HTTP Header Checker

Enter any URL to see its HTTP response headers and a quick review of the security headers every site should be sending.

Why HTTP headers matter

Every response a web server sends carries headers — metadata describing the content, caching rules and, importantly, the browser's security policy. A handful of these headers harden a site against common attacks, yet they're easy to forget.

The headers we check

  • Strict-Transport-Security — forces browsers to use HTTPS on every future visit.
  • Content-Security-Policy — restricts where scripts, styles and other resources may load from, the strongest defence against XSS.
  • X-Content-Type-Options — set to nosniff to stop browsers guessing content types.
  • X-Frame-Options / CSP frame-ancestors — stop your pages being embedded in a malicious frame (clickjacking).
  • Referrer-Policy — controls how much of the URL is shared when users click away.
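
The checks in the list above, written out as an added Python example (it is not this tool's own code). The function name, the ok/weak/missing grades and the sample headers are assumptions made for illustration.

```python
import re

def review_security_headers(headers):
    """Grade the five headers from the list: 'ok', 'weak' or 'missing'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out = {}

    # HSTS: a max-age of 0 tells the browser to drop the policy.
    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    out["Strict-Transport-Security"] = (
        "missing" if hsts is None else "ok" if m and int(m.group(1)) > 0 else "weak")

    # CSP: parse "name value value; name value" into {name: [values]}.
    csp = h.get("content-security-policy")
    d = {}
    for part in (csp or "").split(";"):
        if part.split():
            d.setdefault(part.split()[0].lower(), [s.lower() for s in part.split()[1:]])
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    src = d.get("script-src", d.get("default-src"))
    pinned = any(s.startswith(("'nonce-", "'sha")) for s in src or [])
    loose = src is None or "*" in src or ("'unsafe-inline'" in src and not pinned)
    out["Content-Security-Policy"] = "missing" if csp is None else "weak" if loose else "ok"

    # nosniff is the only defined value.
    xcto = h.get("x-content-type-options")
    out["X-Content-Type-Options"] = (
        "missing" if xcto is None else "ok" if xcto.lower() == "nosniff" else "weak")

    # Framing: either header is enough. ALLOW-FROM is obsolete, so it counts as weak.
    xfo = h.get("x-frame-options")
    fa = d.get("frame-ancestors")
    if (xfo or "").upper() in ("DENY", "SAMEORIGIN") or (fa is not None and "*" not in fa):
        out["Framing"] = "ok"
    else:
        out["Framing"] = "missing" if xfo is None and fa is None else "weak"

    # Referrer-Policy may list fallbacks; the last entry the browser understands wins.
    rp = h.get("referrer-policy")
    last = (rp or "").split(",")[-1].strip().lower()
    out["Referrer-Policy"] = (
        "missing" if rp is None else "weak" if last in ("", "unsafe-url") else "ok")
    return out

# Constructed sample response headers (not taken from any real site).
SAMPLE = {"strict-transport-security": "max-age=0", "X-Content-Type-Options": "nosniff",
          "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
          "X-Frame-Options": "ALLOW-FROM https://example.com"}
```

A header that is present but graded weak is the case a presence-only check misses: the sample sends Strict-Transport-Security and Content-Security-Policy, yet neither is doing its job.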