
HTTP Headers Viewer

Inspect every HTTP response header for any URL, get a security grade, and see plain-English explanations of caching, CORS and security headers.

All response headers · Security grade A–F · Cache-Control explained · CORS headers · Redirect following · Server fingerprint

Free · No credit card · 50 credits/day

Key security headers checked

Header                      | Protects against
Strict-Transport-Security   | Forces HTTPS; prevents SSL stripping attacks
Content-Security-Policy     | XSS, data injection, inline script execution
X-Frame-Options             | Clickjacking — prevents your page being iframed
X-Content-Type-Options      | MIME type sniffing that can enable XSS
Referrer-Policy             | Referrer header leaking sensitive URL paths
Permissions-Policy          | Restricts access to camera, microphone, geolocation
Cross-Origin-Opener-Policy  | Spectre/side-channel attacks via shared browsing context

Frequently asked questions

Which HTTP headers matter most for security?

The most important: Strict-Transport-Security (HSTS) to enforce HTTPS; Content-Security-Policy (CSP) to prevent XSS; X-Frame-Options to prevent clickjacking; X-Content-Type-Options: nosniff to prevent MIME sniffing; Referrer-Policy to control referrer leakage; and Permissions-Policy to restrict browser features.

What is HSTS preloading?

HSTS tells browsers to always use HTTPS for your domain. Preloading hardcodes your domain into browsers so they never make an HTTP request even on first visit. To qualify, serve HSTS with max-age >= 31536000, includeSubDomains, and the preload directive, then submit to the HSTS preload list.

What does Cache-Control: no-store mean?

Cache-Control: no-store means the response must not be stored anywhere — not in browser cache, not in proxy caches. It is the strongest cache-prevention directive, used for sensitive data. Compare to no-cache (can store but must revalidate) and private (can store in browser but not shared proxies).

What is content-type sniffing and how does X-Content-Type-Options prevent it?

MIME sniffing is when a browser ignores the declared Content-Type and guesses the file type. This can be exploited: an attacker uploads HTML disguised as a JPEG; the browser sniffs and renders it as HTML, enabling XSS. X-Content-Type-Options: nosniff tells the browser to trust only the declared Content-Type.
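The checks described in the table above and in the HSTS, Cache-Control and nosniff answers can be expressed as a small grader. The following is an added example, not the tool's own code: it takes a response-header dictionary (constructed sample responses are embedded inline), reports which of the seven listed headers are missing, checks the three HSTS preload requirements quoted above (max-age >= 31536000, includeSubDomains, preload), classifies Cache-Control into the no-store / no-cache / private cases, and verifies that X-Content-Type-Options is exactly nosniff. The letter-grade scale (one letter per missing header) is an assumption for illustration; the page does not describe how its own grade is computed.

```python
"""Added example: minimal security-header grader (not the tool's own code).

Header names and directives follow the table and FAQ on the page; the
A-F scale below (one letter per missing header) is a constructed assumption.
"""
from typing import Dict, List, Tuple

# The seven headers the page lists, with the threat each addresses.
SECURITY_HEADERS = {
    "strict-transport-security": "forces HTTPS; prevents SSL stripping",
    "content-security-policy": "XSS, data injection, inline script execution",
    "x-frame-options": "clickjacking via iframing",
    "x-content-type-options": "MIME type sniffing",
    "referrer-policy": "referrer leaking sensitive URL paths",
    "permissions-policy": "camera, microphone, geolocation access",
    "cross-origin-opener-policy": "Spectre/side-channel via shared browsing context",
}

HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the preload threshold quoted in the FAQ


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'a=1; b' or 'a, b=1' into a lowercase dict; bare flags map to ''."""
    out: Dict[str, str] = {}
    for part in value.replace(";", ",").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def hsts_preload_eligible(value: str) -> Tuple[bool, List[str]]:
    """Check the three preload-list requirements from the FAQ."""
    d = parse_directives(value)
    problems: List[str] = []
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_PRELOAD_MIN_AGE:
        problems.append(f"max-age {max_age} < {HSTS_PRELOAD_MIN_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return (not problems, problems)


def classify_cache_control(value: str) -> str:
    """Map Cache-Control to the three cases the FAQ contrasts (strongest wins)."""
    d = parse_directives(value)
    if "no-store" in d:
        return "no-store: never stored, in browser or proxy"
    if "no-cache" in d:
        return "no-cache: may be stored, must revalidate before reuse"
    if "private" in d:
        return "private: browser cache only, not shared proxies"
    return "cacheable: no restricting directive"


def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (letter grade, findings) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    missing = 0
    for name, reason in SECURITY_HEADERS.items():
        if name not in h:
            missing += 1
            findings.append(f"missing {name} ({reason})")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    if "strict-transport-security" in h:
        ok, problems = hsts_preload_eligible(h["strict-transport-security"])
        if not ok:
            findings.append("HSTS not preload-eligible: " + "; ".join(problems))
    if "cache-control" in h:
        findings.append("cache: " + classify_cache_control(h["cache-control"]))
    grade = "ABCDEF"[min(missing, 5)]  # constructed scale, A = nothing missing
    return grade, findings


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cache-Control": "no-store",
}
WEAK = {"Server": "example/1.0", "Strict-Transport-Security": "max-age=300",
        "Cache-Control": "private, max-age=0"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        grade, findings = grade_headers(hdrs)
        print(f"{label}: grade {grade}")
        for f in findings:
            print("  -", f)
```

Run it as a script to see both constructed responses graded; feed `grade_headers` the header dictionary from any HTTP client to apply it to a real response.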

Related security tools

Deeper header and security analysis.

Security Headers Checker

Focused security header analysis — grade and actionable recommendations for each header.

CORS Tester

Test CORS preflight and response headers for any API endpoint.

API Request Tester

Send custom HTTP requests and inspect the full response including all headers.

Inspect any site's headers now

Free account. 50 credits per day. Access to 75+ tools instantly.
