Free HTTP Headers Checker

Inspect every HTTP response header for any URL. Score security headers (HSTS, CSP, X-Frame-Options), detect the CDN provider, and analyze cache behavior in one request. No signup, no limits.

Who uses this tool?

Web developers — verify CSP, HSTS, and cache headers after deployment
Security engineers — audit security header coverage across a portfolio of sites
DevOps & SRE — confirm CDN is serving and cache is hot
Penetration testers — quickly identify missing XSS and clickjacking protections
SEO specialists — verify canonical, X-Robots-Tag, and cache behavior

How to use (step-by-step)

Step 1 — Enter a URL or domain: Type any domain or full URL. The tool tries HTTPS first and falls back to HTTP.
Step 2 — Click Check: We fetch the URL with redirect: manual and inspect every response header.
Step 3 — Review the results: See security score (0-100), detected CDN, response time, all security headers with status, and the full header map.

Frequently asked questions

What are HTTP response headers?

HTTP response headers are metadata sent by the server with each response. They control caching (Cache-Control), security (HSTS, CSP, X-Frame-Options), content type, cookies, and more.

What security headers should every website have?

The essentials: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing any of these is a common security issue.

How is the security score calculated?

The score is the percentage of essential security headers present. A perfect 100 requires HSTS, CSP, X-Frame-Options, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy all set correctly.

How is the CDN detected?

We look at distinctive response headers. Cloudflare sets cf-ray, AWS CloudFront sets x-amz-cf-id, Fastly sets x-served-by, Vercel sets x-vercel-id, and so on. No probing is needed — the CDN identifies itself in the response.

Related free tools

SSL Certificate Checker — Verify HTTPS certificate and expiry
Redirect Chain Checker — Trace 301/302 hops and detect loops
DNS Lookup — Check A, MX, TXT records
WHOIS Lookup — Domain registrar and expiry
All Free Domain Tools — Complete toolkit for domain research

Try it on popular domains: github.com, google.com, cloudflare.com, openai.com.