HTTP Header Checker
Analyze HTTP response headers for any URL. Get a security grade, performance insights, and actionable recommendations to harden your website.
Analyze response headers & security score
How to Use
1. Enter a website URL in the input field (e.g. example.com)
2. Click "Analyze Headers" to fetch the HTTP response headers
3. Review the security grade (A+ to F) and see which headers are present
4. Check grouped categories: Security, Performance, CORS, Content, and Server
5. View recommendations for missing security headers with ready-to-use code
What You Get
HTTP header analysis tool with security scoring (A+ to F grade), header categorization into 6 groups (Security, Performance, CORS, Content, Server, Other), redirect chain visualization, and actionable fix recommendations with code snippets for missing security headers.
Input: google.com
Output: Grade: A — 28 headers, HSTS present, X-Frame-Options: SAMEORIGIN
Input: github.com
Output: Grade: A+ — CSP, HSTS with preload, Referrer-Policy strict
Input: stackoverflow.com
Output: Grade: B — HSTS present, CSP present, missing Permissions-Policy
What are HTTP headers?
HTTP headers are metadata sent between a browser and a web server with every request and response. They control caching, security, content type, authentication, and more. Response headers from the server tell the browser how to handle the page — for example, whether to cache it, what content type it is, and which security policies to enforce.
What is a good HTTP security header score?
A good security header score is A or A+. This means your site has the essential security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Most major sites like Google, GitHub, and Facebook score A or higher. A score of D or F means critical security headers are missing.
What is Strict-Transport-Security (HSTS)?
HSTS (HTTP Strict Transport Security) is a header that tells browsers to always use HTTPS when connecting to your site. Once a browser has received it, it upgrades any HTTP request to that site to HTTPS for the specified duration (typically 1 year) without first sending it over plain HTTP. This helps prevent man-in-the-middle attacks and protocol downgrade attacks. The recommended value is: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
What is Content-Security-Policy (CSP)?
Content-Security-Policy (CSP) is a powerful security header that mitigates cross-site scripting (XSS), data injection, and other code injection attacks. It works by specifying which sources of content (scripts, styles, images, etc.) the browser is allowed to load; content from a source the policy does not allow is blocked. A basic CSP might look like: Content-Security-Policy: default-src 'self'; script-src 'self'. This is one of the most important security headers you can implement.
How to check HTTP response headers?
You can check HTTP response headers in several ways: (1) Use this free online tool — just enter a URL and click Analyze. (2) In Chrome DevTools, go to Network tab, click a request, and view the Response Headers section. (3) Use curl in the terminal: curl -I example.com. (4) In Firefox, open Developer Tools → Network → click a request → Headers tab. Our tool adds value by grouping, explaining, and scoring the headers automatically.
Why is X-Content-Type-Options important?
X-Content-Type-Options: nosniff prevents browsers from "sniffing" the MIME type of a response. Without this header, browsers might interpret a file differently than intended — for example, treating a text file as JavaScript and executing it. This is a common attack vector for cross-site scripting. The fix is simple: add X-Content-Type-Options: nosniff to your response headers.
What does X-Frame-Options do?
X-Frame-Options prevents your website from being embedded in <iframe> tags on other sites. This protects against "clickjacking" attacks where an attacker overlays a transparent iframe of your site on top of a malicious page, tricking users into clicking buttons they didn't intend to. Use X-Frame-Options: DENY to block all framing, or SAMEORIGIN to allow framing only by your own site.
What are CORS headers and when do I need them?
CORS (Cross-Origin Resource Sharing) headers control which external domains can access your API or resources. If your website makes API calls to a different domain, the server must include Access-Control-Allow-Origin to permit the request. Without CORS headers, browsers block cross-origin requests by default for security. Common CORS headers include Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers.
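The checks described above (fetching headers as `curl -I` does, then grading on the six headers named in the security-score answer) as an added example in Python; this is not the tool's own code, and the grading scale, the `audit` and `fetch_headers` names, and the sample response are assumptions made here for illustration.

```python
"""Minimal HTTP security-header audit (added example; not the tool's code).
Grades on the six headers the page names; the scale is an assumption."""
import re
import http.client
from urllib.parse import urlsplit

def hsts_ok(v):
    """HSTS is only useful with a long max-age; one year is the recommendation."""
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000

# Each check takes the header value and returns True when it is acceptable.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

def audit(headers):
    """headers: dict of response headers (any case). Returns (grade, missing, weak)."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in CHECKS if h not in lower]
    weak = [h for h, chk in CHECKS.items() if h in lower and not chk(lower[h])]
    score = len(CHECKS) - len(missing) - len(weak)
    grade = {6: "A+", 5: "A", 4: "B", 3: "C", 2: "D"}.get(score, "F")  # assumed scale
    return grade, missing, weak

def fetch_headers(url, timeout=10):
    """HEAD request over HTTPS, like `curl -I`; returns a header dict.
    Note: dict() keeps only the last value of a repeated header name."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    conn.request("HEAD", parts.path or "/")
    return dict(conn.getresponse().getheaders())

# Constructed sample response, not any real site's headers.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(audit(SAMPLE))  # ('A', ['permissions-policy'], [])
    # print(audit(fetch_headers("example.com")))  # live check, needs network
```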
URLs are sent to our server for header analysis (we cannot read headers from the browser due to CORS restrictions). We do not store or log the URLs you check.