§ · free tool

HTTP headers checker. Paste, audit, fix.

Paste raw HTTP response headers from curl -I or browser DevTools. We classify each header, audit caching + security + compression, surface what's missing, and grade the overall header configuration. Browser-only.

Paste HTTP response headers from curl -I https://example.com or browser DevTools (Network tab, response headers). The tool classifies every header, audits caching + security + compression + server-fingerprint groups, and surfaces what's missing. Browser-only.

How do I get my response headers?
  1. curl: curl -I https://example.com sends a HEAD request and prints only the status line and response headers; curl -ILv https://example.com also follows redirects and shows the verbose exchange. Some servers route HEAD differently from GET (a 405, or a response without the CSP you set on pages), so the more faithful capture is curl -s -o /dev/null -D - https://example.com, which makes a real GET and dumps only the response headers.
  2. Browser DevTools: open the page, F12 → Network tab → click the document request → Headers panel → copy the Response Headers block
  3. Postman / Insomnia: send a HEAD or GET request, copy the response headers from the headers tab

Pasting the entire curl -v output also works — we extract the response-header block automatically.


Privacy: header parsing happens in your browser. Nothing is sent or logged.

§ 02 · modern security headers

Six headers. Two are non-negotiable.

Strict-Transport-Security (HSTS). The single most-impactful header. Without it, any plain-HTTP navigation to your domain (a typed hostname, an old http:// bookmark, a link on another site) can be intercepted by an attacker on the network path (public WiFi, a malicious ISP, a compromised router) and kept on HTTP while they proxy to your real site. With HSTS, once the browser has seen the header it upgrades every later request to HTTPS for the duration of max-age and refuses to click through certificate errors. The very first visit is still exposed; that is the gap the preload list closes. Modern best practice: max-age=63072000; includeSubDomains; preload, served on every HTTPS response, then submit to hstspreload.org for inclusion in the browser-built-in preload list.

Content-Security-Policy (CSP). The strongest XSS protection layer. Even if an attacker gets a script tag into your HTML (via stored XSS, a compromised third-party script), the browser refuses to execute it unless the policy allows its source, or it carries the nonce or hash the policy names. The catch: CSP is hard to author correctly; every third-party script, every inline style, every embedded video must be explicitly allowed. For a simple marketing site, start with default-src 'self' (which already blocks inline scripts and styles) and add exceptions as you find broken pages. For a complex app, build a strict policy around per-response nonces or build-time hashes plus 'strict-dynamic', per Google's CSP guide.

X-Content-Type-Options. One value, always: nosniff. Stops browsers from MIME-sniffing, i.e. guessing a content type from the bytes instead of trusting Content-Type. Without it, a response you serve as text/plain or as an image can be interpreted as HTML if the bytes look like markup, which turns a file-upload endpoint into an XSS vector; with nosniff, a <script> or stylesheet whose response does not carry a JavaScript or CSS MIME type is refused outright. Cheap to set, and the audit treats it as mandatory.

X-Frame-Options or CSP frame-ancestors. Clickjacking protection: stops your pages being loaded in an iframe on an attacker's site, where an invisible frame is positioned over a decoy so the victim's clicks land on your buttons. SAMEORIGIN for most sites; DENY for sites that should never be framed (banking, account management). When a CSP with frame-ancestors is present, browsers ignore X-Frame-Options entirely, and frame-ancestors can also express an allowlist of origins, which X-Frame-Options cannot (ALLOW-FROM is obsolete and ignored).

Referrer-Policy. Controls how much of the current URL is sent in the Referer header on outbound navigations and subresource requests. The legacy default, no-referrer-when-downgrade, sent the full URL including path and query to other origins; current browsers default to strict-origin-when-cross-origin, but set it explicitly so older clients and embedded webviews behave the same. Recommendation: strict-origin-when-cross-origin (just the origin to cross-origin destinations, nothing on an HTTPS-to-HTTP downgrade), or no-referrer / same-origin if your URLs ever carry tokens or identifiers.

Permissions-Policy. Restricts which browser features the page and its frames may use. geolocation=(), camera=(), microphone=() (comma-separated, one entry per feature, an empty allowlist meaning nobody) denies all three to every script and every iframe on the page, including third-party ones. Critical for sites that embed third-party widgets where you don't want those widgets requesting hardware access.
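The verdict logic for four of the six headers above, as an added example (this is not the checker's source code). It assumes a plain object of lowercase header name to value string, the shape any header parser would hand over; the verdict strings and the ONE_YEAR preload threshold are this example's own choices. CSP and framing need directive-level parsing and are not covered here.

```javascript
// Added example, not the checker's source. Input: { "lowercase-name": "value" }.
const ONE_YEAR = 31536000; // hstspreload.org minimum max-age

function parseDirectives(value) {
  // "max-age=63072000; includeSubDomains; preload"
  //   -> { "max-age": "63072000", includesubdomains: "", preload: "" }
  const out = {};
  for (const part of value.split(";")) {
    const p = part.trim();
    if (!p) continue;
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    out[key] = eq === -1 ? "" : p.slice(eq + 1).trim().replace(/^"|"$/g, "");
  }
  return out;
}

function auditHsts(value) {
  if (value === undefined) return ["FAIL", "missing: any http:// navigation to this host can be kept on plain HTTP"];
  const d = parseDirectives(value);
  const maxAge = Number.parseInt(d["max-age"], 10);
  if (Number.isNaN(maxAge)) return ["FAIL", "max-age is mandatory; browsers ignore the header without it"];
  if (maxAge === 0) return ["FAIL", "max-age=0 tells browsers to forget the policy"];
  const gaps = [];
  if (maxAge < ONE_YEAR) gaps.push(`max-age=${maxAge} is below the one-year preload minimum`);
  if (!("includesubdomains" in d)) gaps.push("includeSubDomains missing");
  if (!("preload" in d)) gaps.push("preload token missing");
  if (gaps.length) return ["WARN", "set but not preload-eligible: " + gaps.join("; ")];
  return ["PASS", "preload-eligible; submit at hstspreload.org once every subdomain serves HTTPS"];
}

function auditNosniff(value) {
  if (value === undefined) return ["FAIL", "missing: add X-Content-Type-Options: nosniff"];
  if (value.trim().toLowerCase() === "nosniff") return ["PASS", "nosniff"];
  return ["FAIL", `"${value}" is not a valid value; the only one is nosniff`];
}

// Never send path or query to another origin.
const STRICT_REFERRER = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);
// Origin only, but also over an HTTPS-to-HTTP downgrade.
const ORIGIN_ON_DOWNGRADE = new Set(["origin", "origin-when-cross-origin"]);
// Full URL can reach other origins.
const FULL_URL_LEAK = new Set(["unsafe-url", "no-referrer-when-downgrade"]);

function auditReferrer(value) {
  if (value === undefined) return ["WARN", "missing: current browsers default to strict-origin-when-cross-origin, but set it so older clients and webviews agree"];
  // A comma-separated value is a fallback chain; the last token the browser recognises wins.
  const tokens = value.toLowerCase().split(",").map((t) => t.trim()).filter(Boolean).reverse();
  const effective = tokens.find((t) => STRICT_REFERRER.has(t) || ORIGIN_ON_DOWNGRADE.has(t) || FULL_URL_LEAK.has(t));
  if (effective === undefined) return ["FAIL", `no recognised policy in "${value}"; browsers fall back to their default`];
  if (FULL_URL_LEAK.has(effective)) return ["WARN", `${effective} sends path and query (and any tokens in them) to other origins`];
  if (ORIGIN_ON_DOWNGRADE.has(effective)) return ["PASS", `${effective} (origin only, but also on a downgrade; the strict- variant is tighter)`];
  return ["PASS", effective];
}

function auditPermissions(value) {
  if (value === undefined) return ["WARN", "missing: embedded third-party frames keep the browser defaults for camera, microphone, geolocation and friends"];
  // Dictionary syntax: feature=(allowlist), comma separated; "()" denies every origin.
  const entries = value.split(",").map((e) => e.trim()).filter(Boolean);
  const denied = entries.filter((e) => /=\(\s*\)$/.test(e)).map((e) => e.split("=")[0].trim());
  const scoped = entries.length - denied.length;
  return ["PASS", `denies ${denied.join(", ") || "nothing"} to all origins` + (scoped ? `; ${scoped} feature(s) scoped to an allowlist` : "")];
}

function auditSecurityHeaders(h) {
  const checks = [
    ["Strict-Transport-Security", auditHsts(h["strict-transport-security"])],
    ["X-Content-Type-Options", auditNosniff(h["x-content-type-options"])],
    ["Referrer-Policy", auditReferrer(h["referrer-policy"])],
    ["Permissions-Policy", auditPermissions(h["permissions-policy"])],
  ];
  return checks.map(([header, [verdict, detail]]) => ({ header, verdict, detail }));
}

function countVerdicts(results) {
  const n = { PASS: 0, WARN: 0, FAIL: 0 };
  for (const r of results) n[r.verdict] += 1;
  return n;
}

// Constructed sample (invented, not a real capture) of a weak configuration.
const WEAK_HEADERS = { "strict-transport-security": "max-age=300", "referrer-policy": "unsafe-url" };
console.log(auditSecurityHeaders(WEAK_HEADERS), countVerdicts(auditSecurityHeaders(WEAK_HEADERS)));
```

The HSTS check deliberately grades a short max-age as WARN rather than FAIL: the header works, it just is not preload-eligible, and hstspreload.org will reject it until max-age reaches one year.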

§ 03 · when to use this

Four jobs this tool covers.

Job 1: Security audit before launch. Before flipping a new site live, run curl -I https://staging.example.com, paste the headers here. Address every FAIL in the security category before the marketing-team launch announcement, not after. The fix is usually a few lines in your CDN / load-balancer / nginx config.

Job 2: Vendor / third-party diligence. Evaluating a SaaS vendor or partner integration? Run their public site through the checker. A well-configured vendor signals operational maturity; a vendor with default-server headers and missing security posture is a yellow flag for your security review process.

Job 3: CDN configuration verification. After spinning up a new CDN (Cloudflare, Vercel, Netlify, AWS CloudFront), verify the headers it ships. Most CDNs add several headers automatically (cf-ray, server-timing); make sure your origin's intended headers are also present and not stripped. Pair with our Web Server Detector for the server-fingerprint side.

Job 4: Incident-response forensics. When a security incident happens, header configuration is part of the post-mortem evidence. Snapshot the headers before and after the fix; the difference shows exactly what changed and confirms the fix landed. Pair with our SSL Certificate Inspector for the cert side of the security stack.

§ 04 · questions

Six questions users ask.

Why paste headers instead of fetching the URL?

A browser-side fetch of another origin is governed by CORS. Unless the target sends Access-Control-Allow-Origin for your origin, the response is opaque and the script cannot read it at all; even when it does, only a short safelist of response headers (Content-Type, Cache-Control and a few others) is readable unless the server also lists the rest in Access-Control-Expose-Headers. Almost no site does that for a stranger's origin, so a purely browser-side URL fetcher would fail on most sites. Paste mode works everywhere: get the headers from curl -I or browser DevTools and paste them here. Hosted analyzers such as Mozilla Observatory get around this by fetching from their own servers; this tool deliberately has no backend proxy.

How do I get my headers from curl?

Run curl -I https://example.com — the -I flag sends a HEAD request and prints only the status line and response headers. Add -L to follow redirects and -v for the verbose exchange (curl -ILv https://example.com shows the TLS handshake, the server certificate, and every request and response along the way). HEAD and GET are not always served identically; if you suspect a difference, curl -s -o /dev/null -D - https://example.com issues a real GET and dumps just the response headers. Paste either a single response block or the whole verbose output; the parser extracts the response headers automatically.
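What "extracting the response-header block automatically" involves, for both the how-to above and this answer, as an added example (this is not the checker's own parser). It accepts a raw header block or full curl -v output, keeps the final response when redirects were followed, and returns a lowercase-name lookup table. The sample input is constructed, not a real capture; the function names and the choice to keep the last hop are this example's own.

```javascript
// Added example, not the checker's source. curl -v prefixes response lines
// with "< ", request lines with "> " and connection chatter with "* ".
// With -L there is one response block per redirect hop; the audit cares
// about the final response, so the last block wins.

function extractResponseBlocks(text) {
  const lines = text.replace(/\r\n?/g, "\n").split("\n");
  const verbose = lines.some((l) => /^< HTTP\/\d/i.test(l));
  const blocks = [];
  let current = null;
  for (const raw of lines) {
    let line = raw;
    if (verbose) {
      if (!/^<( |$)/.test(line)) continue; // drop "> " request and "* " chatter lines
      line = line.replace(/^<( |$)/, "");
    }
    if (/^HTTP\/\d/i.test(line)) { // a status line opens a new response block
      current = { status: line.trim(), headers: [] };
      blocks.push(current);
    } else if (line.trim() === "") { // the blank line closes the header block
      current = null;
    } else if (current !== null) {
      current.headers.push(line);
    } else if (blocks.length === 0) { // DevTools paste: headers with no status line
      current = { status: null, headers: [line] };
      blocks.push(current);
    } // anything else (a response body after the blank line) is ignored
  }
  return blocks;
}

function parseHeaderLines(lines) {
  const headers = {}; // lowercase name -> array of values (Set-Cookie repeats)
  let last = null;
  for (const line of lines) {
    if (/^[ \t]/.test(line) && last !== null) {
      // obsolete line folding: continuation of the previous field value
      const vals = headers[last];
      vals[vals.length - 1] += " " + line.trim();
      continue;
    }
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // not "name: value"; skip rather than guess
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
    last = name;
  }
  return headers;
}

function parsePaste(text) {
  const blocks = extractResponseBlocks(text);
  if (blocks.length === 0) return { status: null, hops: 0, headers: {} };
  const final = blocks[blocks.length - 1];
  return { status: final.status, hops: blocks.length, headers: parseHeaderLines(final.headers) };
}

// Constructed sample (invented values, not a real capture): roughly what
// `curl -ILv http://example.com/` prints when HTTP redirects to HTTPS.
const SAMPLE_CURL_V = [
  "*   Trying 203.0.113.10:80...",
  "* Connected to example.com (203.0.113.10) port 80",
  "> HEAD / HTTP/1.1",
  "> Host: example.com",
  ">",
  "< HTTP/1.1 301 Moved Permanently",
  "< Location: https://example.com/",
  "< Content-Length: 0",
  "< ",
  "* Issue another request to this URL: 'https://example.com/'",
  "* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384",
  "> HEAD / HTTP/2",
  "> Host: example.com",
  ">",
  "< HTTP/2 200 ",
  "< content-type: text/html; charset=utf-8",
  "< strict-transport-security: max-age=63072000; includeSubDomains; preload",
  "< set-cookie: a=1; Secure; HttpOnly",
  "< set-cookie: b=2; Secure",
  "< ",
  "* Connection #1 to host example.com left intact",
].join("\n");

console.log(parsePaste(SAMPLE_CURL_V));
```

Values are kept as arrays because repeated fields such as Set-Cookie are legitimate and must not be silently collapsed; a cookie audit needs every one of them.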

Which headers does the audit check?

Five categories. (1) Caching — Cache-Control, ETag, Last-Modified, Expires; whether the policy supports CDN caching and browser revalidation. (2) Security — HSTS (Strict-Transport-Security), CSP (Content-Security-Policy), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy; the modern security-header set per OWASP guidance. (3) Compression — Content-Encoding gzip / br / zstd; what's being shipped. A server only compresses when the request advertises support, so capture with curl --compressed (or from DevTools) or this category will show nothing. (4) Server fingerprint — Server, X-Powered-By; what your stack reveals. (5) Modern features — Server-Timing for performance debugging, Early-Hints / 103, Speculation-Rules. Each gets a verdict and rationale.

What's HSTS and why does it matter?

HTTP Strict Transport Security tells browsers 'always connect to this domain over HTTPS for the next N seconds, even if the user types http:// or clicks an http link.' It defeats SSL-stripping attacks, where a network attacker keeps the victim on HTTP and proxies to your real site. Browsers only learn the policy from a response they have already received, so the first-ever visit is unprotected unless the domain is on the preload list. Modern best practice: max-age=63072000 (2 years), includeSubDomains, preload (for inclusion in the browser-built-in preload list at hstspreload.org, which requires at least a one-year max-age). Missing HSTS is the most common security-header gap on production sites.

What's CSP and is it worth setting?

Content Security Policy tells the browser which origins are allowed to load scripts, styles, images, fonts, frames, etc. The strongest XSS protection layer available — even if an attacker injects a script tag into your HTML, the browser refuses to execute it unless your CSP allows that source. The trade-off: CSP is hard to author correctly; even one missed third-party domain breaks pages. For lower-stakes sites (marketing pages, blogs), the simplest workable policy, Content-Security-Policy: default-src 'self', is a reasonable starting baseline; it is restrictive rather than permissive, blocking inline scripts and styles and every third-party host, and you add exceptions from there. For high-stakes apps (banking, healthcare), invest in a proper CSP with nonces or hashes.

Is the data I paste sent anywhere?

No. Header parsing happens entirely in your browser. The page is static HTML; the only network request is the initial page load. Safe for headers from internal staging environments, dev servers, or production environments you don't want to share — paste them here and the data never leaves the browser tab.

§ 06 · common mistakes + when to use this tool

Three mistakes we see most.

Security headers are the one production hardening step that costs nothing and gets skipped most often. OWASP's Secure Headers Project tracks roughly 80% of the Alexa top-1M as either missing HSTS entirely or shipping it without preload, and the equivalent number for a fully-locked-down CSP is closer to 95%.

Mistake 1, HSTS without preload: a Strict-Transport-Security header with max-age=31536000 looks complete, but HSTS is trust-on-first-use: a browser that has never seen the header still makes its first request over HTTP, and that request is interceptable. web.dev's security-headers guide recommends adding includeSubDomains; preload and submitting the domain to hstspreload.org, which ships the entry into the preload list compiled into Chromium and Firefox. Preloading requires a max-age of at least one year, includeSubDomains, the preload token, and an HTTP-to-HTTPS redirect on the bare domain; it also means every subdomain, including internal ones, must serve valid HTTPS from then on, and removal from the list only propagates with browser releases over many months. Verify subdomains first, then preload.

Mistake 2, wildcards in CSP defeat the point: a Content-Security-Policy whose script sources include *, a bare scheme such as https:, or 'unsafe-inline' (with no nonce or hash beside it) provides no real protection against injected scripts, and default-src * does the same for every directive you did not set explicitly. MDN's CSP documentation is explicit that allowlisting must be specific. Use nonces or hashes for inline scripts, name your CDN hosts (or use 'strict-dynamic' so trust flows from nonced scripts instead of a host list), set object-src 'none' and base-uri 'none', and lock down connect-src to your actual API origins. Run the policy as Content-Security-Policy-Report-Only for two weeks against production traffic before enforcement; the reports (report-uri, or report-to with Reporting-Endpoints) tell you exactly which legitimate resources the strict policy would have blocked.

Mistake 3, X-Frame-Options vs frame-ancestors confusion: teams ship X-Frame-Options: SAMEORIGIN and a CSP with frame-ancestors 'none' simultaneously, then wonder why their own same-origin iframes break. Per MDN's X-Frame-Options reference, when CSP frame-ancestors is set, modern browsers ignore X-Frame-Options entirely, so the stricter 'none' is what actually applies. Pick one (frame-ancestors is the future-proof choice: it can express an allowlist of origins, which X-Frame-Options cannot now that ALLOW-FROM is dead), drop the other, and verify in the checker.
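Directive-level CSP analysis covering Mistake 2 and Mistake 3, and the CSP and framing headers of § 02, as an added example (not the checker's source). It parses the policy, grades the effective script sources with the CSP2 rule that a nonce or hash makes 'unsafe-inline' inert, and resolves which header actually decides framing. Input is a lowercase name-to-value object; the function names, verdict text and sample policies are this example's own.

```javascript
// Added example, not the checker's source. Input: { "lowercase-name": "value" }.

function parseCsp(policy) {
  // "default-src 'self'; script-src 'nonce-abc' https:" ->
  // { "default-src": ["'self'"], "script-src": ["'nonce-abc'", "https:"] }
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name in directives) continue; // duplicate directives are ignored: the first one wins
    directives[name] = tokens.slice(1); // keep case: nonces and hashes are base64
  }
  return directives;
}

function effectiveSources(d, directive) {
  if (directive in d) return d[directive];
  if (directive !== "frame-ancestors" && "default-src" in d) return d["default-src"]; // frame-ancestors never falls back
  return null; // null = no restriction at all
}

function auditScriptSources(d) {
  const src = effectiveSources(d, "script-src");
  if (src === null) return [["FAIL", "neither script-src nor default-src: scripts may load from anywhere"]];
  const lower = src.map((s) => s.toLowerCase());
  const nonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const out = [];
  if (lower.includes("*")) out.push(["FAIL", "* allows scripts from any host"]);
  for (const scheme of ["https:", "http:", "data:"]) {
    // with 'strict-dynamic' scheme and host sources are ignored, so they are harmless there
    if (lower.includes(scheme) && !strictDynamic) out.push(["FAIL", `bare ${scheme} allows any ${scheme} URL as a script source`]);
  }
  if (lower.includes("'unsafe-inline'")) {
    out.push(nonceOrHash
      ? ["INFO", "'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present; it only serves old ones as a fallback"]
      : ["FAIL", "'unsafe-inline' lets an injected <script> run, which is exactly what CSP exists to stop"]);
  }
  if (lower.includes("'unsafe-eval'")) out.push(["WARN", "'unsafe-eval' keeps eval()/new Function() sinks exploitable"]);
  if (strictDynamic && !nonceOrHash) out.push(["FAIL", "'strict-dynamic' without a nonce or hash: host sources are ignored, so no script can earn trust"]);
  if (out.length === 0) out.push(["PASS", `script-src limited to ${src.join(" ")}`]);
  return out;
}

// Only an enforced policy decides framing; frame-ancestors in a Report-Only policy blocks nothing.
function effectiveFraming(xfo, enforced) {
  if ("frame-ancestors" in enforced) {
    return { decidedBy: "frame-ancestors", allowed: enforced["frame-ancestors"], xfoIgnored: xfo !== undefined };
  }
  if (xfo !== undefined) return { decidedBy: "x-frame-options", allowed: [xfo.trim().toUpperCase()], xfoIgnored: false };
  return { decidedBy: "nothing", allowed: ["*"], xfoIgnored: false };
}

function auditCsp(h) {
  const enforced = h["content-security-policy"];
  const reportOnly = h["content-security-policy-report-only"];
  const findings = [];
  if (enforced === undefined) {
    findings.push(reportOnly === undefined
      ? ["FAIL", "no Content-Security-Policy: nothing stops an injected script"]
      : ["WARN", "only Content-Security-Policy-Report-Only: violations are reported, nothing is blocked"]);
  }
  const policy = enforced !== undefined ? enforced : reportOnly;
  const d = policy === undefined ? {} : parseCsp(policy);
  if (policy !== undefined) {
    findings.push(...auditScriptSources(d));
    if ((d["default-src"] || []).includes("*")) findings.push(["WARN", "default-src * leaves every directive you did not set explicitly wide open"]);
    if (!("object-src" in d) && !("default-src" in d)) findings.push(["WARN", "no object-src 'none': plugin content (<object>, <embed>) is unrestricted"]);
    if (!("base-uri" in d)) findings.push(["WARN", "no base-uri: an injected <base> tag can redirect every relative script URL"]);
    if (!("report-uri" in d) && !("report-to" in d)) findings.push(["WARN", "no report-uri/report-to: you will never see what the policy blocks"]);
  }
  const framing = effectiveFraming(h["x-frame-options"], enforced === undefined ? {} : d);
  return { directives: d, framing, findings };
}

// Constructed samples (not real captures): the Mistake 2 policy, and a strict one that also shows Mistake 3.
const WILDCARD_CSP = { "content-security-policy": "default-src *; script-src 'unsafe-inline'", "x-frame-options": "SAMEORIGIN" };
const STRICT_CSP = {
  "content-security-policy": "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic' https:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; report-to csp-endpoint",
  "x-frame-options": "SAMEORIGIN",
};
console.log(auditCsp(WILDCARD_CSP).findings, auditCsp(STRICT_CSP).framing);
```

The strict sample is the shape Google's CSP guide recommends: 'unsafe-inline' and https: are present only as fallbacks for pre-CSP3 browsers, and a nonce-aware browser ignores both. The framing result for the same sample shows SAMEORIGIN being overruled by frame-ancestors 'none', which is exactly the Mistake 3 surprise.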

When to actually use this: after every deployment that touches headers (web.config, nginx.conf, Cloudflare Transform Rules, Vercel headers), before any pen-test, during compliance prep (SOC 2, PCI), and as part of a quarterly security audit. Our Web development engagements include header-hardening as a day-one task on every new build.

Related Digital Heroes services + reading: See our Web development service for production-grade security architecture, plus our CSP Validator and CORS Checker. Sibling tools: Cookie Analyzer and HTTPS SSL Checker.
