and breaking your own site
  • Using Access-Control-Allow-Origin: * with credentials
  • Exposing the server version in the Server header
  • Keeping the X-Powered-By header visible
  • Setting cookies without HttpOnly and Secure
  • Using short HSTS max-age values

Do This Instead:

  • Start with CSP in report-only mode, then enforce
  • Specify exact origins for CORS
  • Remove or genericize server information
  • Remove the X-Powered-By header entirely
  • Always use HttpOnly; Secure; SameSite=Strict
  • Use a max-age of at least 1 year (31536000)
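The grade bands above and the mistakes list can be turned into an offline checker. The following is an added example, not code from this page's tool: it parses a raw response header block and scores it on the page's 0-100% scale. The check names, the sample response and the nine-check weighting are this example's own assumptions.

```python
import re

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines of a raw response into a lowercase-keyed map."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and malformed lines
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> dict[str, bool]:
    """Run the checks from the grade and common-mistakes sections above."""
    h = parse_headers(raw)
    def first(name: str) -> str:
        return h.get(name, [""])[0].lower()
    hsts_age = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    csp = first("content-security-policy")
    script_src = re.search(r"(?:^|;)\s*script-src([^;]*)", csp)
    # Attribute names (after the cookie's own name=value) of every Set-Cookie header
    cookie_attrs = [{a.strip().lower().split("=")[0] for a in c.split(";")[1:]}
                    for c in h.get("set-cookie", [])]
    return {
        "hsts_one_year": bool(hsts_age) and int(hsts_age.group(1)) >= 31536000,
        "csp_present": bool(csp),
        "csp_no_unsafe_inline_scripts": bool(csp) and not (
            script_src and "'unsafe-inline'" in script_src.group(1)),
        "framing_restricted": first("x-frame-options") in ("deny", "sameorigin")
        or "frame-ancestors" in csp,
        "nosniff": first("x-content-type-options") == "nosniff",
        "referrer_policy": bool(first("referrer-policy")),
        "permissions_policy": bool(first("permissions-policy")),
        "no_x_powered_by": "x-powered-by" not in h,
        "cookies_hardened": all({"httponly", "secure", "samesite"} <= a for a in cookie_attrs),
    }

def score(results: dict[str, bool]) -> int:
    return round(100 * sum(results.values()) / len(results))  # page's 0-100% scale

def grade(pct: int) -> str:
    return "Good" if pct >= 70 else "Needs Work" if pct >= 40 else "Poor"

SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-Powered-By: Example/1.0
Set-Cookie: session=abc123; Path=/; HttpOnly
"""  # constructed sample, not a real capture; shows several of the listed mistakes
```

For the constructed sample only csp_present and nosniff pass, so score(audit(SAMPLE)) returns 22 and grade() reports Poor; a response with a one-year HSTS, frame-ancestors, nosniff, Referrer-Policy, Permissions-Policy, no X-Powered-By and fully attributed cookies scores 100.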

Testing and Monitoring

Security Headers

Scan and grade your security headers configuration.

securityheaders.com

Mozilla Observatory

Comprehensive security assessment from Mozilla.

observatory.mozilla.org

cURL

Check headers from the command line. Note that -I sends a HEAD request, and some servers answer HEAD with different headers than GET.

curl -I https://example.com

Frequently Asked Questions

What are HTTP headers?

HTTP headers are metadata sent between a client (browser) and server during HTTP requests and responses. They contain information about content type, caching policies, security settings, cookies, and more. Response headers from the server tell the browser how to handle the response.

What are security headers?

Security headers are HTTP response headers that enhance website security. Key headers include HSTS (forces HTTPS), CSP (prevents XSS), X-Frame-Options (prevents clickjacking), and X-Content-Type-Options (prevents MIME sniffing). These headers protect users from common web attacks.

What is HSTS?

HSTS is a security header that tells browsers to only connect to a website over HTTPS, even if the user types HTTP. This prevents man-in-the-middle attacks and SSL stripping. The recommended value is 'max-age=31536000; includeSubDomains' for a one-year policy.

What is Content Security Policy (CSP)?

Content Security Policy is a security header that controls which resources the browser can load. It helps prevent XSS attacks by specifying allowed sources for scripts, styles, images, and other resources. A proper CSP can significantly reduce the risk of code injection attacks.
