HTTP Headers
Inspect response headers, status code, and body for any CORS-enabled URL.
Your browser fetches the URL directly. No data passes through our servers.
About this tool
1. Enter a URL: Type or paste the full URL of the website you want to inspect.
2. Send the request: Click Fetch to send a HEAD or GET request and retrieve the response headers.
3. Review headers: All response headers are displayed in a table with explanations for common ones.
4. Check security: Security-related headers are flagged with recommendations for best practices.
- Look for Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options for security assessment.
- Check Cache-Control and Expires headers to understand how a site handles browser caching.
- Missing security headers are flagged; use the suggestions to harden your own site.
- Compare headers between HTTP and HTTPS versions of the same URL.
- Fetches and displays all HTTP response headers from any public URL
- Plain-language explanations for common headers
- Security header audit with pass/fail indicators
- Highlights caching, CORS, and content-type headers
- Shows redirect chain and final destination URL
- Audit your website security headers before a penetration test
- Debug CORS issues by checking Access-Control-Allow-Origin headers
- Verify that caching headers are set correctly for static assets
- Check if a CDN is serving the correct headers after configuration changes
Some servers only send certain headers for specific request types or authenticated sessions. Also, CORS restrictions may prevent the browser from exposing some headers.
This tool sends GET or HEAD requests to inspect response headers. For POST/PUT testing, use the cURL builder or a tool like Postman.
At minimum: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
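A pass/fail audit of that minimum set, as an added example (not this tool's own code), run over a raw header block captured outside the browser, for example with `curl -I`, since a cross-origin browser fetch only exposes headers the server lists in Access-Control-Expose-Headers. The per-header value checks and the sample response are assumptions constructed for illustration.

```javascript
// Value checks for the five headers the page lists as the minimum set.
// Each check returns null when the value is acceptable, else a reason string.
// These rules are this example's assumptions, not the tool's own logic.
const REQUIRED = {
  "strict-transport-security": (v) => {
    const m = /max-age="?(\d+)/i.exec(v);
    return m && Number(m[1]) > 0 ? null : "max-age missing or zero";
  },
  "content-security-policy": (v) => (v.trim() ? null : "empty policy"),
  "x-content-type-options": (v) =>
    v.trim().toLowerCase() === "nosniff" ? null : "value should be nosniff",
  "x-frame-options": (v) =>
    /^(deny|sameorigin)$/i.test(v.trim()) ? null : "use DENY or SAMEORIGIN",
  "referrer-policy": (v) => (v.trim() ? null : "empty policy"),
};

// Parse "Name: value" lines; header names are case-insensitive, so lowercase them.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // skips the status line and blank lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

function auditSecurityHeaders(raw) {
  const headers = parseHeaders(raw);
  return Object.entries(REQUIRED).map(([header, check]) => {
    if (!headers.has(header)) return { header, status: "fail", note: "missing" };
    const problem = check(headers.get(header));
    return { header, status: problem ? "fail" : "pass", note: problem || "ok" };
  });
}

// Constructed sample response: HSTS disabled, no CSP, invalid X-Frame-Options.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Strict-Transport-Security: max-age=0",
  "X-Content-Type-Options: nosniff",
  "X-Frame-Options: ALLOWALL",
  "Referrer-Policy: strict-origin-when-cross-origin",
].join("\r\n");

for (const r of auditSecurityHeaders(SAMPLE)) console.log(r.status.toUpperCase(), r.header, "-", r.note);
```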