The HTTP Headers Viewer fetches the response headers from any CORS-enabled URL and analyzes them for security issues. It checks for six critical security headers and calculates a security score that highlights which protections are missing.
Tip: Try https://httpbin.org/get. It is a service designed for HTTP testing and sends permissive CORS headers, so the browser request succeeds.
Browser CORS limitation: Only headers the server's CORS policy lets JavaScript read are visible here, and Set-Cookie is never readable from script. For complete header inspection, run curl -I https://yoursite.com from a terminal. Note that curl -I sends a HEAD request; if a server answers HEAD differently from GET, use curl -sD - -o /dev/null https://yoursite.com to see the headers of a real GET.
How to Use the HTTP Headers Viewer
The HTTP Headers Viewer fetches a URL and reads its HTTP response headers. It then analyzes security headers and calculates a score based on which protective headers are present.
Step 1: Enter a URL
Enter the full URL including the https:// prefix. The tool only works with URLs that send CORS headers allowing your origin; without them the browser blocks the request entirely. Try https://httpbin.org/get as a test: it is a service designed for HTTP testing that sends permissive CORS headers.
Step 2: Read Security Headers
The security score section checks for 6 critical security headers:
- Content-Security-Policy — restricts which sources of scripts, styles and other content may load, which mitigates XSS and injection attacks
- Strict-Transport-Security — tells browsers to use HTTPS only for the domain
- X-Frame-Options — prevents clickjacking via iframes (the CSP frame-ancestors directive supersedes it in modern browsers)
- X-Content-Type-Options — prevents MIME type sniffing
- Referrer-Policy — controls how much referrer info is shared
- Permissions-Policy — controls browser feature access (camera, mic, etc.)
Step 3: Review All Headers
The full headers table shows every header the server sent. Look for:
- Cache-Control — how the browser should cache the response
- Content-Type — MIME type of the response
- Server — web server software and version (often suppressed or trimmed to reduce fingerprinting)
- Set-Cookie — cookie attributes (HttpOnly, Secure, SameSite)
Browser CORS Limitations
Browser CORS policy means only headers the server allows script to read are visible, and if the server sends no Access-Control-Allow-Origin at all the request fails before any header can be read. Most real-world sites send X-Frame-Options, Strict-Transport-Security and other headers without listing them in Access-Control-Expose-Headers, and Set-Cookie is a forbidden response header that script can never read. For complete inspection, use curl from your terminal:
curl -I https://yoursite.com
FAQ
What are HTTP response headers and why do they matter?
HTTP response headers are metadata the server sends alongside every response. They control caching, cookies, security policies, content types, and more. Security headers like Content-Security-Policy and Strict-Transport-Security protect users from XSS and man-in-the-middle attacks. Missing or weakly configured security headers are among the most common findings in web security assessments.
Why can't I see all headers? Some are missing.
Browser CORS policy restricts which headers JavaScript can read from a cross-origin response. Only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified and Pragma) plus any names the server lists in Access-Control-Expose-Headers are readable; Set-Cookie is never readable from script, even when the server exposes it. For complete header inspection, use curl: curl -I https://example.com. CORS is enforced by browsers only, so curl sees every header the server sent.
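The visibility rules above, modelled as an added example that is not the tool's own code. It applies the Fetch specification's filtering (CORS-safelisted names, Access-Control-Expose-Headers, the forbidden Set-Cookie names, and the credentials-mode restriction on the "*" wildcard) to a constructed server response and reports which headers cross-origin script would not be able to see:

```javascript
// Added example (not the HTTP Headers Viewer's own code): model which response
// headers a browser lets cross-origin JavaScript read via fetch().
// The sample server response below is constructed for illustration.

// CORS-safelisted response-header names: readable after any successful
// cross-origin request, with no Access-Control-Expose-Headers needed.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Forbidden response-header names: never readable from script, whatever the
// server exposes.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// rawHeaders: header name -> value as sent on the wire.
// credentials: mirrors the fetch() credentials mode ('omit' or 'include').
// Returns the headers script can read, or null if the request fails CORS.
function visibleToScript(rawHeaders, { credentials = 'omit' } = {}) {
  const lower = {};
  for (const [k, v] of Object.entries(rawHeaders)) lower[k.toLowerCase()] = v;

  // With no Access-Control-Allow-Origin the browser rejects the response and
  // script sees no headers at all ("TypeError: Failed to fetch").
  if (!('access-control-allow-origin' in lower)) return null;

  const exposeRaw = lower['access-control-expose-headers'] || '';
  const exposed = new Set(
    exposeRaw.split(',').map(s => s.trim().toLowerCase()).filter(Boolean)
  );
  // "*" exposes every non-forbidden header, but only for credential-less requests.
  const wildcard = exposed.has('*') && credentials !== 'include';

  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || wildcard || exposed.has(name)) visible[name] = value;
  }
  return visible;
}

// Headers the server sent that script cannot read (all of them if CORS fails).
function hiddenHeaders(rawHeaders, opts) {
  const vis = visibleToScript(rawHeaders, opts);
  if (vis === null) return Object.keys(rawHeaders);
  return Object.keys(rawHeaders).filter(k => !(k.toLowerCase() in vis));
}

// Constructed sample: a hardened site that allows CORS but exposes nothing extra.
const SAMPLE_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'no-store',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'Set-Cookie': 'session=abc123; HttpOnly; Secure; SameSite=Lax',
  'Access-Control-Allow-Origin': '*',
};

console.log(hiddenHeaders(SAMPLE_RESPONSE));
// -> [ 'Strict-Transport-Security', 'X-Frame-Options', 'Set-Cookie', 'Access-Control-Allow-Origin' ]
console.log(hiddenHeaders({ ...SAMPLE_RESPONSE, 'Access-Control-Expose-Headers': '*' }));
// -> [ 'Set-Cookie' ]   (Set-Cookie stays hidden even with the wildcard)
```

Note that even Access-Control-Allow-Origin itself is filtered out unless the server exposes it, which is why a browser-based viewer typically shows only Content-Type and a few caching headers for an ordinary site.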
What is Content-Security-Policy (CSP)?
Content-Security-Policy is a security header that tells browsers which sources of content (scripts, styles, images and so on) are allowed to load. A strong CSP prevents many cross-site scripting (XSS) attacks by blocking injected scripts from running. Its value matters as much as its presence: a script-src that allows 'unsafe-inline' or 'unsafe-eval' gives little protection against injected script. CSP is one of the most important security headers for modern web applications.
What does HSTS (Strict-Transport-Security) do?
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for the domain, even if the user types http:// or follows a plain HTTP link. It prevents SSL stripping attacks where an attacker downgrades an HTTPS connection to HTTP. Browsers only honour the header when it arrives over HTTPS, and the very first visit is unprotected unless the domain is on the browser preload list. HSTS with a long max-age value (a year or more) and includeSubDomains is essential for all HTTPS sites.
What is X-Frame-Options and why does it matter?
X-Frame-Options prevents your site from being embedded in an iframe on another domain. Without it, attackers can use 'clickjacking' to overlay an invisible iframe of your site on their own page and trick users into clicking hidden buttons. The recommended value is DENY (never allow framing) or SAMEORIGIN (only your own origin can frame the page); the older ALLOW-FROM value is obsolete and ignored by current browsers. The CSP frame-ancestors directive supersedes X-Frame-Options and allows a list of permitted origins, so sites that set it do not strictly need X-Frame-Options.
How is the security score calculated?
The security score checks for 6 key security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each present header adds to the score; the score measures presence only, so a weak value (a CSP that allows 'unsafe-inline', an HSTS max-age of a few hours) still counts. Note that due to CORS limitations, some headers may not be visible even if they exist, so the curl command will give more accurate results.
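An added example, not the tool's own scoring code, that scores the six headers listed in Step 2 and in this answer and also flags weak values that a presence-only check would miss (the value heuristics, the one-year HSTS threshold and the Set-Cookie attribute check are this example's own choices, and the sample response is constructed):

```javascript
// Added example (not the HTTP Headers Viewer's own code): score the six
// checked headers and flag weak values. Header names are matched
// case-insensitively, as HTTP requires. Value rules are this example's own.

const CHECKED = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'permissions-policy',
];

// Per-header value checks: return a warning string, or null if acceptable.
const WEAK = {
  'content-security-policy': v =>
    /unsafe-inline|unsafe-eval/i.test(v) ? 'allows unsafe-inline/unsafe-eval' :
    !/(script-src|default-src)/i.test(v) ? 'no script-src or default-src' : null,
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'missing max-age';
    if (Number(m[1]) < 31536000) return `max-age ${m[1]} is under one year`;
    return null;
  },
  'x-frame-options': v =>
    /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : `unsupported value "${v}" (ALLOW-FROM is obsolete)`,
  'x-content-type-options': v =>
    v.trim().toLowerCase() === 'nosniff' ? null : `expected "nosniff", got "${v}"`,
  'referrer-policy': v =>
    /unsafe-url/i.test(v) ? 'unsafe-url leaks full URLs cross-origin' : null,
  'permissions-policy': () => null,
};

// rawHeaders: header name -> value (set-cookie may be an array, as Node's
// http module returns it). Returns score, present/missing lists and warnings.
function scoreHeaders(rawHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(rawHeaders)) lower[k.toLowerCase()] = v;

  const present = [], missing = [], warnings = [];
  for (const name of CHECKED) {
    if (!(name in lower)) { missing.push(name); continue; }
    present.push(name);
    const w = WEAK[name](String(lower[name]));
    if (w) warnings.push(`${name}: ${w}`);
  }

  // CSP frame-ancestors supersedes X-Frame-Options in modern browsers, so a
  // site that sets the directive is not penalised for omitting the header.
  const csp = lower['content-security-policy'] || '';
  if (missing.includes('x-frame-options') && /frame-ancestors/i.test(csp)) {
    missing.splice(missing.indexOf('x-frame-options'), 1);
    present.push('x-frame-options');
    warnings.push('x-frame-options: absent, but covered by CSP frame-ancestors');
  }

  // Set-Cookie is not part of the score, but missing attributes are worth a warning.
  const raw = lower['set-cookie'];
  const cookies = Array.isArray(raw) ? raw : [raw].filter(Boolean);
  for (const c of cookies) {
    for (const attr of ['HttpOnly', 'Secure', 'SameSite']) {
      if (!new RegExp(`;\\s*${attr}\\b`, 'i').test(c)) {
        warnings.push(`set-cookie "${c.split('=')[0]}": missing ${attr}`);
      }
    }
  }

  return { score: present.length, max: CHECKED.length, present, missing, warnings };
}

// Constructed sample: four of six headers present, two of them weakly configured.
const SAMPLE = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=86400',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Set-Cookie': 'session=abc123; Path=/; HttpOnly',
};

console.log(scoreHeaders(SAMPLE));
// -> score 4 of 6; missing x-frame-options and permissions-policy;
//    four warnings (unsafe-inline, short HSTS max-age, cookie lacks Secure and SameSite)
```

Feed it the headers from curl rather than from the browser fetch, since the browser copy is filtered by CORS and will understate the score.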