HTTP Header Checker
Inspect HTTP response headers for any URL. Analyze security headers, caching policies, CORS settings, and server configuration.
Security Header Audit
Understanding HTTP Response Headers
HTTP headers carry metadata about requests and responses. Security headers are especially important -- they instruct browsers how to handle your content and protect users from attacks.
Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. A strong CSP mitigates cross-site scripting (XSS), clickjacking, and data injection attacks by whitelisting trusted sources.
Strict-Transport-Security (HSTS)
Forces browsers to connect only via HTTPS for a specified duration. The includeSubDomains directive extends this to all subdomains, and preload signals that the domain may be submitted to the browser HSTS preload lists.
X-Frame-Options
Prevents your page from being embedded in iframes on other sites, protecting against clickjacking attacks. Use DENY to block all framing or SAMEORIGIN to allow same-origin only.
X-Content-Type-Options
When set to nosniff, prevents browsers from MIME-type sniffing. This stops the browser from interpreting files as a different content type than declared, reducing attack surface.
Referrer-Policy
Controls how much referrer information is sent with requests. strict-origin-when-cross-origin is a good default -- it sends only the origin for cross-origin requests but the full URL for same-origin requests.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation, etc.) your page can use. This limits the capabilities available to embedded content and your own scripts.
Cache-Control
Directs how browsers and CDNs cache responses. no-store prevents caching entirely. max-age sets how long (in seconds) a response is considered fresh.
Access-Control-Allow-Origin (CORS)
Specifies which origins can access the resource. A wildcard * allows any origin. For credentialed requests, you must specify the exact origin instead of a wildcard.
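The checks described above, run offline over a response header set, as an added example rather than the checker's own code. SAMPLE_HEADERS is a constructed response, and the one-year HSTS threshold is an assumption taken from the preload list requirement.

```python
from typing import Dict, List

# Constructed sample response headers (not a captured response): a mix of good and weak settings.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "max-age=600",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

# Assumed threshold: one year, the minimum the browser HSTS preload lists require.
MIN_HSTS_AGE = 31536000

def hsts_max_age(value: str) -> int:
    """Parse max-age=<seconds> out of an HSTS value; 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means everything passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "content-security-policy" not in h:
        findings.append("CSP: missing")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: missing")
    else:
        if hsts_max_age(hsts) < MIN_HSTS_AGE:
            findings.append("HSTS: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")
    # Browsers reject a wildcard origin on credentialed requests; flag the combination.
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: wildcard origin combined with credentials")
    return findings
```

Running audit_headers(SAMPLE_HEADERS) yields seven findings for the constructed response; a fully hardened header set returns an empty list.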