Request Headers · Security Headers · CORS
HTTP Headers Checker
Inspect your browser's HTTP request headers exactly as servers see them. Check security headers, analyze response headers from any URL, and identify missing security configurations.
HTTP Headers Inspector
Your request headers are shown automatically. To check response headers from a URL, enter it below.
What are HTTP headers?
HTTP headers are key-value pairs sent between clients (browsers) and servers with every HTTP request and response. Request headers tell the server about the client — its browser, accepted languages, cookies, and authentication tokens. Response headers tell the browser how to handle the content — caching rules, content type, security policies, and CORS settings.
Why do security headers matter?
Security headers protect your web application from common attacks. Missing or misconfigured security headers are one of the most common web vulnerabilities. Key headers include:
- Content-Security-Policy (CSP) — Prevents XSS attacks by controlling which resources can load
- Strict-Transport-Security (HSTS) — Forces HTTPS connections, prevents downgrade attacks
- X-Frame-Options — Prevents clickjacking by controlling iframe embedding
- X-Content-Type-Options — Prevents MIME type sniffing attacks
- Referrer-Policy — Controls how much referrer information is shared
- Permissions-Policy — Controls browser feature access (camera, microphone, etc.)
FAQ
HTTP headers questions
What is the most important security header to add?
Strict-Transport-Security (HSTS) is arguably the most critical — it forces all connections to use HTTPS and prevents SSL stripping attacks. For most sites, adding "Strict-Transport-Security: max-age=31536000; includeSubDomains" provides immediate security improvement. Content-Security-Policy is more complex to configure but provides the most comprehensive XSS protection.
Why can't I see all response headers?
Browser security (CORS) restricts which response headers JavaScript can access. Some headers like Set-Cookie and Authorization are never exposed to JavaScript for security reasons. To see all headers for a URL, use browser DevTools (F12 → Network tab) or a command-line tool like curl.
What is CORS and why does it matter?
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins can make requests to your API. The Access-Control-Allow-Origin header tells browsers which domains are allowed to read your responses. Misconfigured CORS (like using wildcard * on authenticated endpoints) can expose sensitive data to malicious sites.
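As an added worked example (not this checker's own code), the Python function below applies the checks from the security-header list and the FAQ answers above to a dict of response headers such as curl -I would print: it flags missing headers, an HSTS max-age shorter than the recommended year, a non-nosniff or permissive framing value, and the wildcard-plus-credentials CORS misconfiguration. The sample headers and the finding messages are constructed for the example.

```python
import re

# Security headers from the list above, with what their absence means.
# Checks and sample data here are constructed for this example.
REQUIRED = {
    "content-security-policy": "missing CSP: no control over which resources load",
    "strict-transport-security": "missing HSTS: HTTPS not enforced, SSL stripping possible",
    "x-frame-options": "missing X-Frame-Options: page can be framed (clickjacking)",
    "x-content-type-options": "missing X-Content-Type-Options: MIME sniffing allowed",
    "referrer-policy": "missing Referrer-Policy: full referrer may leak",
    "permissions-policy": "missing Permissions-Policy: browser features unrestricted",
}
ONE_YEAR = 31536000  # the HSTS max-age the FAQ recommends

def audit_headers(headers):
    """Return findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    # Defaults below equal the safe value so a missing header is reported only once.
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be exactly 'nosniff'")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    # The CORS misconfiguration from the FAQ: wildcard origin on a response
    # that also allows credentials.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS: Access-Control-Allow-Origin '*' with credentials allowed")
    return findings

# Constructed sample response, as curl -I would show it.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOWALL",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```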