Inspect every HTTP response header from any URL. View security headers, caching directives, server info, and CORS headers — grouped and colour-coded. Single URL or bulk check up to 50 URLs with CSV export.
Fetches live response headers exactly as your server sends them — no caching.
Switch between Single and Bulk mode. In Single mode enter any full URL. In Bulk mode paste up to 50 URLs one per line. Both modes fetch real live server headers.
Headers are grouped into four categories: Security (CSP, HSTS, X-Frame-Options), Performance (Cache-Control, ETag, compression), Server Info (Server, X-Powered-By), and CORS. Each header shows its value and an explanation.
Click Copy as JSON to grab all headers for your records. In Bulk mode download a CSV showing all headers across all URLs. Headers that leak sensitive server information are flagged as warnings.
HTTP response headers are key-value pairs sent by the server alongside every page response. They control browser behaviour — telling browsers how to cache content, which security policies to apply, what content type the response is, and many other instructions. They are invisible to regular users but critical for security, performance and SEO.
The most important security headers are: Content-Security-Policy (prevents XSS), Strict-Transport-Security (forces HTTPS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls referrer leakage), and Permissions-Policy (restricts browser features).
The X-Powered-By header reveals your server technology (e.g. PHP/8.1.2, ASP.NET). Attackers use this information to target known vulnerabilities in specific framework versions. Best practice is to remove this header entirely: it provides no benefit to users and weakens your security posture.
Cache-Control tells browsers and CDNs how long to cache a response. A missing or misconfigured Cache-Control header can cause browsers to cache sensitive pages (like authenticated user pages) or force users to re-download static assets on every visit. The first scenario hurts security, the second hurts performance.
Use Bulk mode — paste up to 50 URLs one per line and click Check. The tool fetches headers for all URLs simultaneously and returns a comparison table. This is useful for verifying that security headers are consistently applied across your homepage, checkout, login, and API endpoints.
CORS (Cross-Origin Resource Sharing) headers control which external domains can make requests to your server. The Access-Control-Allow-Origin header is the key one. Setting it to * (wildcard) allows any website to make requests to your API — which may be intentional for public APIs but a security risk for authenticated endpoints.
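The grouping and warning logic described above, as an added example that is not the tool's own code: it takes a captured set of response headers (the sample below is constructed, not from any real server), sorts them into the four groups, and flags missing security headers, technology-leaking headers, a wildcard CORS origin, and a cookie-setting response that is still cacheable.

```python
# Added example (not the tool's own code): group a captured set of HTTP
# response headers the way the page describes and flag the findings a
# practitioner would look for in them.
SECURITY = {"content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy"}
PERFORMANCE = {"cache-control", "etag", "expires", "content-encoding", "vary"}
SERVER_INFO = {"server", "x-powered-by"}

def bucket(key):
    """Name the group a lower-cased header name belongs to."""
    if key in SECURITY:
        return "security"
    if key in PERFORMANCE:
        return "performance"
    if key in SERVER_INFO:
        return "server"
    if key.startswith("access-control-"):
        return "cors"
    return "other"

def classify(headers):
    """Group headers by bucket; names lower-cased since they are case-insensitive."""
    groups = {}
    for name, value in headers.items():
        groups.setdefault(bucket(name.lower()), {})[name.lower()] = value
    return groups

def audit(headers):
    """Return warning strings: missing security headers, leaks, risky CORS/caching."""
    g = classify(headers)
    sec, srv, cors, perf = (g.get(k, {}) for k in ("security", "server", "cors", "performance"))
    warnings = [f"missing security header: {h}" for h in sorted(SECURITY - set(sec))]
    warnings += [f"{k} leaks server technology: {v}" for k, v in sorted(srv.items())]
    if cors.get("access-control-allow-origin") == "*":
        creds = cors.get("access-control-allow-credentials", "").lower() == "true"
        warnings.append("wildcard Access-Control-Allow-Origin"
                        + (" with credentials" if creds else " (public APIs only)"))
    if "set-cookie" in g.get("other", {}) and "no-store" not in perf.get("cache-control", "").lower():
        warnings.append("response sets a cookie but Cache-Control lacks no-store")
    return warnings

# Constructed sample headers (not from any real server).
SAMPLE = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/8.1.2",
    "Cache-Control": "public, max-age=3600",
    "Set-Cookie": "session=abc123; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
```

Calling `audit(SAMPLE)` returns nine warnings for the sample: five missing security headers, two technology leaks, the wildcard CORS origin combined with credentials, and the cacheable cookie-setting response.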