🧾 Free · private · in-browser

Free HTTP header inspector — security & caching headers

Inspect response headers and grade security best practices.

Inspect response headers and grade your security posture

Response headers are how a server tells browsers how to treat a page - how long to cache it, whether to force HTTPS, which scripts to trust, and whether the page may be framed. This inspector fetches any URL from the edge, lists every header the server returns, and runs a quick audit of the security headers that do the most to protect your visitors. No CORS walls, no signup.

The security headers we grade

  • Strict-Transport-Security - forces HTTPS so a downgrade attack cannot strip encryption.
  • Content-Security-Policy - whitelists trusted sources to blunt cross-site scripting.
  • X-Frame-Options - stops your pages being embedded in a hostile frame (clickjacking).
  • X-Content-Type-Options - nosniff keeps browsers from guessing content types.
  • Referrer-Policy - controls how much URL information leaks to other sites.
  • Permissions-Policy - restricts powerful features like camera, mic, and geolocation.

Present is a floor, not a ceiling

A green check means the header exists on the response - it does not judge how strong the policy is. A Content-Security-Policy that allows unsafe-inline, for example, still counts as present but offers far less protection than a strict one. Treat the checklist as a fast coverage map: fix the missing headers first, then come back and tighten the values that carry the most risk for your site.

From headers to uptime

Headers tell you how a server behaves on a good day. To know when that server stops answering at all, add the site to the Uptime Monitor for scheduled edge checks and a public status page, or run a one-off status check when you are triaging an incident.

Frequently asked questions

What does the HTTP header inspector show?

It fetches any URL from the edge and lists every response header the server sends, then grades the site against a checklist of the security headers that matter most - HSTS, CSP, X-Frame-Options, and more.

Why can't my browser show me these headers?

Browsers hide most cross-origin response headers for security, and CORS blocks the request entirely for many sites. Fetching server-side from our edge returns the full, unfiltered header set.

Are missing security headers a serious problem?

They are missed opportunities to harden a site. Headers like HSTS, CSP, and X-Content-Type-Options defend against protocol downgrade, cross-site scripting, and MIME sniffing. Adding them is low-cost and high-value for most sites.

Does a green check mean the header is configured correctly?

It means the header is present. A checklist confirms coverage, not policy quality - a weak CSP still shows as present. Use this as a fast first pass, then review the actual values for the headers that matter to you.