HTTP Header Checker
β
β
β
β
β
β
β
β
β
β
4.8(0 votes)
Inspect every HTTP response header: status code, content-type, cache, HSTS, CSP, X-Frame-Options, and more.
HTTP Header Checker
Headers fetched via CORS proxy. Proxies may strip some sensitive headers (Set-Cookie, Authorization).
Response Headersβ
Security Headers Audit
About This Tool
Security Headers Audit
Checks for all six recommended security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
How It Works
Fetches the URL via a CORS proxy and reads all available response headers. Some headers may be stripped by the proxy for security reasons.
Frequently Asked Questions
What's a good security header score?
Aim for all 6 present on production. WordPress users can add them via .htaccess or a security plugin (Wordfence, Headers Security Advanced).
Why is Server header sometimes blank?
Well-configured servers strip Server header to avoid exposing exact software versions to potential attackers. This is a good security practice.
Why are some headers missing from the results?
CORS proxies may strip certain headers (Set-Cookie, Authorization, etc.) for security. For a complete audit, use curl from a server or browser DevTools Network tab.
