🔎 HTTP Header Checker

Analyze HTTP response headers and security configuration.

⚠️ CORS Note: Due to browser security restrictions, only headers exposed by the server via Access-Control-Expose-Headers can be read client-side. For complete header analysis, paste headers from browser DevTools or curl.

Paste raw HTTP headers (one per line, format: Header-Name: value)

Understanding Security Headers

🔒 Strict-Transport-Security (HSTS): Forces HTTPS connections
🛡️ Content-Security-Policy (CSP): Controls resource loading
📋 X-Content-Type-Options: Prevents MIME sniffing
🖼️ X-Frame-Options: Prevents clickjacking
👁️ Referrer-Policy: Controls referrer information
⚙️ Permissions-Policy: Controls browser features

FAQ

What are HTTP response headers?

HTTP response headers are metadata sent by a web server along with the response body. They contain information about caching, content type, security policies, server software, and more. They are invisible to users but critical for security and performance.

What security headers should every website have?

Essential security headers include: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. These protect against XSS, clickjacking, MIME sniffing, and other common attacks.

How is the security grade calculated?

The grade is based on the presence of 6 key security headers. Each present header earns points. Grade A = all 6 present, Grade B = 5, Grade C = 4, Grade D = 2-3, Grade F = 0-1. The actual configuration quality is also considered for some headers.
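
The grading rule above, as an added example (not the tool's own code): it parses pasted headers in the `Header-Name: value` format and maps the number of key headers present to a grade. It checks presence only; the function names, the sample input, and the choice to treat an empty value as missing are assumptions, and the configuration-quality adjustment mentioned above is not modelled.

```javascript
// Added example: presence-only grading of pasted response headers.
const KEY_HEADERS = [
  "strict-transport-security", "content-security-policy",
  "x-content-type-options", "x-frame-options",
  "referrer-policy", "permissions-policy",
];

// Parse "Header-Name: value" lines into a Map keyed by lowercase name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    // Skips blank lines, status lines ("HTTP/1.1 200 OK") and HTTP/2 pseudo-headers (":status").
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    // Header names are case-insensitive tokens; ignore anything else.
    if (!/^[!#$%&'*+.^_`|~0-9a-z-]+$/.test(name)) continue;
    const value = line.slice(idx + 1).trim();
    headers.set(name, [...(headers.get(name) || []), value]); // keep repeats
  }
  return headers;
}

// Grade by count of key headers present: 6=A, 5=B, 4=C, 2-3=D, 0-1=F.
// Assumption: a header with an empty value is counted as missing.
function gradeHeaders(raw) {
  const headers = parseHeaders(raw);
  const present = KEY_HEADERS.filter((h) => (headers.get(h) || []).some((v) => v !== ""));
  const missing = KEY_HEADERS.filter((h) => !present.includes(h));
  const n = present.length;
  const grade = n === 6 ? "A" : n === 5 ? "B" : n === 4 ? "C" : n >= 2 ? "D" : "F";
  return { grade, present, missing };
}

// Constructed sample input, shaped like `curl -I` output.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "content-type: text/html; charset=utf-8",
  "Strict-Transport-Security: max-age=31536000; includeSubDomains",
  "X-CONTENT-TYPE-OPTIONS: nosniff",
  "X-Frame-Options: DENY",
  "Content-Security-Policy-Report-Only: default-src 'self'",
  "Referrer-Policy:",
].join("\n");

console.log(JSON.stringify(gradeHeaders(SAMPLE), null, 2));
```

In the sample, `Content-Security-Policy-Report-Only` does not count as `Content-Security-Policy`, since a report-only policy is not enforced by the browser.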