HTTP Header Checker

Analyze HTTP response headers for security, performance, and SEO. Check for proper security headers like HSTS, CSP, and CORS configuration.

How it works: Enter a URL to fetch HTTP headers. We'll send a HEAD request to the server and analyze the response headers for security, performance, and best practices.


Understanding HTTP Headers

HTTP headers are key-value pairs sent by a server in response to an HTTP request. They provide metadata about the response and instructions to the client (browser) on how to handle the content.

Why check HTTP headers? HTTP headers control security, caching, content encoding, and many other aspects of web communication. Properly configured headers are essential for website security and performance.

Critical Security Headers

Content Security Policy (CSP)

CSP helps prevent cross-site scripting (XSS) attacks by telling the browser which sources (origins) of scripts, styles, images and other content it may load; the browser blocks anything else. It is a crucial security header for modern web applications.

HTTP Strict Transport Security (HSTS)

HSTS forces browsers to use HTTPS for all communication with the website, preventing downgrade attacks and cookie hijacking.

X-Frame-Options

Prevents clickjacking attacks by controlling whether a page can be embedded in an iframe, frame, or object.

X-Content-Type-Options

Prevents MIME type sniffing attacks by forcing browsers to respect the declared content type.

Referrer-Policy

Controls how much referrer information is included in requests, protecting user privacy.

Performance Headers

1. Cache-Control: Controls caching mechanisms for both requests and responses, reducing server load and improving page load times.

2. Content-Encoding: Specifies the compression algorithm used for the response body (e.g., gzip, br), reducing bandwidth usage.

3. ETag: Provides a validator for cache validation, allowing efficient cache updates when content changes.

How to Use This Tool

1. Enter a URL: Provide the full URL of the website you want to analyze (include https:// or http://).

2. Click "Check HTTP Headers": We'll send a HEAD request to the server and retrieve all response headers.

3. Review Results: Analyze the security score, check critical security headers, and examine all headers returned by the server.

4. Implement Recommendations: Use the analysis to improve your website's security and performance by implementing missing headers.

Note on CORS: Due to browser security restrictions (CORS policy), we may not be able to fetch headers from some websites directly. For those cases, we use a secure proxy server that respects privacy and doesn't store any data.

Frequently Asked Questions

Browsers only let a page read the headers of a cross-origin response if the server opts in through CORS (Cross-Origin Resource Sharing) headers; most websites do not, so the browser hides their headers from third-party pages like this one. Additionally, some servers may block HEAD requests. In such cases, we use a secure proxy to fetch the headers, but some websites may still block proxy requests.

A HEAD request asks for the same response as a GET request, but without the response body. It's more efficient for checking headers since we don't need to download the entire page content. However, some servers may not support HEAD requests, so you can switch to GET if needed.

The security score is calculated based on the presence and proper configuration of critical security headers. We check for headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and others. Each header contributes to the score based on its importance for web security.
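The HEAD-then-GET fetch and the header scoring described above, as an added Python example (this is not the tool's own code; the weights, the one-year HSTS threshold and the sample response headers are this example's own assumptions):

```python
import re
import urllib.error
import urllib.request

def hsts_ok(value):
    """HSTS counts as well configured when max-age is at least one year (assumed threshold)."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= 31536000

# (weight, "well configured" predicate) per header; weights are this example's choice.
CHECKS = {
    "strict-transport-security": (25, hsts_ok),
    "content-security-policy": (25, lambda v: "default-src" in v.lower()),
    "x-frame-options": (15, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": (15, lambda v: v.strip().lower() == "nosniff"),
    "referrer-policy": (10, lambda v: v.strip().lower() not in ("", "unsafe-url")),
    "cache-control": (10, lambda v: bool(v.strip())),
}

def analyze_headers(headers):
    """Return (score, findings): missing -> critical, weak -> warning (half weight), else good."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, findings = 0, {}
    for name, (weight, ok) in CHECKS.items():
        value = lower.get(name)
        if value is None:
            findings[name] = "critical"
        elif ok(value):
            findings[name] = "good"
            score += weight
        else:
            findings[name] = "warning"
            score += weight // 2
    return score, findings

def fetch_headers(url, timeout=10):
    """Send a HEAD request; retry with GET if the server rejects HEAD (405/501)."""
    for method in ("HEAD", "GET"):
        req = urllib.request.Request(url, method=method, headers={"User-Agent": "header-check-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return dict(resp.headers)
        except urllib.error.HTTPError as e:
            if e.code in (405, 501) and method == "HEAD":
                continue
            return dict(e.headers)  # error responses still carry headers worth analyzing
    return {}

# Constructed sample response: short HSTS max-age, CSP present, X-Frame-Options missing.
SAMPLE = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "max-age=0, must-revalidate",
}
```

Calling `analyze_headers(SAMPLE)` yields a score of 72 with HSTS flagged as a warning and X-Frame-Options as critical; `fetch_headers("https://example.com")` feeds a live response into the same function.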

Follow the recommendations in the Security Headers Analysis section. Implement missing security headers on your web server. For popular servers like Apache, Nginx, or cloud platforms like Cloudflare, you can find specific configuration instructions online. Start with the most critical headers like HSTS and CSP.

We respect user privacy. The URLs you check are not stored or logged. For websites that block direct requests, we use a secure proxy that doesn't retain any data. No personal information is collected during the header checking process.