HTTP Headers Checker
Inspect HTTP response headers for any URL — status codes, redirects, security headers, caching, server info.
What are HTTP Headers?
HTTP headers are metadata sent between a browser (client) and web server with every request and response. They are invisible to users but contain critical information: what content type is being sent, how long to cache it, security policies, cookies, and more.
Important Security Headers
| Header | Purpose |
|---|---|
| Strict-Transport-Security | Forces HTTPS connections (HSTS) |
| Content-Security-Policy | Prevents XSS and injection attacks |
| X-Frame-Options | Prevents clickjacking via iframes |
| X-Content-Type-Options | Prevents MIME type sniffing |
| Referrer-Policy | Controls referrer information sent |
| Permissions-Policy | Restricts browser feature access |
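As an added example (not this tool's own code), the following Python audits a raw response head for the six headers in the table above and flags values that are present but ineffective. The sample response, the function names and the finding strings are constructed for illustration.

```python
import re

REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Frame-Options", "X-Content-Type-Options",
            "Referrer-Policy", "Permissions-Policy")  # from the table above

# Constructed sample response head (not captured from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=0
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

def parse_headers(raw):
    """Return (status_code, {lowercased name: [values]}) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])      # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                            # header names are case-insensitive
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit(raw):
    """Map each required header to 'ok', 'missing' or a 'weak: ...' finding."""
    status, headers = parse_headers(raw)
    findings = {}
    for name in REQUIRED:
        values = headers.get(name.lower())
        if not values:
            findings[name] = "missing"
            continue
        value, findings[name] = values[0].lower(), "ok"
        if name == "Strict-Transport-Security":
            m = re.search(r'max-age\s*=\s*"?(\d+)', value)
            if not m or int(m.group(1)) == 0:   # max-age=0 removes the HSTS entry
                findings[name] = "weak: max-age absent or 0"
        elif name == "X-Content-Type-Options" and value != "nosniff":
            findings[name] = "weak: value is not nosniff"
        elif name == "X-Frame-Options" and value not in ("deny", "sameorigin"):
            findings[name] = "weak: value is not DENY or SAMEORIGIN"
    return status, findings

if __name__ == "__main__": print(audit(SAMPLE))
```

The audit only checks presence and a few well-defined values; a Content-Security-Policy that is present still needs its directives reviewed by hand.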
Frequently Asked Questions
HTTP headers are key-value pairs transmitted with every HTTP request and response. Response headers tell the browser how to handle the content — what type it is, how long to cache it, what security policies apply, and whether to follow a redirect. They're invisible to normal users but essential for developers and security teams.
200 OK — success. 301/302 — redirect (301 is permanent, 302 temporary). 400 — bad request. 401 — authentication required. 403 — forbidden. 404 — not found. 500 — server error. 503 — service unavailable. For SEO, always use 301 for permanent redirects and ensure pages return 200.
Security headers protect against common attacks. Missing HSTS means users can be downgraded to HTTP. Missing CSP leaves you vulnerable to XSS. Missing X-Frame-Options allows clickjacking. Sites with strong security headers score better in security audits and build user trust.